WhatsApp Blasted by EU Data Protection Group Over Facebook Sharing

Yet another privacy coalition is urging WhatsApp to clarify that user information shared between the company and Facebook is compliant with data protection laws on the books in Europe.

The Article 29 Working Party, comprised of representatives from data protection authorities from each EU member state, penned a letter to WhatsApp’s CEO and co-founder Jan Koum late last week, asking the company to halt the collection of user data.

The letter, written by Chairwoman Isabelle Falque-Pierrotin, comes a few weeks after similar letters issued by authorities like the UK’s Information Commissioner’s Office (ICO) and Germany’s Federal Commissioner for Data Protection and Freedom of Information.

All of the notices call out a policy change announced by WhatsApp in August which said the company would soon begin sharing user data with parent company Facebook.

The Article 29 letter (.PDF) asks that WhatsApp specify just what type of data it’s merging, whether it’s names, phone numbers, email, or postal addresses, and whether the company is taking the data from users’ phones or data already stored on its servers.

“This extensive information is essential for enabling WP29 members to correctly conclude whether any changes are necessary in order to ensure that the processing is compliant to the European legal framework,” the letter reads.

WhatsApp users who have agreed to the company’s updated Terms of Service and Privacy Policy have the option – at least for 30 days – to ensure their account information isn’t shared with Facebook. In the app’s account settings users can opt not to share their account information with Facebook. WhatsApp claims the “Facebook family of companies” will still receive user information to improve delivery systems and to fight spam, but the information won’t be used to personally improve ads and product experiences.

Falque-Pierrotin, who’s also the head of France’s data protection authority CNIL, says the Working Party takes issue with how the updated Terms of Service was communicated to users but also questions the “effectiveness” of the app’s control mechanisms that give WhatsApp users, in addition to users who aren’t on Facebook, the option to exercise their rights. Going forward, WP29 says a dedicated working group will “act in a coordinated way” to ensure the company follows European data protection laws.

The Working Party, set up through Article 29 of Directive 95/46/EC back in 1995, is an advisory body set up to monitor data protection and privacy. The group took similar umbrage with Google, years ago, as it was gearing up to roll out a set of privacy regulations combining user data across YouTube, Gmail, and Google+.

The move by WhatsApp has ruffled its fair share of feathers over the past two months. Since the announcement, officials from the Electronic Privacy Information Center and the Center for Digital Democracy have written a letter to FTC’s Chairwoman Edith Ramirez asking to intervene. Similar entities in Germany, the UK, and India have followed suit and asked Facebook to stop collecting data from WhatsApp users.

Koum and fellow co-founder Brian Acton defended the company’s Terms of Service tweak – the first one it’s made in four years – during a Wall Street Journal panel last week. While the men didn’t address the complaints lodged by privacy groups, they did stand by their choice to bridge the gap between both Facebook and WhatsApp user data.

Acton told the crowd at the event, a technology conference dubbed WSJDLive, that the move was partly done to take advantage of Facebook’s spam-detection system, so businesses could contact customers, like if a bank detected a fraudulent charge on a user’s account.

“There was pent up demand. It meant we really needed to build this,” Acton said of the changes.

When reached Monday, a WhatsApp spokesperson said the company was working towards resolving questions brought forth by Article 29 and other authorities.

“We’re working with data protection authorities to address their questions. We’ve had constructive conversations, including before our update, and we remain committed to respecting applicable law,” the statement said.