WhatsApp-Facebook data-sharing transparency under review by EU DPAs after Ireland sends draft decision – TechCrunch

A long-running investigation in the European Union focused on the transparency of data-sharing between Facebook and WhatsApp has taken the first major step towards a resolution. Ireland’s Data Protection Commission (DPC) on Saturday confirmed that it has sent a draft decision to the European Union’s DPA at the end of last year.

This will trigger the draft review process by other DPAs. Prominence is required under the bloc’s General Data Protection Regulation (GDPR) for Facebook’s proposed settlement of the European Union’s data supervisor before a decision is finalized.

The DPC’s draft WhatsApp decision, which it told us was sent to other observers for review on 24 December, is only the second draft that the Irish watchdog has released in cross-border GDPR cases.

The first case to undergo this process was an investigation into a Twitter security breach – which led to the company being issued an A. Fined $ 550,000 last month.

WhatsApp case may seem very timely, given Recent backlash for update of T&CS, But it is actually the date of 2018, the year the GDPR began to come into force – and concerns WhatsApp Ireland’s compliance with Articles 12–14 of GDPR (which determines how data subjects should be provided information , Whose information is being processed) are able to exercise their rights).

In a statement, the DPC said:

“As you know, the DPC is investigating WhatsApp Ireland’s compliance with Articles 12-14 of GDPR in terms of transparency, which includes information on what transparency has been shared with Facebook since 2018. Is performed. DPC is temporarily on. This investigation was concluded and we sent a draft decision to our fellow EU data protection authorities on December 24, 2020 to begin the GDPR co-decision making process. We are waiting to receive their comments. On the decision of this draft.

“When the process is complete and a final decision is issued, it will clarify the standard of transparency that WhatsApp hopes to convey by the data protection authorities of the European Union,” he said.

Ireland has extra Ongoing GDPR investigation Other aspects of the tech giant’s business, including complaints filed May 2018 EU privacy rights, not for profit, Noib (So-called ‘forced consent’). In May 2020 The DPC said the separate investigation was in the decision-making stage – but it has not yet confirmed sending a draft decision for review.

It is also notable that the time between the release of the DPC’s Twitter draft and the final decision – after the other European Union won a majority from the DPA – was about seven months.

Twitter’s case was relatively straightforward (a data breach) in the face of the more complex business of evaluating ‘transparency’. So the final decision on WhatsApp is unlikely to come in a Swifter resolution. There are clearly enough differences between DPAs as to how the GDPR should be implemented across the block. (In the Twitter case, for example, the German DPA suggested a penalty of $ 22M vs. Ireland’s initial offer of a maximum of $ 300k). However there is some hope that GDPR enforcement of cross-border cases will accelerate as DPAs gain experience with the various mechanisms and processes involved in making these co-decisions (even if major conceptual gaps remain).

Returning to WhatsApp, the messaging platform has had a lot of problems with transparency in recent weeks – creating a lot of unwanted attention and concern over the privacy implications of a misleading mandatory update to its T&CS, which allowed users to alternate migration to chat platforms Has made major contributions to, such as The hint And Wire.

Backlash announced WhatsApp Last week It delayed implementing the new terms for three months. Italy’s Data Protection Agency also released last week Warning Lack of clarity in T&CS – asserting that it could interfere using the emergency procedure allowed by EU legislation (which would be in addition to the ongoing DPC process).

On the WhatsApp T&CS dispute, DPC deputy commissioner Graham Doyle told us that the regulator had received “several questions” from confused and worried stakeholders, which he said led to a re-engagement with the company. The regulator previously obtained a commitment from WhatsApp that “there is no change in data-sharing practices in the European region or the rest of the world”. But later it was confirmed that it would delay in implementing the new conditions.

“Updates made last week by WhatsApp are about providing clearer, more detailed information to users about how and why they use the data. WhatsApp has confirmed to us that there has been no change in data-sharing practices in the European region or in the rest of the world arising from these updates. However, DPC has received many questions from stakeholders who are confused and concerned about these updates, ”said Doyle.

“We engaged with WhatsApp on the matter and they confirmed to us that they will delay the date by which people will be asked to review and accept the terms from 8 February to 15 May. Meanwhile, WhatsApp will launch information campaigns to provide more clarity on how privacy and security works on the platform. We will continue to connect with WhatsApp on these updates. “

However, there is no doubt that Europe has a record of enforcing its very abusive data protection laws against tech giants. A major weak point of regulation, Are signs that raise the user’s awareness of rights and, more broadly, concern for privacy, is causing a shift in the balance of power in favor of users.

Proper privacy enforcement is still lacking, but Facebook is being forced to put a T&CS update on ice for three months – as its business is subject to ongoing regulatory scrutiny – suggesting that the platform Giants are able to move fast and break things in vain.

Likewise, for example, Facebook recently Delay in launching dating feature in Europe Whereas it consulted with DPC. It is also limited in the data that can be shared between WhatsApp and Facebook due to the existence of GDPR – So still can’t Share data for ad targeting and product enhancement purposes, also under the new target.

Meanwhile, Europe is Platform is coming with pre-rules for veterans There will be further constraints on how they can work – aimed at combating abusive / unfair business practices and competition in digital markets.