Facebook ran into trouble following its acquisition of WhatsApp back in 2014. It appeared to backtrack on an earlier promise not to share data between the two services, and was later warned that it may be breaking the law in the UK and elsewhere …
The UK’s Information Commissioner’s Office (ICO) has now ruled that user data cannot be shared between the services. Commissioner Elizabeth Denham explained her four findings.
My investigation found:
- WhatsApp has not identified a lawful basis of processing for any such sharing of personal data;
- WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data;
- In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained;
- I found that if they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act.
However, she found that no data had yet been shared, and therefore would not be fining the company.
Facebook, for its part, has agreed that it will not do so until it can do so in a way that complies with upcoming European privacy rules, General Data Protection Regulation (GDPR). This does not, however, prevent it sharing data in the US or other non-European countries.
WhatsApp was facing similar legal challenges in France, Germany and Italy.