Breaking the law…Watchdog accuses WhatsApp of ‘misleading’ users and breaking German data protection laws
Facebook is once again facing questions over its privacy procedures after its popular mobile instant messaging app WhatsApp ran into trouble with a German data protection watchdog.
The development comes after a researcher found that WhatsApp leaves traces of deleted posts that could be easily recovered, which has added to privacy concerns about the service.
The latest development has seen Hamburg Commissioner for Data Protection and Freedom of Information ordering Facebook to halt the collection and storage of data belonging to 35 million WhatsApp users in Germany.
The regulator said that it had “issued an administrative order that prohibits Facebook with immediate effect to collect and store data of German WhatsApp users. Facebook is also ordered to delete all data that has already been forwarded by WhatsApp”.
And it went further, accusing both organisations of “misleading” their users and breaking German law.
“After the acquisition of WhatsApp by Facebook two years ago, both parties have publicly assured that data will not be shared between them,” said the regulator. “The fact that this is now happening is not only a misleading of their users and the public, but also constitutes an infringement of national data protection law.”
Under German law, a company that provides the data (in this case WhatsApp) and the receiving company (Facebook) have to establish a legal agreement to do so. According to the Hamburg regulator Facebook had not obtained an effective approval from WhatsApp users, and it doesn’t have the legal basis to hold onto the data.
“It is clear that Facebook must respect German data protection law after the ECJ confirmed in its ruling from July, that national data protection laws are applicable if a company processes data in connection with a national subsidiary,” said the watchdog. “Facebook is doing this through its subsidiary in Hamburg, which is responsible for the operation of the marketing business in German-speaking regions,” explained Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information. “This administrative order protects the data of about 35 million WhatsApp users in Germany,”
“It has to be their decision, whether they want to connect their account with Facebook,” added Caspar. “Therefore, Facebook has to ask for their permission in advance. This has not happened.”
“In addition, there are many millions of people whose contact details were uploaded to WhatsApp from the user’s address books, although they might not even have a connection to Facebook or WhatsApp.
“According to Facebook, this gigantic amount of data has not yet been collected. Facebook’s answer, that this has merely not been done for the time being, is cause for concern that the gravity of the data protection breach will have much a more severe impact.”
“Facebook complies with EU data protection law,” a spokesperson for the social networking giant told TechWeekEurope in a statement. “We will work with the Hamburg DPA in an effort to address their questions and resolve any concerns.”
Facebook of course acquired WhatsApp back in early 2014 for a cool $19 billion (£11.4bn). That acquisition was a bumpy affair after two privacy groups officially complained to US regulators about the privacy implications of the acquisition.
At the time WhatsApp founder Jan Koum denied claims the app would have to follow Facebook’s privacy policies. WhatsApp famously has never carried adverts and had a strong privacy slant. Koum at the time also pledged he would not allow user data to be used for advertising.
And in March, Facebook’s vice president for Latin America was arrested following a court order for WhatsApp to provide access to the messages of an alleged gang member to assist with a drug-trafficking investigation.
Take our mobile apps quiz here!