Facebook bypasses EU's ban on WhatsApp data due to increased control
Facebook Inc. escaped a possible European Union ban on its use of WhatsApp customer data but faces an investigation of new terms and services that have sparked outrage among consumer-rights campaigners.
The European Data Protection Board, a panel of EU authorities, on Thursday said Facebook’s practices linked to WhatsApp data should be examined “as a matter of priority” by the Irish privacy watchdog, its main regulator in the region.
“Considering the high likelihood of infringements in particular for the purpose of safety, security and integrity of WhatsApp” and other Facebook units “the EDPB considered that this matter requires swift further investigations,” the EU body said in statement.
WhatsApp announced the policy changes in January, but was forced to delay its introduction until May, because of confusion and user backlash over what data the messaging service collects and how it shares that information with parent Facebook.
Earlier this week, consumer-rights campaigners filed a complaint against WhatsApp over its allegedly “aggressive” roll out of a policy that remains “opaque.”
In Thursday’s decision, the EDPB stopped short of imposing a provisional EU-wide ban on data access, as requested by the Hamburg data privacy commissioner.
The German authority in May imposed a three-month banning order on Facebook to stop it collecting German users’ data from its WhatsApp unit, and asked EU regulators to take a bloc-wide decision.
That decision is currently stuck in a EU dispute resolution procedure, failing to get the full backing of all European data watchdogs.
The Irish authority said it “will give consideration to any appropriate regulatory follow-up where it identifies matters canvassed in the EDPB decision have not already been addressed” in the more advance WhatsApp probe. It added that it is also still working on “a separate, complaint-based inquiry” into “the legal basis that WhatsApp relies upon for processing” and that the “inquiry is also at an advanced stage.”
Europe’s Data Law Is Broken, Departing Privacy Chief Warns
Under the EU’s General Data Protection Regulation, authorities got unprecedented powers to fine companies as much as 4% of their annual sales. The rules also set up a system that puts watchdogs based in a company’s chosen EU hub in charge of supervising them, which has raised tensions as the Irish office grapples with a mountain of probes and colleagues elsewhere accuse it of being too slow.
The Irish Data Protection Commission has at least 28 probes open into Silicon Valley giants, including Apple Inc. and Google -- which all have their EU base in Ireland. Facebook accounts for nine of these investigations and more are pending into its WhatsApp and Instagram businesses.
WhatsApp said it welcomed the decision not to extend the German regulator’s order across the EU, saying it “was based on fundamental misunderstandings as to the purpose and effect of the update to our terms of service.”
“We remain fully committed to delivering secure and private communications for everyone and will work with the Irish Data Protection Commission as our lead regulator in the region in order to fully address the questions raised by the EDPB,” WhatsApp said.
Johannes Caspar, until recently the Hamburg data protection commissioner, who requested an EU-wide decision, said in an emailed that he regretted the EDPB’s “lack of courage” to not see any urgency in this case despite the “considerable doubts” it said it had about Facebook’s data processing.