Following a statement from the UK data protection regulator, the Information Commissioner's Office (ICO), Facebook has paused its use of data coming from WhatsApp users in the UK. The move, announced in August 2016, has since come under the scrutiny of several data protection regulators in the EU, which are showing signs of a consistent approach over the protection of consumers' privacy. Regulators' grip is likely to get even tighter when the EU's General Data Protection Regulation (GDPR) comes into force.
OTTs can no longer hope to go unnoticed, and should do more to get ready for the GDPR
On November 8, 2016, Facebook announced its intention to "pause" its plan to use data coming from UK users of WhatsApp, following the intervention of the ICO. In September 2016, the ICO started an investigation into the approach taken by WhatsApp in sharing customer information with Facebook. Eight weeks later, the ICO concluded that consumers were not being given sufficient information about what Facebook plans to do with their data, and that WhatsApp did not have valid consent from users to share the information. The ICO also believes that users should be given ongoing control over how their information is used instead of a 30-day window, which is how much time users had to agree to the sharing of data through the updated version of WhatsApp; had they not agreed, the service would no longer have been available. It is worth noting that, following the ICO's statement, Facebook has not agreed to any permanent change.
Since WhatsApp and Facebook announced the data exchange in August 2016, the initiative has come under fire from multiple regulators in the EU. Most notably, in September 2016, the German data protection authority ordered Facebook to stop collecting data from WhatsApp users in the country. In October 2016, a statement was published by the Article 29 Working Party, the advisory body within the European Commission that groups together the data protection authorities of all EU member states. In the statement, concerns were raised about the validity of the consent and the effectiveness of control mechanisms for users to exercise their rights. WhatsApp was asked to provide the Article 29 Working Party with information about the type and source of data collected and shared and was urged to stop the transfer until the appropriate legal protections are assured.
All the regulatory activity around this case shows that OTTs (particularly the most popular ones) can no longer hope to go unnoticed when they change the terms and conditions for their users. In particular, it was enough to remind WhatsApp that it had committed not to change its privacy policies following Facebook's takeover of the company; this was also one of the conditions imposed by the US Federal Trade Commission to approve the merger in 2014.
However, the case also shows that regulators continue to intervene ex-post and are still struggling to ensure that online services come up with clear, user-friendly privacy policies from the outset. This could change when the EU's GDPR becomes valid at the end of 2017. At that point, companies will need to ensure that explicit consent has been obtained to collect and process personal data and will bear the burden of proof in showing that they have done it in the correct way. OTTs should consider getting ready for the GDPR before it comes into force because regulators' grip is likely to get tighter and tighter over time.
Luca Schiavoni, Senior Analyst, Regulation