After an injunction from the UK’s Information Commissioner’s Office (ICO), WhatsApp has said that it will no longer share personal data with its parent company, Facebook, until the upcoming EU General Data Protection Regulation (GDPR) rules can be met.
The popular mobile messaging app, which the social network acquired for $19 billion in 2014, had reserved the right to share user information across the Facebook family of properties (which also includes Instagram) for the purposes of advertising targeting, marketing, making “suggestions” (such as who to follow on social media) and cybersecurity. Now it has signed an “undertaking” with the ICO, committing not to share such user information for these or any other purposes until it can guarantee compliance with the GDPR.
“People have a right to have their personal data kept safe, only used in ways that are properly explained to them, and for certain uses of their data, to which they expressly consent,” said Information Commissioner Elizabeth Denham in a blog. “This is a requirement of the Data Protection Act…WhatsApp has not identified a lawful basis of processing for any such sharing of personal data.”
Concerns about possible inappropriate data sharing have been raised by media reports, civil society groups and data protection authorities globally since at least 2016, as a result of Facebook and WhatsApp updating their terms and conditions and privacy policy to be able to share phone numbers and other data. Those concerns have not fallen on deaf ears: In addition to the UK’s ban, the issue has been seized upon by European Data Protection Authorities, and the Higher Administrative Court (OVG) Hamburg banned Facebook from using WhatsApp user data in Germany. The French data protection authority (CNIL) is in the process of bringing enforcement action against WhatsApp, and other EU data protection authorities also have ongoing investigations.
“At the heart of these concerns lies a desire for improved transparency, control and accountability at a time when personal data is ever more central to the business models of key players in the digital economy,” said Denham.
The move is seen as a win for UK consumers, who have expressed concern about not only marketing data being shared but also a potential lawful intercept provision in the service.
“For a public that is increasingly aware and concerned about its privacy rights but, perhaps, not so clear on how that privacy is eroded, the decision by WhatsApp to not share personal data with Facebook is a very welcome step,” said Lee Munson, security researcher at Comparitech.com, via email. “While the undertaking will need to be monitored in the future, especially when the General Data Protection Regulation comes into effect, it should have the desired effect of raising transparency and increasing trust with a public that may already be concerned about its own government’s desire to insert a backdoor into the popular chat app.”