European privacy watchdogs have warned WhatsApp over sharing user information with parent company Facebook, and cautioned Yahoo over a 2014 data breach and scanning of customer emails for US intelligence purposes.
The popular messaging service's recent change in privacy policy to start sharing users' phone numbers with Facebook – the first policy change since WhatsApp was acquired by Facebook in 2014 – has attracted regulatory scrutiny in Europe.
The independent body composed of the European Union’s 28 data protection authorities said in a statement it had requested WhatsApp stop sharing users’ data with Facebook to avoid falling foul of EU data protection law.
WhatsApp’s new privacy policy involves the sharing of information with Facebook for purposes that were not included in the terms of service when users signed up.
The body known as the Article 29 Working Party (WP29) said it had “serious concerns” regarding the manner in which the information relating to the updated terms of service and privacy policy was provided to users, and consequently about the validity of the users’ consent.
It told WhatsApp it was of “the utmost importance” that the company communicate “all the available information”.
“This includes not only but specifically information on the exact categories of data (eg names, telephone numbers, email, postal address, etc) and the source of such (eg data from the users’ phones or data already stored on company servers) as well as a list of recipients of the data and the effects of the data transfer on the users and potential third persons.”
A spokeswoman for WhatsApp said the company was working with data protection authorities to address their questions.
“We’ve had constructive conversations, including before our update, and we remain committed to respecting applicable law,” she said.
Separate inquiry
The Italian antitrust watchdog on Friday also announced a separate inquiry into whether WhatsApp obliged users to agree to sharing personal data with Facebook.
Facebook has had run-ins with European privacy watchdogs in the past over its processing of users’ data. However, the fines that regulators can levy are paltry in comparison to the revenues of the big US tech companies concerned.
The EU data protection authorities also wrote to Yahoo over a massive data breach that exposed the email credentials of 500 million users, as well as its scanning of customers’ incoming emails for specific information provided by US intelligence officials.
Yahoo said it was aware of the letter and would work to respond as appropriate.
The data protection authorities asked Yahoo to communicate all aspects of the data breach to the EU authorities, to notify the affected users of the “adverse effects” and to co-operate with all “upcoming national data protection authorities’ enquiries and/or investigations”.
“The reports [about email scanning] are concerning to WP29 and it will be important to understand the legal basis and justification for any such surveillance activity, including an explanation of how this is compatible with EU law and protection for EU citizens,” the WP29 body said in its letter to Yahoo.
The regulators will discuss the Yahoo and WhatsApp cases in November.
– (Additional reporting: Reuters)