UK regulator clears Facebook, WhatsApp of data-sharing charges

15 Mar 2018

Facebook, its popular messaging app WhatsApp, and the UK's Information Commissioner's Office (ICO) have reached a truce in the long-running investigation into how Facebook and WhatsApp share user data. The ICO today announced that it has closed its investigation and concluded that WhatsApp and Facebook cannot and in fact do not share user data for anything other than basic data processing.

A couple of years ago it was reported that WhatsApp had plans to share its user data with Facebook, which resulted in a huge outcry amongst its users and privacy advocates around the world.

The two most significant upshots of the latest truce are that WhatsApp and Facebook will not be fined, and that the ICO has got WhatsApp to sign an undertaking in which it has committed publicly not to share personal data with Facebook in the future until the two services can do it in a way that is compliant with the General Data Protection Regulation (GDPR).

"Data protection law does not prevent a company from sharing personal data – they just have to follow the legal requirements," wrote Information Commissioner Elizabeth Denham, who also published her own letter to WhatsApp as part of her blog post.

This is a truce of sorts, and does not mean data won't be shared in future if GDPR rules are met. Notably, Denham said that the ICO would not be fining Facebook as a result of its investigation, since even if WhatsApp intended to do unlawful things, it never actually did.

"I reached the conclusion that an undertaking was the most effective regulatory tool for me to use, given the circumstances of the case," she noted. "As WhatsApp has assured us that no UK user data has ever been shared with Facebook (other than as a 'data processor', as explained below), I would not be able to meet the criteria for issuing a civil monetary penalty under the Data Protection Act."

GDPR is the wide-ranging data protection framework that essentially gives individuals more control over how and where their data is used across digital services. It comes into force in May across the European Union, and it's bringing about a sweep of privacy changes among digital services to fall in line with the new rules.

The ICO investigation started back in August 2016, prompted by an update WhatsApp made to its privacy policy noting that it planned to start sharing user data with Facebook.

While there have never been many questions raised about how Facebook uses data from Messenger in its service, WhatsApp is in a different class. Facebook acquired the startup in 2014 for $19 billion, picking it up after it had long established itself as a business and service.

Crucially, WhatsApp built its reputation by setting itself apart from social services like Facebook and its reliance on advertising, and all the data manipulation that comes along with that.

Denham said that her investigation found several issues with the idea of sharing personal data between WhatsApp and Facebook:

WhatsApp has not identified a lawful basis of processing for any such sharing of personal data;

WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data;

In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained;

"I found that if they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act."

But on the other hand WhatsApp also managed to escape any fines because it halted the data sharing programme before it ever got off the ground.

"My investigation has not been concerned about WhatsApp's sharing of personal data with Facebook when Facebook are only providing a support service to WhatsApp," Denham writes. "The technical term for such sharing is that WhatsApp can use Facebook as a data processor. This is common practice and if done consistently with the law, under contract, does not generally raise data protection concerns."

As Denham points out, there are two other takeaways from this case.

The first is the public outcry and "broad concerns" that arose when the privacy policy was first updated in August 2016 and the message that this gives to tech companies, regulators and others involved in helping shape our digital world. "At the heart of these concerns lies a desire for improved transparency, control, and accountability, at a time when personal data is ever more central to the business models of key players in the digital economy," she writes.

The second will be the wider European ramifications. In Germany, the Hamburg Commissioner of Data Protection and Freedom of Information said earlier this month that the Higher Administrative Court (OVG) Hamburg has now officially also banned Facebook from using WhatsApp user data for its own purposes, while in France the regulator CNIL is currently in the process of bringing enforcement actions of its own.

More generally, while a lot of companies are preparing how they will comply with GDPR, this case highlights how companies are likely to challenge and test the framework as well.