According to the Information Commissioners Office (ICO) website instant messaging giant WhatsApp has signed a public commitment to not share personal data with Facebook until they can do so in compliance with the upcoming General Data Protection Regulation (GDPR).
Its updated policy in 2016 emphasised that it could share user data: “Facebook and other companies in the Facebook family may also use information from us (WhatsApp) to improve your experience within their service.” It was this move that sparked an investigation by the ICO led by Information Commissioner Elizabeth Denham to decide if WhatsApp could legally share users’ data.
Denham said of the action: “I reached the conclusion that an undertaking was the most effective regulatory tool for me to use, given the circumstances of the case. As WhatsApp has assured us that no UK user data has ever been shared with Facebook (other than as a ‘data processor’), I would not be able to meet the criteria for issuing a civil monetary penalty under the Data Protection Act. I would like to stress that signing an undertaking is not the end of the story. I will closely monitor WhatsApp’s adherence to it.”
Results of ICO Investigation
• WhatsApp has not identified a lawful basis of processing for any such sharing of personal data
• WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data
• In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained
• If they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act.
Facebook’s Shadow Profiles
Under GDPR individuals will have the right to know what information an organisation holds about them, including data obtained from others. Currently Facebook’s ‘shadow profile’ accumulates and stores data about every address you’ve ever lived at, mobile phone number ever associated with you, any social network profiles associated with you, nicknames, instant messages accounts you are connected with and anything other people have added about you to their phone.
This means that friends who opt to share their contacts with Facebook will also inadvertently share your details too. Facebook refuses to share the contents of your shadow profiles and the PYMK system they feed into, can’t be turned off or opted out of. The UK is not alone in raising concerns over its sharing policy, France has already ordered WhatsApp to stop sharing data and Germany has banned it outright. Previously, the EU fined Facebook £94 million for providing misleading information of its technical capabilities in terms of sharing over data.
Facebook said on their business page: “Facebook takes data protection and people’s privacy very seriously and we are committed to continuing to comply with data protection laws. At Facebook, preparations are well underway to ensure that our products and services comply with the GDPR. Facebook and its affiliates, including Instagram, Oculus and WhatsApp, will all comply with the GDPR. Our team has been working to review and expand our tools to help people manage their privacy and understand their choices with respect to their personal data.”