A pan-European privacy watchdog has expressed serious concerns over WhatsApp sharing users’ personal data with Facebook and asked it to cease data processing until the end of its investigation. It also warned Yahoo over a 2014 data breach.
Recent changes in WhatsApp’s privacy policy allowing it to “share information within the ‘Facebook family of companies’ for a range of purposes that include marketing and advertising” have become a source of “serious concern,” Article 29 Working Party (WP29), a pan-European privacy watchdog composed of representatives of the national data protection authorities and the European Commission, wrote in a letter sent to the messenger company and published on Thursday.
It noted in particular that the initial terms of service and privacy policy rules of WhatsApp signed by the existing users of the service did not include any such provisions.
The watchdog went on to say that the new rules were introduced “in contradiction with previous public statements of the two companies ensuring that no sharing of data would ever take place,” adding that the manner in which users were informed about the change raises serious concerns about “the validity of the users’ consent.”
The privacy regulator then demanded that the company communicate “all available information” concerning the change as well as “not to proceed with the sharing of users’ data until the appropriate legal protections can be assured.”
It also added that it will take action to clarify the points of concern and ensure compliance of WhatsApp policy with EU law.
The change in privacy policy allowing WhatsApp to share user data with “the Facebook family of companies” was the first change in policy after Facebook bought the messenger, Reuters reports.
A WhatsApp spokeswoman told journalists that the company was closely working with the data protection authorities on these issues. “We’ve had constructive conversations, including before our update, and we remain committed to respecting applicable law,” she said.
Meanwhile, WP29 also sent a letter to Yahoo expressing its “deep concern” over the 2014 data breach that exposed the personal data of at least 500 million users, as well as over Yahoo scanning customer emails for US intelligence.
The privacy watchdog urged Yahoo to “notify the adverse effects” of the breach to users and to communicate all aspects of the incident to EU authorities, as well as to “cooperate fully with any enquiries made and/or investigations conducted by independent national [data protection authorities].”
Addressing the issue of personal data scanning for intelligence purposes, the WP29 asked Yahoo to provide information concerning “the legal basis and justification for any such surveillance activity, including an explanation of how this is compatible with EU law and protection for EU citizens.”
Yahoo has not yet issued any comments on the issue. Earlier, it called a report on the company’s scanning of customers’ incoming emails “misleading.”
The privacy regulator also said that it will review both the WhatsApp and Yahoo issues at the first meeting of its enforcement subcommittee in November.
European privacy watchdogs have already probed big US tech companies like Facebook, Google, and Microsoft over privacy issues.
In late September, German authorities ordered Facebook to stop collecting and storing data from WhatsApp, citing digital privacy concerns. In July, France demanded that Microsoft stop collecting private user data, and threatened the company with fines of up to €150,000 ($163,770).
In April, European privacy watchdogs demanded changes in the EU-US Privacy Shield agreement aimed at allowing companies to transfer EU citizens’ data across the Atlantic, stressing that they are not satisfied with the level of personal data protection.