In 2014, WHATSAPP was acquired by FACEBOOK, Inc. On 25 August 2016, it published online a new version of the terms of use and confidentiality of its application, advising users of the now systematic transmission of their personal data to FACEBOOK, Inc.
It was specified that this transmission had two purposes in particular, "business intelligence" and security. Users thus had the choice between refusing, their access to the application thus being blocked, or accepting unconditionally.
The Article 29 Working Party[1] or WP29, alerted by these changes, was quick to ask WHATSAPP to provide it with further information regarding said changes and demanded immediate suspension of all targeted advertising. Furthermore, it instructed its "Enforcement Subgroup" to coordinate future investigations by national authorities and in particular those of the National Data Protection Commission (hereafter, CNIL)
Throughout November 2016, the WP29 carried out inspections online and by questionnaire and summoned WHATSAPP to a hearing.
Through these various inspections, CNIL found that no information related to the processing of personal data established by WHATSAPP was present on the form to create an account in the application and that consent collected from old and new users concerning the transmission of their data to FACEBOOK, Inc. was not free.
With these findings, CNIL then urged WHATSAPP to send it samples of French users’ data sent to FACEBOOK, Inc.
WHATSAPP only replied that it did not use French users’ data targeted advertising purposes and categorically refused to disclose further information to CNIL, considering itself subject only to US law.
Also, on 18 December 2017[2], given WHATSAPP’s non-compliance with its obligation to cooperate with CNIL (1.) and the violations related to data processing that it implements (2.), CNIL publicly put WHATSAPP on notice to comply with the law within one month (3.).
1. French law being applicable, WHATSAPP committed a violation of its obligation to cooperate with CNIL.
Article 5, Section I, Clause 2 of the Data Protection Act provides that the processing for which the data controller is subject to“ the data controller, although not established on French territory or in any other Member State of the European Union, uses means of processing located on French territory, (…)”, which the WP29 confirmed in its Directive no. 8/2010 of 16 December 2010 by the WP29[3].
In this case, it is undeniable that WHATSAPP collects personal data by means of processing facilities located in France, since the messaging service offered through its application intended in particular to be installed on mobile terminals located, inter alia, in France (see language of use and setting options specific to France) and allows collection of a lot of data related to the identity of users (name, telephone number, photographs, etc.) WHATSAPP is therefore indeed subject to the French Data Protection Act, in its amended version[4].
Now, repeatedly, CNIL has asked WHATSAPP to provide it with contractual or non-contractual documents governing the exchange of data between WHATSAPP and the recipient companies of said data as well as all data sent by WHATSAPP to FACEBOOK, Inc. for a sample of one thousand users in France.
WHATSAPP responded to these requests by indicating that it did not understand the nature of the documentation requested, or that sending the desired sample faces legal difficulties, or even that the requested documentation is subject to strict confidentiality rules, as such it could not send the data.
These elements of response illustrate the insufficiency, not to say, the absence of cooperation by WHATSAPP with CNIL, demonstrating a failure of the obligation to cooperate with CNIL in accordance with Article 21 of the aforementioned Data Protection Act[5].
2. CNIL found a lack of legal basis for the data processing implemented
The various investigations carried out confirmed the use of said data was limited to the sole purposes of security and business intelligence, which aroused the concerns of the Working Group 29 and CNIL. For if the security objective is essential for the proper functioning of the application, which is acceptable, this is not the case of the so-called “business intelligence” purpose aimed at “improving the performance of the application and optimising its operation”, which according to the words used by CNIL in its notice on 18 December last, does not rely on any of the legal bases listed in Article 7 of the Data Protection Act[6].
Firstly, concerning the argument of the free and specific consent of the person concerned, invoked by WHATSAPP, it is not valid in this case.
Indeed, according to Directive no. 15/2011 of 13 July 2011 by WP29 “the consent can only be valid if the person concerned is really in a position to make a choice (…) and if there are no important consequences should they not give consent” and specifically “if the consequences of the consent undermine the freedom of choice of the persons, the consent is not free”.
In this case, users were notified about the transmission of their data, but the manifestation of their will cannot be described as free, in so far as the only means they have to oppose it is to uninstall the application and thus completely give up its use.
