Facebook may face action from EU privacy regulators over WhatsApp data transfers, German watchdog says
14 May 2018. By Vesela Gladicheva.
The transfer of personal data between WhatsApp and parent company Facebook, previously criticized by EU privacy regulators, could come under watchdogs' scrutiny after the bloc's strict new data-protection rules come into effect on May 25, a German data regulator has said.
Johannes Caspar, who heads the data-protection authority of Hamburg, told MLex that the matter "might be the first case" for the EU's new data-protection umbrella body, the European Data Protection Board.
The EDPB will become operational on May 25, when the EU's General Data Protection Regulation comes into force. It will be able to issue binding decisions to be enforced by individual privacy regulators in cross-border cases.
Last October, EU privacy regulators voiced concern about transfers of user data from WhatsApp to Facebook, identifying deficiencies in the way WhatsApp seeks permission from users for passing on their data.
"That is really astonishing," he said. "It seems that WhatsApp has just reactivated former plans to exchange user data with Facebook. Despite two German court decisions, which confirmed an administrative order of the Hamburg [data-protection authority] against this data transformation, the entry into force of the GDPR marks obviously a new try for downsizing the data-protection standards."
"It's crucial for me that after the GDPR [comes into effect] data subjects must have more rights than before," Caspar told a conference* in Berlin today.
Under the GDPR, if a national privacy regulator decides to investigate an international company, which is not based in its country, the regulator would need to go to the regulator in the country where the company in question is headquartered.
If that "lead authority" would not investigate the matter, or is investigating it in a different, unsatisfactory way to the authority that originally raised concerns, then the case would go straight to the EDPB.
*Eighth European Data Protection Days 2018. Berlin, Germany. May 14-15, 2018.