WhatsApp-Facebook Data-Sharing Transparency Under Review By EU DPAs
An old investigation in the European Union aimed at the transparency of data-sharing between Facebook and WhatsApp has moved towards resolution. Ireland’s Data Protection Commission (DPC) has confirmed that it has sent a draft decision to the European Union’s DPA at the end of last year.
This will trigger the draft review process by other DPAs. Prominence is required under the bloc’s General Data Protection Regulation (GDPR) for Facebook’s proposed settlement of the EU’s data supervisor before a decision is finalized.
The DPC’s draft WhatsApp decision was sent to other observers for review on December 24. This is supposed to be the only the second draft that the Irish watchdog has released cross-border.
The first similar case was an investigation into a Twitter security breach – which led to the company being fined USD 550,000 each month.
The WhatsApp case, the recent backlash regarding the update to its T&CS seems new, but it dates back to 2018, the year the GDPR began to take effect – and with Articles 12–14 of the GDPR. WhatsApp is related to compliance with Ireland.
The DPC said, “We were investigating WhatsApp Ireland’s compliance with GDPR Articles 12-14. This investigation on transparency has concluded and we have sent a draft decision to our fellow EU data protection authorities on December 24, 2020, to begin the GDPR co-decision making process. We are waiting for their comments. When the process is over and a final decision is issued, it will clarify the standard of transparency that WhatsApp hopes to convey by data protection authorities of European Union.”
The time between the release of the DPC’s Twitter draft and the final decision – after the other European Union won a majority from the DPA – was seven months. In the Twitter case, the German DPA suggested a penalty of USD 22 million.
Twitter’s case was relatively a data breach in the face of the complex business of evaluating transparency. So the final decision on WhatsApp is also unlikely to come soon. There are clearly enough differences between DPAs over GDPR.
WhatsApp has been facing many problems with regards to transparency in recent weeks, creating a huge concern over the privacy implications of a misleading mandatory update, which allowed users to alternatively migrate to other chat platforms like Signal and Telegram.
The backlash led to WhatsApp announcing that it is delaying imposing new terms for three months. Last week, Italy’s Data Protection Agency also issued a warning over the lack of clarity in T & Cs saying that it allowed for emergency EU legislation.
DPC’s deputy commissioner Graham Doyle said, “Updates made last week by WhatsApp are about providing clearer, more detailed information to users about how and why they use the data. WhatsApp has confirmed there has been no change in data-sharing practices in the European region or in the rest of the world arising from these updates. However, DPC has received many questions from stakeholders who are confused and concerned about these updates. WhatsApp confirmed that they will delay the date of the update and users will be asked to review and accept the terms from February 8 to May 15. Meanwhile, WhatsApp will launch information campaigns to provide more clarity on how privacy and security work on the platform.”
Europe’s record of enforcing a lot of Europe’s own data protection laws against tech giants is a major weak point of regulation, there are signs that increased user awareness and privacy concern is causing a shift in the balance of power in favor of users.
Europe is coming up with prior regulations for platform giants, which will place more obligations on how they can operate – to combat abusive/unfair trade practices and promote competition in digital markets purposefully.