Facebook, its popular messaging app WhatsApp, and the UK’s Information Commissioner’s Office (ICO) have reached a truce in their long-running investigation over how Facebook and WhatsApp share user data. The ICO today announced that it has closed its investigation and concluded that WhatsApp and Facebook, in fact, cannot and do not share user data for anything other than basic data processing. The two most significant upshots of this: WhatsApp (and Facebook) will not be fined; and the ICO has gotten WhatsApp to sign an undertaking in which it has committed publicly not to share personal data with Facebook in the future until the two services can do it in a way that is compliant with General Data Protection Regulation (GDPR).
“Data protection law does not prevent a company from sharing personal data – they just have to follow the legal requirements,” writes Commissioner Elizabeth Denham, who also published her own letter to WhatsApp as part of her blog post.
This is a truce of sorts. Notably, Commissioner Denham said that the ICO would not be fining Facebook as a result of its investigation since, even if WhatsApp intended to do unlawful things, it never actually did, which is a win for Facebook, too.
“I reached the conclusion that an undertaking was the most effective regulatory tool for me to use, given the circumstances of the case,” she notes. “As WhatsApp has assured us that no UK user data has ever been shared with Facebook (other than as a ‘data processor’, as explained below), I would not be able to meet the criteria for issuing a civil monetary penalty under the Data Protection Act.”
GDPR is the wide-ranging data protection framework that essentially gives individuals more control over how and where their data is used across digital services. It comes into force in May across the European Union, and it’s bringing about a sweep of privacy changes among digital services to fall in line with the new rules.
While there have never been many questions raised about how Facebook uses data from Messenger in its service (I wonder if there should?), WhatsApp is in a different class. Facebook acquired the startup in 2014 for $19 billion, picking it up after it had long established itself as a business and service. Crucially, WhatsApp built its reputation on setting itself apart from social services like Facebook and its reliance on advertising, and all the data manipulation that comes along with that.
Denham said that her investigation found several issues with the idea of sharing personal data between WhatsApp and Facebook:
“WhatsApp has not identified a lawful basis of processing for any such sharing of personal data;
WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data;
In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained;
I found that if they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act.”
But, on the other hand, WhatsApp also managed to escape any fines because it halted the data sharing program before it ever got off the ground.
Going forward, there are a few interesting loopholes for where data can be shared between the two platforms.
Specifically, they can share in cases where Facebook is a “data processor” and is providing a support service to WhatsApp. For example, this would apply in the use of servers to run its messaging service, or perhaps in running a relay for a business that is taking out an ad on Facebook to refer people to its WhatsApp account.
“My investigation has not been concerned about WhatsApp’s sharing of personal data with Facebook when Facebook are only providing a support service to WhatsApp,” she writes. “The technical term for such sharing is that WhatsApp can use Facebook as a data processor. This is common practice and if done consistently with the law, under contract, does not generally raise data protection concerns.”
As Denham points out, there are two other takeaways from this case.
The second will be the wider European ramifications. In Germany, the Hamburg Commissioner of Data Protection and Freedom of Information said earlier this month that the Higher Administrative Court (OVG) Hamburg has now officially also banned Facebook from using WhatsApp user data for its own purposes, while in France the regulator CNIL is currently in the process of bringing enforcement actions of its own.
More generally, while a lot of companies are preparing how they will comply with GDPR, this case highlights how companies will likely challenge and test the framework as well. I’m not sure Facebook will give up so quickly and it will be worth watching what kind of workarounds, if any, it comes up with to continue in its wider strategy to “connect” us all.
Update: A WhatsApp spokesperson has also provided us with a comment about the outcome of the ICO’s investigation.
“WhatsApp cares deeply about the privacy of our users,” he said. “We collect very little data and every message is end-to-end encrypted. As we’ve repeatedly made clear for the last year we are not sharing data in the ways that the U.K. Information Commissioner has said she is concerned about anywhere in Europe.”