The Hamburg Commissioner for Data Protection and Freedom of Information has issued an emergency order prohibiting Facebook Ireland Ltd using personal data from the group’s WhatsApp social media platform for its own purposes.

WhatsApp is asking users to agree a new privacy policy by 15 May which gives it the right to share data with Facebook, including connecting with products from Facebook companies.

A previously existing notice that WhatsApp messages are not shared on Facebook has been removed, according to the DPA, which says there is no legal basis for Facebook to process data from WhatsApp.

The DPA also argues consent is not freely given because WhatsApp demands acceptance of the new terms as a condition for continued use of the service.

Hamburg’s Commissioner Johannes Caspar said: “The order is intended to safeguard the rights and freedoms of the many millions of users who approve to the terms of use throughout Germany. The aim is to prevent disadvantages and damage associated with such a black-box procedure.”

He referred to recent data scandals such as Cambridge Analytica’s use personal information from Facebook users’ profiles and a data leak affecting 533m Facebook users show the extent and threat of mass profiling.

“This concerns fundamental rights and also the possibility of using profiling to influence voter decisions in order to manipulate democratic decision-making processes. With nearly 60m users of WhatsApp, the danger is all the more concrete in view of the upcoming federal elections in Germany in September 2021, which will create a desire to influence voters on the part of Facebook’s ad customers,” he said.

“The worldwide criticism against the new terms of service should give reason to fundamentally rethink the consent mechanism once again. Without user trust, no business model based on data can be successful in the long run,” Caspar commented.

The DPA also said: “The processing of WhatsApp users’ data is also not necessary for Facebook to perform a contract.

“The investigation of the new provisions has shown that they aim to further expand the close connection between the two companies in order for Facebook to be able to use the data of WhatsApp users for its own purposes at any time.”

Because the emergency order is only valid for three months under the EU’s General Data Protection Regulation (GDPR), the Hamburg DPA says it will bring the case to the European Data Protection Board (EDPB) for a binding decision at European level.

 

Topics