European regulators demand halt to user data transfer by WhatsApp, and contact Yahoo over breach and spying issue

The WP29 European data protection group have issued a stark warning to WhatsApp and Yahoo over potential violation of Europe’s strict data protection rules.

The warning came in separate letters to both companies from the European Data Protection Authorities (the so called “Article 29 Working Party”).

This group is made up of data protection heads from each of the EU’s 28 nations.

WhatsApp has already been warned by a German data protection watchdog, the Hamburg Commissioner for Data Protection and Freedom of Information.

Last month it ordered Facebook to halt the collection and storage of data belonging to 35 million WhatsApp users in Germany.

This is because in August WhatsApp announced changes to its privacy policy so businesses could send users messages, and so Facebook could use phone numbers to serve up more relevant ads.

This drew a frosty response from the European data protection body, which addressed its letter to WhatsApp founder Jan Koum.

“According to the information which has been provided to users of the service, WhatsApp will share information within the ‘Facebook family of companies’ for a range of purposes that include marketing and advertising,” stated the European letter.

“These are not purposes which were included within the Terms of Service and Privacy Policy when existing users signed-up to the service. These changes have been introduced in contradiction with previous public statements of the two companies ensuring that no sharing of data would ever take place,” it said.

“The Article 29 Working Party (WP29) has serious concerns regarding the manner in which the information relating to the updated Terms of Service and Privacy Policy was provided to users and consequently about the validity of the users’ consent,” it said.

The body warned it would “act in a coordinated way and take actions” on the matter, and it urged the firm to halt data sharing.

“In order to avoid the possibility that the processing of personal data by WhatsApp or the Facebook family of companies is not compliant with EU legislation, WP29 urges Whatsapp not to proceed with the sharing of users’ data until the appropriate legal protections can be assured,” it said.

What will make this issue so galling to privacy campaigners is the fact that WhatsApp’s Koum has previously pledged to protect user’s privacy.

Facebook of course acquired WhatsApp back in early 2014 for a cool $19 billion (£11.4bn). That acquisition was a bumpy affair after two privacy groups officially complained to US regulators about the privacy implications of the acquisition.

At the time Koum denied claims the app would have to follow Facebook’s privacy policies. WhatsApp famously has never carried adverts and always had had a strong privacy slant.

Koum at the time also pledged he would not allow user data to be used for advertising.

Meanwhile it is understood that the regulator’s letter to Yahoo concerns the 2014 data breach the company reported only in September this year, as well as allegations that the company built a system that scanned customers’ incoming emails at the request of US intelligence services.

TechWeekEurope