Facebook Inc has escaped a potential European Union ban on its use of WhatsApp customers’ data, but faces an investigation into new terms and services that have sparked outrage among consumer advocates.
The European Data Protection Council, a panel of EU authorities, said on Thursday that Facebook’s practices linked to WhatsApp data should be scrutinized “as a matter of priority” by the Irish privacy watchdog, the region’s main regulator.
“Given the high potential for violations in particular of the safety, security and integrity of WhatsApp” and other Facebook units, “EDBB considered this matter to require further prompt investigations,” the EU body said in a statement.
WhatsApp announced the policy changes in January, but had to delay introducing them until May, due to confusion and user reaction about the data the messaging service collects and how it shares that information with parent Facebook.
Earlier this week, consumer rights activists filed a complaint against WhatsApp for its allegedly “aggressive” introduction of a policy that remains “vague”.
In Thursday’s decision, the EDPB stopped imposing a temporary EU-wide ban on data access, as requested by Hamburg’s data privacy commissioner.
The German authority in May imposed a three-month ban order on Facebook to prevent it from collecting German user data from its WhatsApp unit, and asked European Union regulators to make a block-wide decision.
The Irish Data Protection Commission said in an emailed statement Thursday that the Irish Data Protection Commission “has already conducted an in-depth investigation into the WhatsApp privacy policy user’s encounter with material in the context of its transparency investigation.” A draft of its decision was sent to its EU counterparts in December, and it needs their approval before the investigation can be concluded.
This decision is currently stuck in EU dispute resolution procedures, as it has failed to gain the full support of all European data watchdogs.
The Irish authority said it would “take into account any appropriate regulatory follow-up as it identifies matters addressed in the EDPB decision that have not already been addressed” in the more advanced WhatsApp investigation. It added that it was also still working on a “separate complaint-based investigation” into the “legal basis on which WhatsApp relies for processing” and that “the investigation is also at an advanced stage.”
Under the EU’s General Data Protection Regulation, authorities have been given unprecedented powers to fine companies up to 4% of their annual sales. The rules also put in place a system that puts regulators based in the EU center of choice for a company responsible for overseeing them, raising tensions as the Irish office grapples with a mountain of investigations and colleagues elsewhere accuse it of being too slow.
The Irish Data Protection Commission has at least 28 investigations open into Silicon Valley giants, including Apple Inc and Google – all of which have an EU base in Ireland. The Facebook accounts of nine of these investigations and more are pending in the WhatsApp and Instagram business.
WhatsApp said it welcomed the decision not to extend the German regulator’s order across the European Union, saying it was “based on a fundamental misunderstanding regarding the purpose and effect of updating our Terms of Service.”
“We remain fully committed to providing secure and private communications for everyone and will work with the Irish Data Protection Commission as the lead regulator in the region to fully address the questions raised by the EDPB,” WhatsApp said.
Johannes Kaspar, Hamburg’s until recently data protection commissioner who had requested an EU-wide decision, said in an email that he regretted EDPB’s “lack of courage” for not seeing any urgency in this case despite the “high skepticism” he said about Facebook data processing. – Bloomberg