WhatsApp-Facebook data-sharing deal probed by UK privacy watchdog

Well that was fast. Just one day after WhatsApp revealed a sea-change in its attitude to user data, by detailing plans to share the mobile numbers and last seen status of its users with parent company Facebook for ad-targeting and marketing purposes, the UK’s data protection watchdog has fired a warning shot across Zuckerberg’s bows by announcing it intends to investigate the arrangement.

In a statement today, fresh-in-post UK information commissioner, Elizabeth Denham, who only took up the role last month, said: “We’ve been informed of the changes. Organisations do not need to get prior approval from the ICO to change their approaches, but they do need to stay within data protection laws. We are looking into this.”

Denham said the regulator will be considering whether the two companies are being transparent with users about how their data is being shared and used.

“The changes WhatsApp and Facebook are making will affect a lot of people. Some might consider it’ll give them a better service, others may be concerned by the lack of control. Our role is to pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared, and protecting consumers by making sure the law is being followed,” she added.

A WhatsApp spokesperson had this to say when asked for comment on the ICO’s interest in its new privacy policy: “We look forward to answering any questions regulators or other stakeholders have about this update.”

Discussing the legal implications of the new data-sharing arrangement between WhatsApp and Facebook with TechCrunch earlier today, Scott Vernick, partner and head of the data security and privacy practice at U.S. law firm Fox Rothschild LLP, suggested regulators will be keen to ensure the language used in the updated T&Cs clearly and accurately conveys the changes being made.

“The question that any regulator will be asking is whether or not the new policies and the way in which you opt into them — or opt out of them — is expressed in clear to the average user,” he said. “There’s no doubt that a disclosure is being made, but it’s a question of whether it’s transparent enough to the average user so you know exactly what it is you’re giving up.”

When WhatsApp users are prompted to agree to the new T&Cs in the app, the wording that describes the purpose of the setting where they can opt out of sharing data with Facebook is as follows: “Share my WhatsApp account information with Facebook to improve my Facebook ads and products experiences. Your chats and phone number will not be shared onto Facebook regardless of this setting.” — Emphasis theirs.

It’s possible that someone reading that wording quickly might think their phone number will not be shared with Facebook. When in fact it will be shared with Facebook the company. (But will just not be publicly posted onto their own Facebook page.) So there certainly looks to be some room for confusion, although it remains to be seen whether the ICO will view the phrasing as troublingly opaque or not.

Vernick also suggested another area that might be problematic for the WhatsApp/Facebook data-sharing arrangement is if the two companies gave certain guarantees to regulators about how they would handle user data at the time of the WhatsApp acquisition — and can now be shown to be reneging on any earlier commitments.

“The regulators have been much more active in looking at the M&A space, and looking at the privacy consequences for M&A activity,” he noted. “And so I could see a scenario in which if either Facebook or WhatsApp or the both of them made certain representations to the regulators, either in the States or in Europe, about what was going to happen with individual user information once the two companies hooked up and now they’re going back on that, then that could be a real issue.”

Potential legal implications aside, Vernick argued there is an unavoidable “visceral” reaction to such a big change by WhatsApp on sharing user data, given how the company has previously positioned itself as a privacy champion — which in itself could have serious trust/reputational consequences if users feel betrayed.

“I think there’s a real visceral issue here which in some ways is more important than the legal issue — not that the legal issues aren’t important, but it’s just this idea that as consumers, or as users, we continue — assuming there’s anything left to lose — we just continue to lose more,” he said.

“It feels like a bit of a bait and switch. Or it feels like I’m losing more control even though my choices are ‘well if you don’t like it, just don’t use it’,” he added.

In terms of ‘choice’, other encrypted messaging apps are of course available. One example, Telegram, offers end-to-end encryption via a secret chats features. Another, Signal, is made by the same company that makes the open source secure-messaging protocol that WhatsApp has rolled out to its own app — completing that rollout earlier this year.

Telegram founder Pavel Durov confirmed to TechCrunch the app has seen a small bump in downloads since the WhatsApp privacy policy change was announced, with an increase of new users in the region of 30 to 40 per cent over the past 24 hours. Although he added that it has not seen “millions” of downloads — as it did when the Facebook-WhatsApp acquisition was announced, back in February 2014.