March 14, 2018
GDPR doesn’t kick in until May 25, but we’re already seeing data battles with big tech companies making headlines. In August 2016, the UK Information Commissioner’s Office launched an investigation into whether messaging platform WhatsApp could legally share users’ data with Facebook, who acquired WhatsApp in 2014. The ICO has officially concluded that investigation with a huge win for the data protection of UK consumers.
According to a statement released by the ICO, investigation findings include:
1. WhatsApp has not identified a lawful basis of processing for any such sharing of personal data;
2. WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data;
3. In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained;
4. I found that if they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act.
The conclusion? WhatsApp signed an undertaking in a public commitment to not share personal identifiable data with Facebook until both platforms can do so in a way that is compliant with GDPR.
“Data protection law does not prevent a company from sharing personal data,” says Commissioner Elizabeth Denham. “They just have to follow the legal requirements.”
As we’ve noted before, those requirements are pretty simple to understand (even if implementation is difficult). At the bare minimum, people have the right to keep their personal data to themselves; they have the right to be notified and explained what their data is being used for; and they have the right to give express consent.
It’s worth it to keep in mind that neither Facebook nor WhatsApp have been fined the staggering 20mm Euros (or 4% global annual revenue). Those fine penalties don’t kick in until the May 25 compliance date.
“As WhatsApp has assured us that no UK user data has ever been shared with Facebook (other than as ‘data processor’), I would not be able to meet the criteria for issuing a civil monetary penalty under the Data Protection Act.
This news comes after the High Administrative Court in Hamburg, Germany also banned Facebook from using WhatsApp user data.