Alert November 09, 2016

WhatsApp-Facebook Data Sharing Attracts Scrutiny from EU Privacy Authorities

Summary
European Data Protection Authorities (DPAs) recently launched investigations into WhatsApp’s sharing of user data with Facebook. (Facebook owns WhatsApp.) DPAs ordered WhatsApp to stop sharing the data pending the investigation into whether the sharing complies with EU privacy law. Companies that seek to share their users’ personal data with subsidiaries, affiliates, vendors or other third parties should review and, as necessary, update their privacy policies before implementing any changes to ensure that the contemplated sharing is aligned with privacy policy representations.

Background

On October 27, 2016, the Article 29 Data Protection Working Party (Working Party) launched an investigation into WhatsApp’s sharing of user data with Facebook. The Working Party ordered WhatsApp to stop sharing the data pending the investigation into whether the sharing complies with EU privacy law.

The Working Party said it has “serious concerns” about the validity of users’ consent to the data sharing, since the terms of service and privacy policy that WhatsApp users relied on failed to provide adequate notice and choice. Further, it asked WhatsApp to provide details about the specific data being shared, the source of the data, a list of data recipients and information about the effects of the sharing on users and individuals whose contact details were uploaded to WhatsApp from individual address books, even if those individuals had no connection to either Facebook or WhatsApp.

When WhatsApp was acquired by Facebook in 2014 it assured the public that it would not share user data with Facebook. However, in August 2016, the company announced changes to its terms of service and privacy policy allowing sharing with Facebook and the “Facebook family of companies” for a range of purposes, including advertising. WhatsApp users could opt out of the data sharing for advertising.

EU Privacy Law and Member State Investigations

EU law imposes data privacy obligations on companies that share personal data with third parties, even if the data is shared within a corporate group. Transparency about this data sharing is a core requirement.

On September 27, 2016, Hamburg’s DPA ordered Facebook to stop collecting and storing German WhatsApp user data because it failed to obtain a valid consent from users. It also required Facebook to delete any data already received from WhatsApp. Facebook announced that it will appeal the order.

The UK, Italian and Spanish DPAs have already launched their own investigations on the matter. On November 7, 2016, the UK DPA said that Facebook has agreed to suspend using data from UK WhatsApp users for advertising purposes after the DPA expressed concerns that users affected by the sharing were not properly protected. The UK DPA also required Facebook and WhatsApp to sign an undertaking committing to better explaining to users how their data would be used and giving them ongoing control over the data.

Although the Working Party is an advisory body and its opinions are not binding, it is made up of national DPAs. It is very likely that other DPAs will launch additional actions to address the concerns highlighted in the Working Party’s letter.

In light of the current proceedings, companies that seek to share their users’ personal data with subsidiaries, affiliates, vendors or other third parties should review and, as necessary, update their privacy policies before implementing any changes to ensure that the contemplated sharing is aligned with privacy policy representations.

About Goodwin’s Privacy & Cybersecurity Practice

Goodwin’s Privacy & Cybersecurity Practice, established formally in 2004, leverages the firm’s core strengths, collaborating across the firm’s highly regarded technology, financial industry, licensing, litigation and investigations, regulatory and appellate practices. This unique approach, focusing on client needs and value, enables us to engage specialists whose experience and leadership is framed by a holistic understanding of the nature and importance of information to modern enterprises.

For more information about this update, or for other assistance regarding privacy and data security matters, please contact Brenda Sharton (Co-Chair, Privacy & Cybersecurity), Lynne Barr (Co-Chair, Privacy & Cybersecurity), Karen Neuman, Privacy lead in the D.C. office, or any member of the Goodwin Privacy & Cybersecurity practice.

 About the Authors

Karen Neuman, a partner in the firm’s Business Litigation Group and a member of its Privacy & Cybersecurity Practice, is an internationally recognized privacy lawyer and former Chief Privacy Officer with the U.S. Department of Homeland Security. A solution-oriented practitioner with highly specialized expertise in complex privacy law matters at the intersection of technology and innovation, Ms. Neuman advises organizations and management on a broad range of issues related to data privacy, cybersecurity, and regulatory compliance.

Federica De Santis is a former secondee joining Goodwin from Portolano Cavallo in Rome, Italy. She advises clients on the regulatory, contractual, and litigation aspects of data protection and information governance and cyber-security. In these areas she advises clients on cutting edge legal issues arising from quickly changing technology and business models.