A German privacy regulator issued an order this week prohibiting Facebook from collecting user data on German WhatsApp users, calling the company’s actions misleading and in violation of the nation’s data protection law.
The move comes a few weeks after a recent WhatsApp policy change that said the company would begin sharing users’ data with its parent company, Facebook.
Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information, issued the administrative order (.PDF) on Tuesday, insisting Facebook immediately stop collecting and storing data on German WhatsApp users. The notice also orders the social media giant to delete any information its already received on users from WhatsApp.
Caspar said sharing of customer data is permissible only if the companies have established a legal basis for doing so, adding that Facebook has not gotten the consent of users. The commissioner reasons that it should be up to the 35 million WhatsApp users in Germany whether they want that data commingled with their Facebook data.
“It has to be their decision, whether they want to connect their account with Facebook. Therefore, Facebook has to ask for their permission in advance. This has not happened,” Caspar wrote.
Caspar goes on to say that there’s the possibility that data on people whose contact details were uploaded to WhatsApp, who may not have a connection a Facebook, could be harvested in the future.
In a prepared statement, a Facebook spokesperson said the company will work with Hamburg’s Data Protection Agency to sort through lingering issues.
“Facebook complies with EU data protection law. We will work with the Hamburg DPA in an effort to address their questions and resolve any concerns,” the statement reads.
Germany’s notice comes about a week after a handful of consumer privacy groups filed a letter with the FTC urging the commission’s chairwoman, Edith Ramirez, to halt WhatsApp’s data sharing plan.
The letter, signed by a dozen coalitions, Privacy Rights Clearinghouse and Demand Progress to name a few, called on Ramirez to investigate the company’s change in business practices. The letter rallied behind a complaint previously issued by the Electronic Privacy Information Center and the Center for Digital Democracy. In that complaint, filed at the end of August – shortly after WhatsApp’s announcement, both EPIC and the CDD said that WhatsApp’s proposed change would represent an unfair and deceptive trade practice.
WhatsApp, which was acquired by Facebook for $19 billion in 2014, announced in August that it would transfer some of its customers’ data, including phone numbers, to Facebook’s systems in order to offer better friend suggestions and more relevant ads.
The announcement was almost immediately met with widespread concern.
Elizabeth Denham, the UK’s Information Commissioner, said she would be looking into the proposed changes in August. The commission, an independent regulatory office that helps enforce the UK’s Data Protection Act, said that companies should be transparent with the public with regards to how their personal data is shared.
India’s Delhi High Court weighed in on the move five days ago, ordering WhatsApp to delete data of users who opted out before September 25 – when the policy came into effect. The court also asked WhatsApp not to share data belonging to users who aren’t opting out of the policy that was collected before September 25.
Both Caspar’s notice and the letter from EPIC and CDD point out that WhatsApp is retreading on promises the company made to the public following its acquisition. At the time both Facebook and WhatsApp said their data privacy practices would not change and that they wouldn’t share data.