The French privacy regulator, the National Commission of Computing and Freedoms (CNIL) has issued a formal notice on WhatsApp. It requires the Facebook company to stop personal data transfers to the parent company in the U.S. unless there is a legal basis for doing so. In particular, WhatsApp must obtain ‘user consent’ (within the meaning of European law) to gather and transfer that data.
It’s a busy time for privacy issues between the U.S. and Europe. CNIL published its notice on Tuesday. On the same day, the powerful German competition authority, the Bundeskartellamt (the Federal Cartel Office or FCO), warned Facebook that it “is abusing [its] dominant position by making the use of its social network conditional on its being allowed to limitlessly amass every kind of data generated by using third-party websites.”
Last week the European Commission filed an amicus curiae brief (PDF) with the United States Court of Appeals For the Second Circuit in the ongoing dispute between Microsoft and the U.S. government. Noticeably, this was in support of neither party, but was an attempt to ensure that the the U.S. court has a full understanding of the relevant European law — in this case, specifically the General Data Protection Regulation (GDPR).
The German FCO concern over Facebook is over the widespread collection of personal user data. In February 2017, the FCO declared that it would investigate Facebook. President Andreas Mundt said at the time, “Dominant companies are subject to special obligations. These include the use of adequate terms of service as far as these are relevant to the market. For advertising-financed internet services such as Facebook, user data are hugely important. For this reason it is essential to also examine under the aspect of abuse of market power whether the consumers are sufficiently informed about the type and extent of data collected.”
Now the FCO has stated, “The authority holds the view that Facebook is abusing this dominant position by making the use of its social network conditional on its being allowed to limitlessly amass every kind of data generated by using third-party websites.” At the heart of the concern is the inadequate informed consent of the user in allowing personal data collection. Facebook claims that it is not a dominant company in Europe (it has more than 30 million active monthly users in Germany); and that it complies with European law.
In a subsequent investigation, WhatsApp told CNIL that French personal data had never been used for targeted advertising. However, CNIL determined that personal data was shared for business intelligence and security. “Thus,” says the CNIL statement, “information about users such as their phone number or their use habits on the application are shared.” While sharing data for security is not an issue, sharing for business intelligence “is not based on the legal basis required by the Data Protection Act for any processing.”
According to CNIL, any user consent to this data collection and sharing is neither free nor informed (“the only way to refuse the data transfer for ‘business intelligence’ purpose is to uninstall the application”). CNIL requested a sample of data that had been transferred, but this was refused by WhatsApp. The data concerned is now in the U.S., and WhatsApp apparently considers that it is only subject to the law of the U.S.
This refusal has been interpreted by CNIL as a breach of WhatsApp’s obligation to cooperate with the regulator under Article 21 of the Data Protection Act. It has consequently issued the formal notice requiring WhatsApp to comply with the Data Protection Act within one month.
Neither the CNIL notice nor the FCO statement can directly lead to sanctions against Facebook/WhatsApp. They can best be viewed as shots across the bow, which — if ignored — could lead to the full cannon power of European data protection being leveled against Facebook. Both statements being issued on the same day is a remarkable coincidence. Coming exactly one week after the European Commission used the GDPR-relevant Microsoft vs U.S. government court struggle to make sure that U.S. courts understand Europe’s point of view is also remarkable.
It could all be coincidence. But coincidence or not, Europe is warning the large American tech companies — and indeed, any company that trades with or within Europe — it is taking its data protection laws seriously. While existing sanctions could be funded out of the running costs of large companies, the potential for future GDPR sanctions of up to 4% of global turnover is not something that can be ignored. Any assumption that Europe will not be quick to enforce GDPR when it comes into force in May 2018 should be rejected.