Facebook may face action from EU privacy regulators over WhatsApp data transfers, German watchdog says

16 May 2018 10:44am
Eu Flag on Keyboard

14 May 2018. By Vesela Gladicheva.

The transfer of personal data between WhatsApp and parent company Facebook, previously criticized by EU privacy regulators, could come under watchdogs' scrutiny after the bloc's strict new data-protection rules come into effect on May 25, a German data regulator has said.

Johannes Caspar, who heads the data-protection authority of Hamburg, told MLex that the matter "might be the first case" for the EU's new data-protection umbrella body, the European Data Protection Board.

The EDPB will become operational on May 25, when the EU's General Data Protection Regulation comes into force. It will be able to issue binding decisions to be enforced by individual privacy regulators in cross-border cases.

Last October, EU privacy regulators voiced concern about transfers of user data from WhatsApp to Facebook, identifying deficiencies in the way WhatsApp seeks permission from users for passing on their data.

Caspar told MLex today that WhatsApp continues to share "limited categories of information" with Facebook, such as device and usage data, according to the company's privacy policy.

"That is really astonishing," he said. "It seems that WhatsApp has just reactivated former plans to exchange user data with Facebook. Despite two German court decisions, which confirmed an administrative order of the Hamburg [data-protection authority] against this data transformation, the entry into force of the GDPR marks obviously a new try for downsizing the data-protection standards." 

In February, a Hamburg court said in a provisional ruling that Facebook may not use WhatsApp’s private data of German users. It sided with a decision by the city's lower administrative tribunal, after Facebook challenged an order by the Hamburg privacy regulator. The court found that users’ consent to terms of use and data-protection guidelines is likely to constitute a breach of German privacy standards.

"It's crucial for me that after the GDPR [comes into effect] data subjects must have more rights than before," Caspar told a conference* in Berlin today. 

Under the GDPR, if a national privacy regulator decides to investigate an international company, which is not based in its country, the regulator would need to go to the regulator in the country where the company in question is headquartered.

If that "lead authority" would not investigate the matter, or is investigating it in a different, unsatisfactory way to the authority that originally raised concerns, then the case would go straight to the EDPB.

*Eighth European Data Protection Days 2018. Berlin, Germany. May 14-15, 2018.

CCPA Report