France gives Facebook 30 days to stop harvesting user data

19 Dec 2017

France's data privacy agency CNIL has ordered WhatsApp to stop sharing data with its owner Facebook, the Verge reported, saying users had not consented to sharing data for business intelligence or targeted advertising functions when the social network disclosed the collection.

CNIL explained in a blog post that while it agreed that it was reasonable for Facebook to collect WhatsApp user data for security reasons, the other purposes were not justified ''on the legal basis required by the Data Protection Act for any processing.'' CNIL showed particular concern over the manner in which the way the data collection programme was rolled out, arguing that Facebook had failed to accurately explain to users why their data was being collected and that users had no ability to opt out if they wanted to remain on WhatsApp. The has given Facebook 30 days to comply.

In its statement, the agency said that it was disclosing the decision because of the ''massive data transfer from WhatsApp to Facebook Inc. and thus to alert to the need for individuals concerned to keep their data under control.''

According to CNIL it had ''repeatedly asked WhatsApp to provide a sample of the French users' data transferred to Facebook,'' but Facebook had refused arguing that as a US company it is not subject to French law.

CNIL said on its website, ''It was observed that the company WHATSAPP actually transfers data concerning its users to the company FACEBOOK Inc., for ''business intelligence'' and security purposes. Thus, information about users such as their phone number or their use habits on the application are shared.

"While the security purpose seems to be essential to the efficient functioning of the application, it is not the case for the ''business intelligence'' purpose which aims at improving performances and optimizing the use of the application through the analysis of its users' behaviour.

"The Chair of the CNIL considered that the data transfer from WHATSAPP to FACEBOOK Inc. for this ''business intelligence'' purpose is not based on the legal basis required by the Data Protection Act for any processing.

In particular, neither the users' consent nor the legitimate interest of WHATSAPP can be used as arguments in this case.

Indeed, on the one hand, the consent is not validly collected because:

it is not specific to this purpose – when installing the application, users must accept that their  data are processed for the messaging service, but also, in general, by FACEBOOK Inc. for  accessory purposes such as the improvement of its service;

it is not free – the only way to refuse the data transfer for ''business intelligence'' purpose is to uninstall the application.

On the other hand, the company WHATSAPP cannot claim a legitimate interest to massively transfer data to the company FACEBOOK Inc. insofar as this transfer does not provide adequate guarantees allowing to preserve the interest or the fundamental freedoms of users since there is no mechanism whereby they can refuse it while continuing to use the application.''