The CNIL has given WhatsApp and Facebook one month to bring themselves into compliance with French data protection law or face a fine
France’s data protection agency, the CNIL, said on Monday it has determined WhatsApp’s transmission of user data to parent company Facebook is illegal under French law and given the companies one month to bring themselves into compliance.
Facebook acquired WhatsApp in 2014 and the messaging app subsequently modified its terms of service informing users it would share its data on them with the new parent company.
The move has spurred a number of regulatory actions against Facebook in Europe, including an investigation into the matter by the CNIL.
The French agency concluded its probe on Monday with the determination that WhatsApp “does not have a legal basis” for sharing data with Facebook.
No user consent
More specifically, the regulator noted that WhatsApp hadn’t obtained user consent for its policy change and that users who opposed it had no recourse but to terminate their account.
The CNIL added that because WhatsApp believes it is subject only to American law, it declined to provided the regulator with requested details on French user data provided to Facebook. The CNIL therefore had not been able to fully examine the firm’s data-sharing practices, it said.
The agency gave WhatsApp one month to obtain user consent for sharing their data with Facebook, while giving them the option to decline while continuing to use the service if they chose to do so.
If WhatsApp fails to come into compliance with French law it faces being fined, the CNIL added.
Neither WhatsApp nor Facebook were immediately available for comment.
The CNIL regularly finds itself in conflict with Facebook, Google and other large US IT companies over privacy issues.
During its deliberations the agency noted that in May the European Commission (EC) had fined Facebook 110 million euros (£96m) for having provided “misleading information” whilst the WhatsApp acquisition was being vetted.
Facebook had said during the acquisition process that it had no way of automatically matching its user accounts to WhatsApp users, but two years later launched a service that did exactly that, according to the EC.
“The Commission has found that, contrary to Facebook’s statements in the 2014 merger review process, the technical possibility of automatically matching Facebook and WhatsApp users’ identities already existed in 2014, and that Facebook staff were aware of such a possibility,” the Commission said at the time.
Facebook said at the time the errors were not intentional and that the Commission had confirmed they had not affected the outcome of the merger review.
How much do you know about privacy? Try our quiz!