The Article 29 Working Party, a collection of EU-based data protection authorities, has written a public letter to WhatsApp CEO Jan Koum, reasserting its concerns with the company's consent mechanism for sharing EU citizens' data with parent company Facebook. Since announcing new data-sharing between the two organizations last year, WhatsApp has been under pressure from the EU. 

The letter may well be instructive for other privacy pros concerned about what the WP29 is looking for with regard to achieving informed consent from users. It also stresses that grounds for processing data under legitimate business interests is not a blanket provision, while pointing out the forthcoming consent obligations under the General Data Protection Regulation. 

The WP29 originally sent a letter to WhatsApp last December about changes to its privacy policy and terms of service. Though WhatsApp responded by publishing a specific "Notice for EU users" in its "Frequently Asked Questions" section last August, the new letter, which is dated Oct. 24, 2017, and signed by WP29 Chairwoman Isabelle Falque-Pierrotin, asserts WhatsApp's notice "does not ... sufficiently address the issues of non-compliance with data protection law." 

In particular, the WP29 points to what it calls "deficiencies in the consent mechanism employed by WhatsApp." Pierrotin states the notice does not provide satisfactory informed, freely given, specific, and unambiguous consent, all of which are mandated under the Directive 95/46. WhatsApp has said consent is the legal basis for sharing data with Facebook, but Pierrotin writes, "In particular, [the Directive 95/46] specifies that consent must consist of a statement or clear affirmative action, be demonstrable, clearly distinguishable, intelligible and easily accessible, use clear language and be capable of being withdrawn." 

Pierrotin pointed out that "the information presented to [WhatsApp] users was seriously deficient as a means to inform their consent." Though the Working Party "notes there is a balance to be struck between presenting the user with too much information and not enough, the initial screen [that users see] made no mention at all of the key information users needed to make an informed choice, namely that clicking the agree button would result in their personal data being shared with the Facebook family of companies." 

The letter also points out that WhatsApp was neither clear about what comprises "WhatsApp account information" nor what information will be shared with Facebook. 

The WP29 also takes issue with what it characterizes as the company's "take it or leave it" stance with its users. Since the company, along with Facebook, is "embedded into the digital lives of European citizens," its requirement for users to consent to continue using the service means, according to the WP29, "that consent could not be freely given by WhatsApp users in the absence of sufficiently granular user controls allowing for an appropriate level of control over the sharing of the data." 

The consent users provided is not specific enough either, according to Pierrotin's letter. She asserts that, according to the Working Party's Opinion 15/2011, "the definition of consent makes clear that a blanket consent without specifying the exact purpose of the processing is not acceptable, and that to be specific, consent should refer clearly to the scope and consequences of the data processing." WP29 also believes that citizens should be allowed the ability to "grant or withhold specific consent for the different purposes for which their data is shared" with the parent company. 

The letter also cites concerns with unambiguous consent, a concept that "must leave no doubt as to the data subject's intention to deliver consent." Notably, the WP29 takes issue with pre-ticked boxes for obtaining unambiguous consent. 

The overarching issue, according to the letter, is "that the processing of personal data must be fair. The lack of transparency and sufficient controls afforded to users indicates that the processing undertaken was not fair to users," and that WhatsApp's FAQs for EU citizens "does not remedy these issues." 

The WP29 also highlights the requirement for users to be able to withdraw consent, something that will be required under the forthcoming GDPR.  

Pierrotin's letter also confronts the "legitimate interests" for processing data under the current Directive and forthcoming Regulation. Here, she cites the WP29's Opinion 06/2014 on legitimate interests, "which explains this is bound by a necessity test and that '...this strictly limits the context in which they can apply.' ... Moreover, having an appropriate legal ground does not relieve the data controller of its obligations under Article 6 with regard to fairness, lawfulness, necessity and proportionality, as well as data quality." 

"The legitimate interest ground," the letter states, "cannot be relied upon to justify the general combination of user data across services within the Facebook family of companies without adequate user controls and safeguards." 

Ultimately, the letter cites requirements under the current Directive 95/46, but also warns about the impending additional requirements under the GDPR. This is certainly something that all companies doing business in the EU must consider.

To resolve the issue, which it considers as "a matter of upmost importance," the WP29 "encourages WhatsApp and Facebook to engage positively" with a task force that is chaired by the U.K's Information Commissioner's Office. 

Photo credit: stroganovaphoto whatsapp via photopin (license)