France puts Facebook on notice over WhatsApp information transfers



Facebook and WhatsApp have been issued with formal notices by France’s data protection watchdog warning that data transfers being carried out for ‘business intelligence’ purposes currently lack a legal basis — and hence that Facebook Inc, WhatsApp’s owner, has violated the French Data Protection Act.

WhatsApp has been given a month to remedy the situation or could face additional investigation by the CNIL — and the potential for a sanction to be issued against it in future.

In August 2016 the social networking giant caused huge controversy when its messaging platform WhatsApp announced a privacy U-turn — saying it would shortly start sharing user data with its parent, Facebook, and Facebook’s network of companies, despite the founder’s earlier publicly stated position that user privacy would never be compromised as a result of the Facebook acquisition.

WhatsApp’s founder, Jan Koum, had also assured users that ads would not be added to the platform. However the data-sharing arrangement with Facebook included “ad-targeting purposes” among the listed reasons.

Users were offered an opt-out, though only a time-limited one — which also required that they actively read through the terms and conditions to find and uncheck a default-checked box to prevent information such as their mobile phone number being shared with Facebook for ad targeting (shared phone numbers enabling the company to link a user’s Facebook profile and activity with their WhatsApp account).

The company’s subsequent teeing up of a monetization strategy for WhatsApp, via the forthcoming launch of business accounts, likely explains the push to link users of the end-to-end encrypted messaging platform with Facebook users, where the same people have likely engaged in far more public digital activity — such as liking pages, searching for content, and making posts and comments that Facebook is able to read.

And that’s how a platform giant that owns multiple social networks is able to bypass the privacy firewall provided by e2e encryption and still be able to perform ad-targeting. (Facebook doesn’t need to read your WhatsApp messages because it has a granular profile of who you are, based on your multiple years of Facebook activity… And while business accounts don’t constitute literal ‘display ads’, in the traditional sense, they clearly open up plenty of targeting opportunities for Facebook to work with once it links all the user profiling data.)

In May this year Facebook was fined $122M by the European Commission for providing “incorrect or misleading” information at the time of the 2014 acquisition of WhatsApp — when it had claimed it could not automatically match user accounts between its own platform and WhatsApp. And then three years later it was doing exactly that.

In the European Union another twist to this story is that Facebook’s data transfers between WhatsApp and Facebook for ads/product purposes were quickly suspended — the CNIL confirms in its notice that Facebook told it the data of its 10M French users have never been processed for targeted advertising purposes — after local regulators intervened, and objected publicly that Facebook had not provided users with enough information about what it planned to do with their data, nor secured “valid consent” to share their information. Another bone of contention was the opt-out being time-limited to only a 30-day window.

However the CNIL’s intervention now is based on its continued investigation of the data transfers covering the two other areas Facebook claimed it would be using the WhatsApp user data for — namely security and “evaluation and improvement of services” (aka business intelligence).

And while the regulator seems satisfied that security is a valid and legal reason to transfer the data — writing that “it seems to be essential to the efficient functioning of the application” — business intelligence is another matter, with the CNIL noting the purpose here “aims at improving performances and optimizing the use of the application through the analysis of its users’ behavior”.

“The chair of the CNIL considered that the data transfer from WhatsApp to Facebook Inc. for this ‘business intelligence’ purpose is not based on the legal basis required by the Data Protection Act for any processing,” it continues. “In particular, neither the users’ consent nor the legitimate interest of WhatsApp can be used as arguments in this case.”

The watchdog asserts that user consent is “not validly collected” because it is not specified for this purpose (rather it is only listed as processing “in general”); it also says it is not ‘free’ — in the sense of users being able to refuse the transfer; with the only option if they do not consent being to uninstall the application.

“On the other hand, the company WhatsApp cannot claim a legitimate interest to massively transfer data to the company Facebook Inc. insofar as this transfer does not provide adequate guarantees allowing to preserve the interest or the fundamental freedoms of users since there is no mechanism whereby they can refuse it while continuing to use the application,” it adds.

Reached for comment, a Facebook spokesperson provided the following statement:

Privacy is incredibly important to WhatsApp. It’s why we collect very little data, and encrypt every message. We will continue to work with the CNIL to ensure users know what information we collect, as well as how it’s used. And we’re committed to resolving the different, and at times conflicting concerns, we’ve heard from European Data Protection Authorities with a common EU approach before the General Data Protection Regulation comes into force in May 2018.

The spokesperson failed to respond to specific questions we put to it about the WhatsApp data transfer activity in Europe. But did confirm that WhatsApp-Facebook data transfers for product/ads remain paused across the region.

In its formal notice to Facebook, the French watchdog sharply criticizes the company for failing to co-operate with its investigation — writing that its departments “repeatedly asked” WhatsApp to provide a sample of the French users’ data transferred to Facebook Inc only to be told that “it could not supply the sample requested by the CNIL since, as it is located in the United States, it considers that it is only subject to the legislation of this country”.

“The CNIL, which is competent the moment an operator processes data in France, was therefore unable to examine the full extent of the compliance of the processing implemented by the company with the Data Protection Act because of the violation of its obligation to cooperate with the Commission under Article 21 of the Act,” it writes.

It also criticizes WhatsApp for “insufficiently” co-operating with its investigation — saying it made it difficult to determine how data was being processed.

The CNIL adds that it decided to make the formal notice public in order to raise awareness of the “massive data transfer from WhatsApp to Facebook Inc and thus to alert to the need for individuals concerned to keep their data under control”.

It also makes a point of emphasizing that the data transfer has increased the volume of data the company has at its disposal — “including information about people who have not registered for the social network”. (The CNIL has previously ordered Facebook to stop tracking non-users.)

Featured Image: Erik Tham/Getty Images