Facebook, its popular messaging app WhatsApp, and the UK’s Information Commissioner’s Office (ICO) have reached a truce in the ICO’s long-running investigation into how Facebook and WhatsApp share user data. The ICO today announced that it has closed its investigation and concluded that WhatsApp and Facebook, in fact, cannot share user data at present. The two most significant upshots of this: WhatsApp (and Facebook) will not be fined; and the ICO has gotten WhatsApp to sign an undertaking in which it has committed publicly not to share personal data with Facebook until the two services can do it in a way that is compliant with the General Data Protection Regulation (GDPR).
“Data protection law does not prevent a company from sharing personal data – they just have to follow the legal requirements,” writes Commissioner Elizabeth Denham, who also published her own letter to WhatsApp as part of her blog post.
This is a truce of sorts. Notably, Commissioner Denham said that the ICO would not be fining Facebook as a result of its investigation, since even if WhatsApp intended to do unlawful things, it never actually did. That is a win for Facebook, too.
“I reached the conclusion that an undertaking was the most effective regulatory tool for me to use, given the circumstances of the case,” she notes. “As WhatsApp has assured us that no UK user data has ever been shared with Facebook (other than as a ‘data processor’, as explained below), I would not be able to meet the criteria for issuing a civil monetary penalty under the Data Protection Act.”
GDPR is the wide-ranging data protection framework that essentially gives individuals more control over how and where their data is used across digital services. It comes into force in May across the European Union, and it’s bringing about a sweep of privacy changes among digital services to fall in line with the new rules.
Denham said that her investigation found several issues with the idea of sharing data:
“WhatsApp has not identified a lawful basis of processing for any such sharing of personal data;
WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data;
In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained;
I found that if they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act.”
But, on the other hand, WhatsApp also managed to escape any fines as it halted the data program before it ever got off the ground.
Going forward, there are a few interesting loopholes under which data can be shared between the two platforms, specifically in cases where Facebook is a “data processor” providing a support service to WhatsApp. For example, this would apply to the use of servers to run its messaging service, or perhaps to running a relay for a business that is taking out an ad on Facebook to refer people to its WhatsApp account. “My investigation has not been concerned about WhatsApp’s sharing of personal data with Facebook when Facebook are only providing a support service to WhatsApp,” she writes. “The technical term for such sharing is that WhatsApp can use Facebook as a data processor. This is common practice and if done consistently with the law, under contract, does not generally raise data protection concerns.”
As Denham points out, there are two other takeaways from this case.
The second will be the wider European ramifications. In Germany, the Hamburg Commissioner of Data Protection and Freedom of Information said earlier this month that the Higher Administrative Court (OVG) Hamburg has now officially also banned Facebook from using WhatsApp user data for its own purposes, while in France the regulator CNIL is currently in the process of bringing enforcement actions of its own.
More generally, while a lot of companies are preparing to comply with GDPR, this case highlights how companies will likely challenge and test the framework as well. I’m not sure Facebook will give up so quickly, and it will be worth watching what kind of workarounds, if any, it comes up with to continue in its wider strategy to “connect” us all.