Earlier this year, the Italian DPA closed its investigation into WhatsApp sharing data with
Facebook. The investigation started in August 2016, after changes to the “terms of service and privacy notice” by WhatsApp. Those changes were related to the sharing of some information about WhatsApp accounts — such as users’ phone numbers, device information, and “last seen” access — with Facebook for the following purposes: business analysis analytics, system security, and targeted advertising.
The investigation carried out by the Italian DPA and the results of the work of the Working Party 29 (WP29, currently the EDPB) showed that the ways in which WhatsApp has acquired consent for the transfer of data from Italian users to Facebook cannot be considered compliant with Articles 13, 23, and 24 of the Italian Privacy Code.
In particular, the communication of the change in the privacy notice was generic, not easy to understand, and the definition of the purposes was vague. As a result, consent cannot be considered expressly, specifically, and freely given. In fact, it was expressed through a model based on an opt-out principle. In addition, if a user did not accept the terms, interruption of the service would have been the only outcome.
For these reasons, the Italian DPA prohibits WhatsApp from sharing the data of users whose “consent” was obtained with the methods described above, and further prohibits Facebook to carry out any additional processing using these data.
Text of the DPA decision (in Italian) here.
Provided by: Hermes Center