Moreover, and as WP29 mentioned in its aforementioned directive, the consent must be specific, “In other words, a general consent, without specifying the exact purpose of the processing, is not acceptable. Consent must be given on the different, clearly defined aspects of the processing. (…) Indeed, it cannot be regarded as covering all legitimate purposes pursued by the data controller”.
In this case, users consent in a general manner to the terms of use and the confidentiality policy before installing the application. The consent delivered concerns not only the data processing by WHATSAPP, but also its processing by FACEBOOK, Inc. for the additional purposes in which the improvement of its service belongs. Consequently, consent for the transmission of data is not specific.
Failing to be free and specific, the users' consent was therefore not appropriately received.
Secondly, in regards to the legitimate interest of the data controller cited by WHATSAPP, it must be appreciated not only as such but also in the interest of the data subject and their fundamental rights and freedoms, “which the interest of the data controller cannot undermine”. It therefore concerns the proportionality of data processing in regards to its purposes.
In this case, the data of the WHATSAPP application users is sent to FACEBOOK, Inc. even when the latter do not have a FACEBOOK account. As CNIL stressed in its decision last 27 November "this means that the data of these persons is sent to another data controller with which they have no connection".
Furthermore, in its Notice n. 06/2014 of 09 April 2014, the WP29 stresses concerning the legitimate interest that "must be taking into account in the balance of interests the supplementary guarantees implemented by the data controller in order to prevent any unjustified incident for the persons concerned".
However, as CNIL rightly noted, “a contrary mechanism based on the definitive deletion of an account does not ensure a fair balance between the interest of the company and the interest of the data subjects in that it deprives the person of the use of a service”.
In the present case, it is clear that the purpose of “business intelligence” does not seem essential for the proper functioning of the application and that it is WHATSAPP and not its users who benefit chiefly from the transmission of data. The patent imbalance between the "massive" data processing by a single actor for purposes not precisely defined necessarily leads to a considerable imbalance which should be rectified by development of an effective contrary mechanism for the benefit of the user.
In conclusion, the absence of free and specific consent by the users, even though the legitimate default interest of WHATSAPP constitutes a lack of obligation for any data processing to satisfy one of the legal bases listed in Article 7 of the Data Protection Act.
3. On 18 December 2017, CNIL issued formal notice to WHATSAPP to comply with the law within a period of one month
On 18 December last, the CNIL President issued formal notice to WHATSAPP to comply with the law within a period of one month, a decision that the CNIL Chair, after internal consideration, made public.[7].
If some saw in this decision a penalty, CNIL stated that in the interests of transparency in regard to users, the objective was primarily to alert users of the WHATSAPP application and to “allow them to keep control over their data”. It is also likely that the insufficient or non-existent nature of the cooperation of WHATSAPP throughout the investigations conducted by CNIL is not unrelated to this decision.
CNIL stated however that this decision cannot constitute a penalty insofar as WHATSAPP complies with the law within the prescribed time, the proceedings will be closed and its closure also made public. Failure to comply within the time limit, CNIL shall appoint a rapporteur to suggest to the Commission's restricted formation in order to impose one of the penalties provided for in Article 45 of the Data Protection Act (pronouncement of a warning, a pecuniary sanction, an injunction to cease the processing and a withdrawal of the authorisation granted, etc.).
[1] WP29 includes all of the European CNILs.
[2].https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000036232595&fastReqId=1869831892&fastPos=2
[3] “When a data controller knowingly collects personal data, even incidentally, using means located in the EU, the Directive applies”.
[4] Act n. 78-17 of 6 January 1978 in its amended version.
[5] Furthermore, Article 21 of the Data Protection Act 21 of law no. 78-17 of 6 January 1978 provides that “the (…) managers of public or private companies, heads of various groups and, more generally, the owners or users of personal data processing or data files of personal nature may not oppose the action of the commission or its members and must, on the contrary, take all necessary measures in order to facilitate the task”.
[6] Article 7 of the Data Protection Act no. 78-17 of 6 January: “Processing of personal data must have the consent of the data subject or meet one of the following conditions:
1 - Compliance with a legal obligation incumbent on the controller;
2 - Safeguarding the life of the person concerned;
3- Execution of a public service for which the controller or recipient is entrusted with the processing;
4 - Execution of either a contract to which the data subject is party, or pre-contractual measures taken at the request of that party;
5 - The fulfilment of the legitimate interest pursued by the controller or the recipient, subject to not disregarding the interest or fundamental rights and freedoms of the person concerned. "