German regulator acts to halt 'illegal' WhatsApp data collection
Germany's lead data protection regulator for Facebook said on Tuesday that it was taking action against the social network to prevent the collection of personal data from users of its WhatsApp messaging app.
The regulator in the city-state of Hamburg said that it had opened emergency proceedings against Facebook after WhatsApp earlier this year informed users that they would need to consent to new data terms or stop using the service.
"We have reason to believe that the data sharing policy between WhatsApp and Facebook is being impermissibly enforced due to the lack of voluntary and informed consent," said Hamburg's data protection officer Johannes Caspar.
Caspar, who leads domestic oversight of Facebook under Germany's federal system as its country office is in Hamburg, said he was opening a formal administrative procedure "to prevent an illegal mass exchange of data", with a view to reaching a decision before May 15.
A WhatsApp spokesperson said: “Our recent update includes new options people will have to message a business on WhatsApp, and provides further transparency about how we collect and use data.
"To be clear, by accepting WhatsApp’s updated terms of service, users are not agreeing to any expansion in our ability to share data with Facebook, and the update does not impact the privacy of their messages with friends or family."
The regulatory action opens a new front in Germany over Facebook's privacy policies, with the national antitrust regulator already waging a legal battle over data practices it alleges reflect an abuse of the social network's market dominance.
Since 2018, online privacy has been subject to a European Union rulebook, called the General Data Protection Regulation (GDPR). Under the GDPR, Ireland leads oversight of Facebook because the company's European headquarters is there.
Caspar said that he was seeking to impose a three-month freeze on WhatsApp's collection of user data, citing "extraordinary circumstances" foreseen in the GDPR. The measures can be extended by the European Data Protection Board, a forum that groups regulators from the bloc's 27 member states.