France’s data privacy watchdog may fine messaging app WhatsApp if it does not comply with an order to bring its sharing of user data with parent company Facebook into line with French privacy law.
The French data protection authority – CNIL – said on Monday it had told WhatsApp to comply with the order within one month, and pay particular attention to obtaining users’ consent. If WhatsApp does not comply it could sanction the company, it said.
The CNIL said WhatsApp did not have the legal basis to share user data with Facebook and had violated its obligation to cooperate with the French authority. WhatsApp, bought by Facebook in 2014, said it would begin sharing some user data with the social media group in 2016, drawing warnings from European privacy watchdogs about getting the appropriate consent. In October, European Union privacy regulators criticized WhatsApp for not resolving their concerns over the messaging service’s sharing of user data with Facebook a year after they first issued a warning. The French regulator said WhatsApp had not properly obtained users’ consent to begin sharing their phone numbers with Facebook for “business intelligence” purposes. “The only way to refuse the data transfer for “business intelligence” purpose is to uninstall the application,” the CNIL said in a statement. The regulator accepted the transfer of user data for security purposes seemed to be essential to the functioning of the application. But the watchdog also said the same did not apply for “business intelligence” purposes which aim to improve the apps’ performance. “Privacy is incredibly important to WhatsApp. It’s why we collect very little data, and encrypt every message,” a spokeswoman for WhatsApp said. “We will continue to work with the CNIL to ensure users understand what information we collect, as well as how it’s used. And we’re committed to resolving the different, and at times conflicting, concerns we’ve heard from European Data Protection Authorities with a common EU approach before the General Data Protection Regulation comes into force in May 2018.” European data protection authorities can only impose small fines at the moment, but a new EU privacy law entering into force next year will increase fines to up to 4 percent of a company’s global turnover. The CNIL said it had repeatedly asked WhatsApp to provide a sample of French users’ data transferred to Facebook but the company had explained it could not do so as it is located in the United States and “it considers that it is only subject to the legislation of this country.” Separately, Germany’s cartel office said on Tuesday it had found Facebook had abused its dominant market position, in a ruling that questioned the company’s model of monetizing the personal data of its users through targeted advertising.