The chair of the National Data Protection Commission (CNIL), France's privacy regulator, has ordered WhatsApp to stop transferring data to its parent company Facebook, within 30 days.
The CNIL says that transferring data between the services breaches French data protection laws. WhatsApp began sharing data with Facebook in August 2016 to assist with targeted advertising, security and business intelligence.
Shortly after WhatsApp announced that it would be sharing data in this way, the WP29 working group of CNIL requested that the company stop transferring data for advertising purposes, which Facebook agreed to.
Following an investigation, the regulator determined that the data of WhatsApp's 10 million French users had not been used for targeted advertising. However, it did identify ‘violations' of the French Data Protection Act.
While the use of users' data for security was deemed ‘essential to the efficient functioning of the application', the same does not apply to its use for business intelligence, said CNIL. In particular, the regulator objected to the fact that users' consent was not sought before using the data in this way, and there is no method to opt out short of uninstalling the app.
WhatsApp refused to supply a sample of French users' data that it had transferred to Facebook, explaining that it considers itself only subject to the laws of the USA, as it is based in that country. CNIL, which says that it should be involved ‘the moment an operator processes data in France', therefore determined that WhatsApp was in violation of its commitment to cooperate and issued formal notice to comply with the Data Protection Act within one month.
Formal notices like this are not sanctions; the regulator will take no further action against WhatsApp if it complies inside the specified time period. However, if WhatsApp continues to act as it has been doing, then CNIL could appoint an internal investigator, whose recommendations could include issuing sanctions.
A WhatsApp spokesperson told ZDNet: "Privacy is incredibly important to WhatsApp. It's why we collect very little data, and encrypt every message. We will continue to work with the CNIL to ensure users understand what information we collect, as well as how it's used.
"And we're committed to resolving the different, and at times conflicting concerns, we've heard from European Data Protection Authorities with a common EU approach before the General Data Protection Regulation comes into force in May 2018."
This is not the first such case against the messaging service. A German court upheld a similar order from the Hamburg data commissioner in April; and Facebook was fined €110 million by the European Commission in May for providing incorrect information during an investigation into its acquisition of WhatsApp.
And, yep, it'll run Android rather than RiscOS
US engineering giant's cost-cutting outsourcing plan is on the rocks, according to insiders
HP Envy X2 laptop only affordable if you've got loadsamoney
Counterfeit code-signing certificates enabling hackers to hide malware being sold by cyber criminals
Certificates can be used as part of layered obfuscation to evade detection by anti-virus software