The French data protection authority CNIL is giving Facebook-owned WhatsApp one month to start complying with French privacy law when sharing user data with its parent company.
Continue Reading Below
If WhatsApp does not bring its data sharing with Facebook into compliance with France's Data Protection Act, it could face fines, CNIL warned in a formal notice Monday.
The ultimatum comes after WhatsApp in August 2016 started sharing certain user information, like phone numbers and analytics data, with Facebook. The move, according to WhatApp, is intended to fight spam and abuse and improve the user experience. By connecting phone numbers, Facebook can offer better friend suggestions and show more relevant ads, WhatsApp said at the time.
That prompted concern from European Union regulators, who in October 2016 opened an antitrust investigation into the practice. Now, France's CNIL, whose mission is to "protect personal data, support innovation, preserve individual liberties," says WhatsApp has not properly obtained users' consent to share their information with Facebook, a violation the Data Protection Act.
The privacy watchdog doesn't have a problem with the transfer of user data for security purposes, noting that this "seems to be essential to the efficient functioning of the application," but said that's not the case for the business intelligence purpose.
"When installing [WhatsApp], users must accept that their data are processed for the messaging service, but also, in general, by Facebook for accessory purposes such as the improvement of its service," the note reads. "The only way to refuse the data transfer for 'business intelligence' purpose is to uninstall the application."
CNIL said it has "repeatedly" asked WhatsApp to provide a sample of French users' data transferred to Facebook, and the company has not yet handed over the information.
"The company explained that it could not supply the sample … since, as it is located in the United States, it considers that it is only subject to the legislation of this country," CNIL wrote, adding that WhatsApp's failure to cooperate is another violation of the Data Protection Act. So, CNIL is now giving WhatsApp one month to comply with the Act, or face fines.
"Should WhatsApp fail to comply with the formal notice within the specified timescale, the Chair [of the CNIL] may appoint an internal investigator, who may draw up a report proposing that the CNIL… issue a sanction against the company."
WhatsApp said it plans to work with CNIL on a solution. "Privacy is incredibly important to WhatsApp," a spokesperson told PCMag. "It's why we collect very little data, and encrypt every message. We will continue to work with the CNIL and are committed to resolving the different, and at times conflicting concerns, we've heard from European Data Protection Authorities with a common EU approach before the General Data Protection Regulation comes into force in May 2018."