Introduction

On 25 August 2016, WhatsApp announced that it was changing its terms and privacy policy to (among other things) allow communications with businesses (e.g. an airline could potentially inform you of delays via WhatsApp) and to reflect its end-to-end encryption. The changes also reflected that it would be working more with Facebook to improve tracking of how frequently users use services, to help fight spam and to improve the friend suggestions and adverts that Facebook provides. To continue using WhatsApp, users were asked to read and agree to the terms and privacy policy within 30 days, and users could withdraw this permission within a further 30 days.

A day later, the UK Information Commissioner’s Office (ICO) announced that it would look into these changes. Subsequently, the Article 29 Working Party (a group of representatives from the data protection authorities of each EU member) wrote to WhatsApp with its concerns and, in Germany, Facebook has been ordered to stop collecting and storing the data of German users of WhatsApp.

Update from the ICO

Elizabeth Denham (UK Information Commissioner at the ICO) recently provided an update. The key points were that she thought that:

  • users lacked information on how Facebook would use the information;
  • valid consent had not been obtained from WhatsApp to share the information; and
  • users should have continuing control over how their information is used.

Whilst Facebook has agreed to stop using the data of UK WhatsApp users temporarily (for the purposes of adverts or product improvement), Facebook (and WhatsApp) has not agreed (so far) to sign undertakings that it will provide the above information and control to users. Ms Denham wrote that the ICO will continue pressing this issue together with other European data protection authorities and warned that Facebook may face enforcement action if it does not have valid consent.

Legal Background

In the EU, personal data must be processed fairly and lawfully and cannot be processed unless at least one of certain conditions is met. One of these conditions is to obtain the freely given, specific, unambiguous and informed consent of the person whose data is being processed. Furthermore, personal data will not be processed fairly unless, as far as practicable, the person has been given certain information, including the purpose for which the data is intended to be processed and any further information that may be necessary in the circumstances so that the processing is fair. The ICO is considering whether WhatsApp users were provided with sufficient information and whether they gave sufficient consent.

A new General Data Protection Regulation (GDPR) will apply to EU members in 2018. Despite Brexit, British businesses that trade with EU citizens and businesses and deal in their personal data will have to comply with the GDPR. For more information (and a short webinar) on the GDPR see https://pdtn.org/general-data-protection-regulation-uk-digital-businesses-care/. For information on how Briffa can help you on data protection issues contact us or arrange for a meeting on +44 (0)20 7288 6003.
