New Information Commissioner, Elizabeth Denham, asserts her authority against Facebook and WhatsApp for sharing userâs personal data

The Information Commissioner’s Office (ICO) had been investigating WhatsApp and Facebook for the past two months, regarding the former sharing data about UK users with its parent company Facebook, following the merger.

The ICO had concerns that the WhatsApp privacy policy was in breach of data protection law and did not adequately inform people of how their personal data would be used.

WhatsApp was sharing personal data on their customers with Facebook for primarily advertising purposes.

WhatsApp users were able to opt-out but the option was hard to discover, hidden behind a ‘read more’ button. For those that accepted the terms and conditions, they were only able to opt-out, if they did so within 30 days.

WhatsApp users were not in control of how their personal data was going to be used and certainly were not informed.

The ICO have ruled that WhatsApp did not have valid consents from its users to share their personal data with Facebook.

In a blog on the ICO website Information Commissioner, Elizabeth Denham, said she believed that customers should be put in the driving seat regarding how their personal data is used and in this case that clearly did not happen.

As a result, Facebook have agreed to stop using personal data from UK WhatsApp users for advertising on Facebook.

The DMA believes that this is the right result as clarity for the consumer is of the utmost importance. The behaviour of WhatsApp clearly did not have the customer at its heart.

Elizabeth Denham said: “We have now asked Facebook and WhatsApp to sign an undertaking committing to better explaining to customers how their data will be used, and to giving users ongoing control over that information. We also want individuals to have the opportunity to be given an unambiguous choice before Facebook start using that information and to be given the opportunity to change that decision at any point in the future.”

She went on to threaten enforcement action against Facebook, if evidence arises that shows the company processing personal data without a valid consent to do so. Other data protection authorities across Europe are also investigating.

Welcome remarks that the DMA supports. Consumers should not be surprised by what happens with their data after they sign up to a service or buy a product. Organisations should always ask themselves whether their action would be in the reasonable expectations of the consumer, and make sure that they consider data protection before and after any merger.