On October 27, 2016, the Article 29 Data Protection Working Party (Working Party) launched an investigation into WhatsApp’s sharing of user data with Facebook. The Working Party ordered WhatsApp to stop sharing the data pending the investigation into whether the sharing complies with EU privacy law.
EU Privacy Law and Member State Investigations
EU law imposes data privacy obligations on companies that share personal data with third parties, even if the data is shared within a corporate group. Transparency about this data sharing is a core requirement.
On September 27, 2016, Hamburg’s DPA ordered Facebook to stop collecting and storing German WhatsApp user data because it failed to obtain a valid consent from users. It also required Facebook to delete any data already received from WhatsApp. Facebook announced that it will appeal the order.
The UK, Italian and Spanish DPAs have already launched their own investigations on the matter. On November 7, 2016, the UK DPA said that Facebook has agreed to suspend using data from UK WhatsApp users for advertising purposes after the DPA expressed concerns that users affected by the sharing were not properly protected. The UK DPA also required Facebook and WhatsApp to sign an undertaking committing to better explaining to users how their data would be used and giving them ongoing control over the data.
Although the Working Party is an advisory body and its opinions are not binding, it is made up of national DPAs. It is very likely that other DPAs will launch additional actions to address the concerns highlighted in the Working Party’s letter.
About Goodwin’s Privacy & Cybersecurity Practice
Goodwin’s Privacy & Cybersecurity Practice, established formally in 2004, leverages the firm’s core strengths, collaborating across the firm’s highly regarded technology, financial industry, licensing, litigation and investigations, regulatory and appellate practices. This unique approach, focusing on client needs and value, enables us to engage specialists whose experience and leadership is framed by a holistic understanding of the nature and importance of information to modern enterprises.
For more information about this update, or for other assistance regarding privacy and data security matters, please contact Brenda Sharton (Co-Chair, Privacy & Cybersecurity), Lynne Barr (Co-Chair, Privacy & Cybersecurity), Karen Neuman, Privacy lead in the D.C. office, or any member of the Goodwin Privacy & Cybersecurity practice.
About the Authors
Karen Neuman, a partner in the firm’s Business Litigation Group and a member of its Privacy & Cybersecurity Practice, is an internationally recognized privacy lawyer and former Chief Privacy Officer with the U.S. Department of Homeland Security. A solution-oriented practitioner with highly specialized expertise in complex privacy law matters at the intersection of technology and innovation, Ms. Neuman advises organizations and management on a broad range of issues related to data privacy, cybersecurity, and regulatory compliance.
Federica De Santis is a former secondee joining Goodwin from Portolano Cavallo in Rome, Italy. She advises clients on the regulatory, contractual, and litigation aspects of data protection and information governance and cyber-security. In these areas she advises clients on cutting edge legal issues arising from quickly changing technology and business models.