After Facebook’s purchase of WhatsApp in 2015, new terms of service and privacy policies were released explaining that user data would be transferred from WhatsApp to Facebook for targeted advertising, security, and evaluation and improvement of services. The CNIL (the French equivalent of the Information Commissioner’s Office) challenged this data transfer and investigated.
The CNIL found that transferring data for the purpose of evaluation and improvement of services (or ‘business intelligence’) had no legal basis for processing: the consent given by data subjects was not specific to this purpose, and giving it is compulsory in order to use the application. In addition, legitimate interest doesn’t apply as “this transfer does not provide adequate guarantees to preserve the interest or the fundamental freedoms of the users” since there is no mechanism whereby users can refuse the transfer while continuing to use the application.
On several occasions, the CNIL requested a sample of the French users’ data that had been transferred to Facebook, but WhatsApp did not cooperate, stating that it is only subject to the law of the country in which it is based: the United States.
Consequently, the chair of the CNIL has issued a formal notice to WhatsApp to comply with France’s data protection act within one month, making the record public in order to raise awareness of the data transfers. The CNIL has stated that, if WhatsApp fails to comply with the notice, it may take the next step towards issuing a sanction.
It’s essential to understand what personal data your business possesses, how it processes that data and whether there is a lawful basis for processing it. Documenting this is a key element for compliance with the General Data Protection Regulation (GDPR), which applies from May 2018.