WhatsApp may be the most popular messenger app, but its record makes it hard to trust. At first, WhatsApp nobly vowed never to share our data, not even with Zuckerberg and co. after the merger with Facebook. We were told that WhatsApp would remain autonomous, and Facebook reassured regulators that it wouldn't be possible to link Facebook and WhatsApp accounts, before proceeding to make that the default situation for users. After so many broken promises, maybe it's time to set some boundaries.
Across the Atlantic, Facebook's shenanigans have landed it in some hot water. Last May, the social media giant was fined €110 million by the European Commission for misleading regulators about its technical capacities of matching WhatsApp and Facebook users. Now, an investigation by the UK's Information Commissioner's Office (ICO) has reached a settlement with WhatsApp, barring the company from sharing data with Facebook until both companies comply with the EU's General Data Protection Regulation (GDPR).
The GDPR comes into full effect this May, and we're already seeing a positive effect when it comes to user privacy and control over the data we hand over to big tech companies.
Privacy in the UK
The ICO concluded that WhatsApp and Facebook can’t legally share user data at the moment. In an official statement by Information Commissioner Elizabeth Denham, the ICO clarifies that while there is not sufficient cause to fine Facebook in Britain, the investigation identified the following problems with WhatsApp:
WhatsApp has not identified a lawful basis of processing for any such sharing of personal data;
WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data;
In relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained;
I found that if they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act.
The ICO’s announcement mentions that Facebook is also under investigation from various other EU data protection authorities. Facebook is already banned from using WhatsApp user data in Germany and faces further investigation, and the French data protection authority (CNIL) has its own enforcement action against WhatsApp.
Is it time for the US to protect the data of its citizens?
Back in the USA, Facebook has faced only a comparatively soft touch from consumer protection agencies and trade regulation authorities. After Facebook acquired WhatsApp, the Federal Trade Commission (FTC) confronted the company with a...uh...strongly worded letter. Ok.
Facebook is already under a 20-year consent decree from the FTC (since 2012), related to earlier complaints about its privacy policies and misleading its users. Yet the decision to share data with WhatsApp hasn't met with the same pushback the social network faced in more privacy-conscious Europe.
The FTC seems to be content with WhatsApp's opt-out system for data sharing, in which the ability to opt-out of data collection is only valid for 30 days. A more pro-active opt-in system, supported by the European Commission, would give users more control by default.
As it stands right now, US users can still hope to benefit from the more far-reaching European measures, as companies like Facebook and Google are forced to adapt to maintain their position globally.
In the meantime, however it's not a great look when the US, a country that drives so much technological innovation, ends up relying on other countries to protect the users.
What do you think? Should the US follow suit and enforce privacy protections for consumers?