WhatsApp has been asked to handle the situation properly with a month or face additional investigation by CNIL - If WhatsApp fails to comply, a sanction maybe issued against it in the future.
"The company explained that it could not supply the sample requested by the CNIL since it is located in the US, it considers that it is only subject to the legislation of this (US) country," CNIL posted on its website late on Monday.
"As a result, the Chair of the CNIL decided to issue formal notice to the company WhatsApp to comply with the Data Protection Act within one month," it added.
In August 2016 the social networking giant caused massive controversy when its messaging platform WhatsApp announced a privacy U-turn — saying it would shortly begin sharing user data with its parent, Facebook, and Facebook’s network of companies, despite the founder’s prior publicly stated stance that user privacy would never be compromised as a result of the Facebook acquisition.
WhatsApp’s founder, Jan Koum, had also assured users that ads would not be added to the platform. However the data-sharing arrangement with Facebook included “ad-targeting purposes” among its listed reasons.
"While the security purpose seems to be essential to the efficient functioning of the application, it is not the case for the 'business intelligence' purpose which aims at improving performances and optimising the use of the application through the analysis of its users' behaviour," noted Chair of the CNIL.
The watchdog considered that the data transfer for "business intelligence" purpose is not based on the legal basis required by the Data Protection Act for any processing.
The watchdog considered that the data transfer for "business intelligence" purpose is not based on the legal basis required by the Data Protection Act for any processing.
In May this year Facebook was fined $122M by the European Commission for providing “incorrect or misleading” information at the time of its 2014 acquisition of WhatsApp — when it had claimed it could not automatically match user accounts between its own platform and WhatsApp. And then three years later was doing exactly that.
In the European Union another twist to this story is that Facebook’s data transfers between WhatsApp and Facebook for ads/product purposes were quickly suspended — the CNIL confirms in its notice that Facebook told it the data of its 10M French users have never been processed for targeted advertising purposes — after local regulators intervened, and objected publicly that Facebook had not provided users with enough information about what it planned to do with their data, nor secured “valid consent” to share their information. Another bone of contention was over the opt-out being time-limited to just a 30-day window.
However the CNIL’s intervention now is based on a continued investigation of the data transfers covering the two other areas Facebook claimed it would be using the WhatsApp user data for — namely security and “evaluation and improvement of services” (aka business intelligence).
And while the regulator seems satisfied that security is a valid and legal reason to transfer the data — writing that “it seems to be essential to the efficient functioning of the application” — business intelligence is another matter, with CNIL noting the purpose here “aims at improving performances and optimizing the use of the application through the analysis of its users’ behavior”.
“The chair of the CNIL considered that the data transfer from WhatsApp to Facebook Inc. for this ‘business intelligence’ purpose is not based on the legal basis required by the Data Protection Act for any processing,” it continues. “In particular, neither the users’ consent nor the legitimate interest of WhatsApp can be used as arguments in this case.”
The watchdog asserts that user consent is “not validly collected” because it is neither specified for this purpose (rather it is only listed as processing “in general”); it also says it is not ‘free’ — in the sense of users being able to refuse the transfer; with the only option if they do not agree being to uninstall the application.
“On the other hand, the company WhatsApp cannot claim a legitimate interest to massively transfer data to the company Facebook Inc. insofar as this transfer does not provide adequate guarantees allowing to preserve the interest or the fundamental freedoms of users since there is no mechanism whereby they can refuse it while continuing to use the application,” it adds.
The CNIL adds that it decided to make the formal notice public in order to raise awareness of the “massive data transfer from WhatsApp to Facebook Inc and thus to alert to the need for individuals concerned to keep their data under control”.
Follow my blog with Bloglovin
No comments:
Post a Comment