Facebook is in the process of acquiring the WhatsApp mobile messaging service for a total of $19 billion. The two services have diametrically opposed business models. Facebook makes its revenue by selling advertising based on its knowledge of its users. WhatsApp makes its revenue by a subscription fee, eschews advertising, and promises to respect its users' privacy.
The privacy groups' complaint is twofold: that selling the service to Facebook amounts to a 'deceptive failure to represent "that WhatsApp’s governing principles of anonymity and privacy were subject to reversal;" and that it amounts to "unfair failure to adequately protect user data in the event of an acquisition." The concern is that Facebook will incorporate WhatsApp user data and start scanning WhatsApp messages (something WhatsApp does not currently do) in order to improve and expand its own targeted advertising revenue model.
The complaint argues that this possibility was never fairly presented to WhatsApp users, and that this failure amounts to deceptive practices. For its part, Facebook responded to the complaint by saying, "As we have said repeatedly, Whatsapp will operate as a separate company and will honor its commitments to privacy and security."
However, this is not a legal guarantee, and the complaint points to Facebook's earlier acquisition of Instagram. "When Facebook purchased Instagram in 2012, Instagram users were not subjected to advertisements based on the content they uploaded to the site," says the complaint. "After the acquisition, Facebook did in fact access Instagram users’ data and changed the Instagram Terms of Service to reflect this change." The concern is that something similar could happen with WhatsApp.
The privacy groups also argue that the acquisition implicates safe harbor compliance. The FTC, charged with overseeing the EU/US safe harbor arrangement, has already issued a settlement order on Facebook which prohibits the social network from misrepresenting the extent to which it participates in safe harbor. But Dutch and German data protection regulators have begun separate investigations into the data protection issues related to the acquisition. This is presented as a further argument that the FTC needs to investigate the acquisition itself.
EPIC is asking the FTC to investigate the acquisition to examine Facebook's ability to access WhatsApp user data, and to suspend the acquisition until this has been done. If it subsequently allows the merger to proceed, EPIC is asking the FTC to "insulate WhatsApp users’ information from access by Facebook’s data collection practices."
The FTC has not yet commented on the complaint. However, it separately announced yesterday that it had signed a memorandum of understanding with the UK's Information Commissioner "to promote increased cooperation and communication between the two agencies in their efforts to protect consumer privacy." The UK is not (yet, at least) one of the EU member states that has raised any queries over the WhatsApp acquisition. Nevertheless, the UK is bound by the same data protection directive that underlies the Dutch and German data protection laws. Their findings are not binding on the UK, but could be used to support any complaint made to the ICO. This new MoU between the FTC and the ICO can only increase pressure on the FTC to uphold EPIC's complaint.
Infosecurity asked the UK's ICO if it has any plans to investigate the WhatsApp acquisition, and was told, "We have no plans to investigate WhatsApp at this time."