WhatsApp can’t share user data with parent Facebook without breaking the upcoming General Data Protection Regulation (GDPR), so it won’t.
It’s signed a public commitment not to share personal data with Facebook until data protection concerns are addressed.
No harm, no foul, no fine, the Information Commissioner’s Office (ICO) said on Wednesday as it wrapped up an investigation into whether WhatsApp could legally share users’ data with Facebook as it wanted.
In August 2016, WhatsApp announced that it was going to start sharing users’ phone numbers and other personal information with Facebook, in spite of years of promises that it would never, ever do such a thing.
The move was for ad targeting, of course, and to give businesses a way to communicate with users about other things, like letting your bank inform you about a potentially fraudulent transaction or getting a heads-up from an airline about a delayed flight. The reasons fell into three buckets: targeted advertising, security, and evaluation and improvement of services (“business intelligence”).
For a window of 30 days, WhatsApp offered users the option of opting out of data sharing for the purposes of advertising, but no way to entirely opt out of the new data sharing scheme.
The move outraged privacy advocates. After all, at the time of its $19 billion acquisition by Facebook in 2014, WhatsApp had promised never to share data.
That promise goes back further still. In November 2009, WhatsApp founder Jan Koum posted this to the company’s blog:
So first of all, let’s set the record straight. We have not, we do not and we will not ever sell your personal information to anyone. Period. End of story. Hopefully this clears things up.
Clear as mud. In December, France told WhatsApp and Facebook to knock off the data sharing. France’s ultra-vigilant privacy watchdog, the Chair of the National Data Protection Commission (CNIL), gave WhatsApp and Facebook a month to comply with an order to stop sharing data. In its public notice, it said that the messaging app will face sanctions for sharing user phone numbers and usage data for “business intelligence” purposes if it didn’t comply.
Germany had in September 2016 already told WhatsApp to stop sharing German users’ data with Facebook. The UK told it in November 2016 to back off, before Facebook even started.
WhatsApp swore that it would work to comply with all these data protection authorities, even though they were all barking out differing orders:
We’re committed to resolving the different, and at times conflicting, concerns we’ve heard from European Data Protection Authorities with a common EU approach before the General Data Protection Regulation comes into force in May 2018.
Ahhh, the GDPR: it’s right around the corner, and it features in that public commitment the ICO got WhatsApp to sign.
The document outlines the history of WhatsApp’s privacy policy before and after the Facebook acquisition. The upshot: outside of using UK customers’ data as a “data processor” – data sharing done in order for Facebook to provide support service to WhatsApp, such as to run its messaging service, or perhaps to help out a business that takes out an ad on Facebook to refer people to its WhatsApp account – there’s been no data shared.
Data processing is “common practice,” ICO’s Elizabeth Denham said, and generally doesn’t raise data protection concerns when it’s done right:
My investigation has not been concerned about WhatsApp’s sharing of personal data with Facebook when Facebook are only providing a support service to WhatsApp.
The technical term for such sharing is that WhatsApp can use Facebook as a data processor. This is common practice and if done consistently with the law, under contract, does not generally raise data protection concerns.
In the public commitment, WhatsApp promises to refrain from sharing data with Facebook until the GDPR comes into effect in May, and only if it can do so in accordance with the regulation.
Denham said in her announcement that the investigation had been sparked by outcry from the public and from regulators over WhatsApp and Facebook sharing data.
At the heart of these concerns lies a desire for improved transparency, control, and accountability, at a time when personal data is ever more central to the business models of key players in the digital economy.
One of many examples of that loud outcry: The EU’s influential privacy body, the Article 29 Working Party (WP29), in October 2016 published an unflattering open letter outlining its worries.
Isabelle Falque Pierrotin, who chairs the working party, explained the problem, which was that the new terms had contradicted promises made to users when they signed up for the service:
These changes have been introduced in contradiction with previous public statements of the two companies ensuring that no sharing of data would ever take place.
The companies had also been vague about the precise nature of the sharing, she said:
The Article 29 Working Party has serious concerns regarding the manner in which the information relating to the updated Terms of Service and Privacy Policy was provided to users and consequently about the validity of the users’ consent.