Facebook banned from gathering WhatsApp users' data in Germany
Facebook has been told that it cannot collect WhatsApp users' data in Germany after the messaging app updated its terms last month to allow information sharing with its parent company.
Regulators expressed fears that the policy changes could infringe on WhatsApp users' privacy by giving Facebook access to their phone numbers, as well as information about their phones and operating systems.
Responding to such concerns, a German regulator has ordered Facebook to stop collecting WhatsApp data and delete all of the information that has already been transferred from the messaging app to the social media giant.
"It has to be the 35 million WhatsApp users in Germany's decision whether they want to connect their account with Facebook," said Johannes Caspar, the data protection commissioner for Hamburg. "Facebook has to ask for their permission in advance. This has not happened." When Facebook bought WhatsApp in 2014 for $19 billion (£14.7bn), the deal came with an assurance from both companies that they wouldn't share their users' data. To some regulators, the recent amendment that lets WhatsApp share user information and analytics with Facebook breaks that promise.
The Hamburg watchdog, which acts for the country, said the companies had been "misleading" and, in doing so, infringed on Germany's data protection law. It also said Facebook didn't acquire legal permission to collect the information.
The amount of data potentially available to Facebook through the new agreement is "cause for concern", according to the Hamburg regulator.
WhatsApp asks users for permission to access their contacts when they first download the app so they can start conversations with people they know. This automatically lets the app see the names and numbers of all of their contacts, even those who don't use WhatsApp.
Facebook hasn't traditionally had access to this raft of information as it doesn't require contacts permission, and has only more recently started asking for it.
"According to Facebook, this gigantic amount of data has not yet been collected. Facebook's answer - that this has merely not been done for the time being - is cause for concern that the gravity of the data protection breach will have a much more severe impact," said Caspar.
The US Federal Trade Commission warned that WhatsApp and Facebook could have violated its guidelines with the changes, while the UK Information Commissioner's Office said it was investigating the matter.
Elizabeth Denham, the UK commissioner, said at the time of the changes: "Organisations do not need to get prior approval from the ICO to change their approaches, but they do need to stay within data protection laws. We are looking into this.
"Our role is to pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared, and protecting consumers by making sure the law is being followed."
The watchdog is yet to release any more information about whether Facebook has violated data protection laws in the UK.
A spokesman for Facebook said: "Facebook complies with EU data protection law. We will work with the Hamburg DPA in an effort to address their questions and resolve any concerns."
The social media giant said the changes, which are part of its plans to put WhatsApp and Facebook users in touch with businesses, would improve user experience by helping fight spam and refine friend recommendations on Facebook. It also assured users their phone numbers wouldn't be shared publicly on Facebook or with advertisers.
As WhatsApp messages are end-to-end encrypted, neither WhatsApp nor Facebook can read the contents of users' messages. WhatsApp can, however, tell who users are communicating with and for how long, as well as the type of phone and operating system they're using.