WhatsApp's sharing of user data with its parent company, Facebook, is illegal. The UK's Information Commissioner's Office (ICO), a data protection watchdog, has ruled that user data cannot be shared between the services and has forced the firm to sign an undertaking declaring it will not share user data with its parent company before GDPR.
WhatsApp continues to get in trouble thanks to Facebook
While the messaging platform had promised back in 2014, when it was acquired by Facebook, that the app would continue to focus on user security and privacy, everything appeared to change when it was revealed that WhatsApp was going to share user data with Facebook - a data monster.
The popular messaging app was first forced to stop sharing personal user data with Facebook in November 2016. After opening a full investigation into the matter, Elizabeth Denham, the information commissioner, said the investigation found that "WhatsApp has not identified a lawful basis of processing for any such sharing of personal data."
The watchdog doesn't believe there is any reason why WhatsApp would need to share user data with the social network for Facebook's own purposes like ad improvement, as the messaging service failed to provide a lawful basis for this requirement.
The messaging company - led by a privacy advocate - has signed an undertaking declaring that it will not share any data of its European users with Facebook until the General Data Protection Regulation (GDPR) comes into force on 25 May. Following that, the company will share data in compliance with the new rules. The company would not be fined since the investigation and the subsequent halting of data sharing happened almost instantly after Facebook started taking WhatsApp data.
It should be noted that WhatsApp does share personal user data with Facebook and according to the watchdog that's okay since Facebook is providing a support service to WhatsApp. "The technical term for such sharing is that WhatsApp can use Facebook as a data processor," Denham wrote. "This is common practice and if done consistently with the law, under contract, does not generally raise data protection concerns."
The data in question was what Facebook was using to improve ads and product experience.
The company will continue sharing user data in the United States and other countries outside of the European Union for this purpose. Again, personal data continues to be shared between the two companies as data protection law does not prevent a company from sharing personal data as long as they are following the legal requirements.
Here's a list of Denham's findings:
My investigation found:
- WhatsApp has not identified a lawful basis of processing for any such sharing of personal data;
- WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data;
- In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained;
- I found that if they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act.
[Update]: WhatsApp's statement on the matter
In an emailed statement to Wccftech, a WhatsApp spokesperson said that the messaging platform "cares deeply about the privacy" of its users.
We collect very little data and every message is end-to-end encrypted. As we've repeatedly made clear for the last year we are not sharing data in the ways that the U.K. Information Commissioner has said she is concerned about anywhere in Europe.