WhatsApp: We won’t share your data with Facebook… for now


Author: Michelle Waknine


Following an investigation by the Information Commissioner’s Office (ICO), the UK’s data protection watchdog, WhatsApp has signed a public commitment not to share personal data (i.e. data which identifies individuals) with Facebook until data protection concerns are addressed.

Facebook acquired WhatsApp in 2014, and the ICO’s investigation commenced in August 2016 to address concerns being raised globally about possible inappropriate data sharing. This followed the publication of WhatsApp’s updated terms and conditions and privacy policy, which included various vague references to information being shared within the Facebook “family of companies”:

“We may use information… to help operate, improve, understand, customize, support, and market our Services and their offerings…Facebook and the other companies in the Facebook family may also use information from us to improve your experience within their services such as making product suggestions (for example, of friends or connections, or of interesting content) and showing relevant offers and ads”.

The ICO’s findings from the investigation were as follows:

  • WhatsApp has not identified a lawful basis of processing for any such sharing of personal data;
  • WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data;
  • in relation to existing users, such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained; and
  • if they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act.

WhatsApp has now signed an ‘undertaking’ in which it has committed to not sharing personal data with Facebook, until it is in a position to comply with the upcoming General Data Protection Regulation (GDPR) coming into force in May this year. The ICO has made clear that it will be closely monitoring WhatsApp’s adherence to the undertaking.

Elizabeth Denham, the Information Commissioner, is optimistic that the new legislation will be “good news for UK users of social media services” and will provide a stronger emphasis on transparency and accessibility of information for the public.

It will be interesting to see WhatsApp’s approach to tackling compliance with the GDPR, which imposes much tougher requirements surrounding the protection of personal data. In particular, the GDPR strengthens the rules on what constitutes ‘consent’. With fines of up to €20 million or 4% of companies’ global annual turnover for breach of the GDPR, all businesses handling personal data should, if they haven’t already done so, be considering whether the new rules apply to them and, if so, be taking compliance very seriously. It is the large-scale companies handling personal data, such as WhatsApp and Facebook, which may be stung the hardest in terms of fines, and it is likely that WhatsApp will be working hard on its compliance and introducing notable changes over the forthcoming months.

Michelle Waknine, Associate, Fladgate LLP (mwaknine@fladgate.com)

View by author:


Would you like to hear more?