France puts Facebook on notice over WhatsApp data transfers

France puts Facebook on notice over WhatsApp data transfers
From TechCrunch - December 19, 2017

Facebook and WhatsApp have been issued with formal notices by Frances data protection watchdog warning that data transfers being carried out for business intelligence purposes currently lack a legal basisand consequently that Facebook Inc, WhatsApps owner, has violated the French Data Protection Act.

WhatsApp has been given a month to remedy the situation or could face additional investigation by the CNILand the potential for a sanction to be issued against it in future.

In August 2016the social networking giant caused massive controversy when its messaging platform WhatsApp announced a privacy U-turnsaying it would shortly begin sharing user data with its parent, Facebook, and Facebooks network of companies, despite the founders prior publicly stated stance that user privacy would never be compromised as a result of the Facebook acquisition.

WhatsApps founder, Jan Koum, had also assured users that ads would not be added to the platform. However the data-sharing arrangement with Facebook included ad-targeting purposes among its listed reasons.

Users were offered an opt-out, but only a time-limited onewhich also required they actively read through terms & conditions to find and uncheck a default-checked box to prevent information such as their mobile phone number being shared with Facebook for ad targeting (shared phone numbers enabling the company to link a users Facebook profile and activity with their WhatsApp account).

The companys subsequent teeing up of a monetization strategy for WhatsApp, via the forthcoming launch of business accounts, likely explains its push to link users of the end-to-end encrypted messaging platform with Facebook users, where the same people have likely engaged in far more public digital activitysuch as liking pages, searching for content, and making posts and comments that Facebook is able to read.

And thats how a platform giant which owns multiple social networks is able to circumvent the privacy firewall provided by e2e encryption to still be able to perform ad-targeting. (Facebook doesnt need to read your WhatsApp messages because it has a granular profile of who you are, based on your multi-years of Facebook activity And while business accounts dont constitute literal display ads, in the traditional sense, they clearly open up ample targeting opportunities for Facebook to engineer once it links all its user profiling data.)

In May this yearFacebook was fined $122Mby the European Commission for providing incorrect or misleading information at the time of its 2014 acquisition of WhatsAppwhen it had claimed it could not automatically match user accounts betweenits own platform and WhatsApp. And then three years later was doing exactly that.

In the European Union another twist to this story is that Facebooks data transfers between WhatsApp and Facebookforads/product purposes were quickly suspendedthe CNIL confirms in its notice thatFacebook told it the data of its 10M French users have never been processed for targeted advertising purposesafter local regulators intervened, andobjected publiclythat Facebook had not provided users with enough information about what it planned to do with their data, nor secured valid consent to share their information. Another bone of contention was over the opt-out being time-limited to just a 30-day window.

However the CNILs intervention now is based on a continued investigation of the data transfers covering the two other areas Facebook claimed it would be using the WhatsApp user data fornamely security and evaluation and improvement of services (aka business intelligence).

And while the regulator seems satisfied that security is a valid and legal reason to transfer the datawriting that it seems to be essential to the efficient functioning of the applicationbusiness intelligence is another matter, with CNIL noting the purpose here aims at improving performances and optimizing the use of the application through the analysis of its users behavior.

The chair of the CNIL considered that the data transfer from WhatsApp to Facebook Inc. for this business intelligence purpose is not based on the legal basis required by the Data Protection Act for any processing, it continues. In particular, neither the users consent nor the legitimate interest of WhatsApp can be used as arguments in this case.


Continue reading at TechCrunch »