WhatsApp will not share user data with Facebook until it complies with GDPR, ICO closes investigation

Facebook, its popular messaging app WhatsApp, and the UK’s Information Commissioner’s Office (ICO) have reached a truce in their long-running investigation over how Facebook and WhatsApp share user data. The ICO today announced that it has closed its investigation and concluded that WhatsApp and Facebook, in fact, cannot and do not share user data for anything other than basic data processing. The two most significant upshots of this: WhatsApp (and Facebook) will not be fined; and the ICO has gotten WhatsApp to sign an undertaking in which it has committed publicly not to share personal data with Facebook in the future until the two services can do it in a way that is compliant with General Data Protection Regulation (GDPR).

“Data protection law does not prevent a company from sharing personal data – they just have to follow the legal requirements,” writes Commissioner Elizabeth Denham, who also published her own letter to WhatsApp as part of her blog post.

This is a truce of sorts. Notably, Commissioner Denham said that the ICO would not be fining Facebook as a result of its investigation, since, even if WhatsApp intended to do unlawful things, it never actually did, which is a win for Facebook, too.

“I reached the conclusion that an undertaking was the most effective regulatory tool for me to use, given the circumstances of the case,” she notes. “As WhatsApp has assured us that no UK user data has ever been shared with Facebook (other than as a ‘data processor’, as explained below), I would not be able to meet the criteria for issuing a civil monetary penalty under the Data Protection Act.”

GDPR is the wide-ranging data protection framework that essentially gives individuals more control over how and where their data is used across digital services. It comes into force in May across the European Union, and it’s bringing about a sweep of privacy changes among digital services to fall in line with the new rules.

The ICO investigation started back in August 2016, prompted by an update WhatsApp made to its privacy policy noting that it planned to start sharing user data with Facebook.

While there have never been many questions raised about how Facebook uses data from Messenger in its service (I wonder if there should be?), WhatsApp is in a different class. Facebook acquired the startup in 2014 for $19 billion, picking it up after it had long established itself as a business and service. Crucially, WhatsApp built its reputation on setting itself apart from social services like Facebook and its reliance on advertising, and all the data manipulation that comes along with that.

In addition to being an unpopular move at the time, the change in WhatsApp’s privacy policy flew directly in the face of assurances that WhatsApp and Facebook had made long before and during the acquisition period that neither had any intention of ever turning WhatsApp customers into the “product” and using their data in Facebook’s service, or in ways that Facebook is known to use data.

Denham said that her investigation found several issues with the idea of sharing personal data between WhatsApp and Facebook:

“WhatsApp has not identified a lawful basis of processing for any such sharing of personal data;
WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data;
In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained;
I found that if they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act.”

But, on the other hand, WhatsApp also managed to escape any fines because it halted the data sharing program before it ever got off the ground.

Going forward, there are a few interesting loopholes for where data can be shared between the two platforms.

Specifically, they can share in cases where Facebook is a “data processor” and is providing a support service to WhatsApp. For example, this would apply in the use of servers to run its messaging service, or perhaps in running a relay for a business that is taking out an ad on Facebook to refer people to its WhatsApp account.

“My investigation has not been concerned about WhatsApp’s sharing of personal data with Facebook when Facebook are only providing a support service to WhatsApp,” she writes. “The technical term for such sharing is that WhatsApp can use Facebook as a data processor. This is common practice and if done consistently with the law, under contract, does not generally raise data protection concerns.”

As Denham points out, there are two other takeaways from this case.

The first is the public outcry and “broad concerns” that arose when the privacy policy was first updated in August 2016 and the message that this gives to tech companies, regulators and others involved in helping shape our digital world. “At the heart of these concerns lies a desire for improved transparency, control, and accountability, at a time when personal data is ever more central to the business models of key players in the digital economy,” she writes.

The second will be the wider European ramifications. In Germany, the Hamburg Commissioner of Data Protection and Freedom of Information said earlier this month that the Higher Administrative Court (OVG) Hamburg has now officially also banned Facebook from using WhatsApp user data for its own purposes, while in France the regulator CNIL is currently in the process of bringing enforcement actions of its own.

More generally, while a lot of companies are preparing how they will comply with GDPR, this case highlights how companies will likely challenge and test the framework as well. I’m not sure Facebook will give up so quickly and it will be worth watching what kind of workarounds, if any, it comes up with to continue in its wider strategy to “connect” us all.

Update: A WhatsApp spokesperson has also provided us with a comment about the outcome of the ICO’s investigation.

“WhatsApp cares deeply about the privacy of our users,” he said. “We collect very little data and every message is end-to-end encrypted. As we’ve repeatedly made clear for the last year we are not sharing data in the ways that the U.K. Information Commissioner has said she is concerned about anywhere in Europe.”

Ahead of GDPR coming into effect, we understand that WhatsApp is in the process of updating its privacy policy again, and it will be going into more detail then about how it might propose to share data in the future between different Facebook services.