A day later, the UK Information Commissioner’s Office (ICO) announced that it would look into these changes. Subsequently, the Article 29 Working Party (a group of representatives from the data protection authorities of each EU member) wrote to WhatsApp with its concerns and, in Germany, Facebook has been ordered to stop collecting and storing the data of German users of WhatsApp.
Update from the ICO
Elizabeth Denham (UK Information Commissioner at the ICO) recently provided an update. The key points were that she thought that:
- users lacked information on how Facebook would use the information;
- valid consent had not been obtained from WhatsApp to share the information; and
- users should have continuing control over how their information is used.
Whilst Facebook has agreed to stop using the data of UK WhatsApp users temporarily (for the purposes of adverts or product improvement), Facebook (and WhatsApp) has not agreed (so far) to sign undertakings that it will provide the above information and control to users. Ms Denham wrote that the ICO will continue pressing this issue together with other European data protection authorities and warned that Facebook may face enforcement action if it does not have valid consent.
In the EU, personal data must be processed fairly and lawfully and cannot be processed unless at least one of certain conditions is met. One of these conditions is to obtain the freely given, specific, unambiguous and informed consent of the person whose data is being processed. Furthermore, personal data will not be processed fairly unless, as far as practicable, the person has been given certain information, including the intended purpose that the data is to be processed for and any further information that may be necessary in the circumstances so that the processing is fair. The ICO is considering whether WhatsApp users were provided with sufficient information and whether they gave sufficient consent.
A new General Data Protection Regulation (GDPR) will apply to EU members in 2018. Despite Brexit, British businesses that trade with EU citizens and businesses and deal in their personal data will have to comply with the GDPR. For more information (and a short webinar) on the GDPR see https://pdtn.org/general-data-protection-regulation-uk-digital-businesses-care/. For information on how Briffa can help you on data protection issues contact us or arrange for a meeting on +44 (0)20 7288 6003.