France's data privacy watchdog is closely scrutinizing the messaging platform WhatsApp (opens in new tab) over how the company is breaking French privacy law by sharing user data with its parent company Facebook (opens in new tab).
CNIL, the French data protection authority, has given WhatsApp one month to comply with its order before it places sanctions on the company over obtaining and sharing user data with the social network without consumer consent.
Facebook purchased WhatsApp in 2014 and two years later the company said that it would begin to share user data from the messaging app with its social network. This raised concerns among European privacy watchdogs over whether or not the two companies would appropriately obtain consent from their users.
European privacy regulators then criticised WhatsApp this October for not resolving any of the concerns over the app sharing user data with Facebook despite previous warnings surrounding the issue. According to CNIL, WhatsApp had failed to obtain consent before it began sharing users' phone numbers with Facebook for “business intelligence” purposes. The French authority highlighted its concerns in a statement, saying:
“The only way to refuse the data transfer for “business intelligence” purpose is to uninstall the application.”
The regulator noted that transferring user data for security purposes was essential to the app's functionality but this did not apply to Facebook utilising that same data for “business intelligence” purposes aimed at improving the performance of WhatsApp.
A spokesperson for WhatsApp has responded to CNIL's claims over privacy concerns, saying:
“Privacy is incredibly important to WhatsApp. It’s why we collect very little data, and encrypt every message. We will continue to work with the CNIL to ensure users understand what information we collect, as well as how it’s used. And we’re committed to resolving the different, and at times conflicting, concerns we’ve heard from European Data Protection Authorities with a common EU approach before the General Data Protection Regulation comes into force in May 2018.”
Currently European data protection authorities can only levy small fines against businesses though is set to change next year when a new EU privacy law will allow them to impose fines of up to four per cent of a company's global revenue (opens in new tab).
Image Credit: Endermasali / Shutterstock