What’s up with WhatsApp (and Facebook)?

In the beginning…

In 2014 Facebook bought WhatsApp (for $19 billion!). Why? Because WhatsApp was well on its way to having 1 billion users – and Facebook wanted to have access to those. Fine, but what’s this got to do with data protection? Well, on 29 December 2012, WhatsApp had posted a blog entitled ‘Why we don’t sell ads’. The blog said:

‘At WhatsApp, our engineers spend all their time fixing bugs, adding new features and ironing out all the little intricacies in our task of bringing rich, affordable, reliable messaging to every phone in the world. That’s our product and that’s our passion. Your data isn’t even in the picture. We are simply not interested in any of it’.

That was then but this is now

But, (you just knew there was this ‘but’ coming, didn’t you?), about a couple of years later, (on 25 August 2016 to be precise), WhatsApp announced it would be changing its privacy policy to enable it to share its users’ personal data with Facebook. Shock! Horror!

To say this caused a bit of a backlash, (at least from data protection regulators), would be an understatement. On 27 September 2016, the German data protection authority ordered WhatsApp to stop sharing data with Facebook immediately and ordered Facebook to delete all data it had already received. The same month the ICO issued a statement saying:

“The changes WhatsApp and Facebook are making will affect a lot of people. Our role is to pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared, and protecting consumers by making sure the law is being followed. We are looking into this.”

Then, in November 2016 the ICO said that it didn’t think WhatsApp had got valid consent from users to share their information and that if Facebook started using the data it might face enforcement action.

Which means

For any business, one of its most important assets is its database of customers’ personal data. When businesses merge, that data becomes an asset that is bought and sold. In fact, there are many occasions when businesses are bought primarily for this data.

But, (did you see this rather big ‘but’ coming too?), although that data can be bought and sold, it doesn’t necessarily follow that it can be used, at least as intended, by the buyer. Much, in fact nearly all, depends on what the privacy policy of the business that is being bought says. What does yours say? Err… you do have a privacy policy, don’t you…?

So, anyway, it turns out that those pesky privacy policies are rather more important than many businesses seem to think. Maybe whenever a business is bought and sold the buyer should check it out (do due diligence on it). Just sayin’.

Maybe Mark (Zuckerberg) will do that next time?


This article is intended for informational purposes only, so please don’t rely on it as legal advice!

And finally…

We believe that data protection is about protecting people and that the four elements of data protection are trust, transparency, privacy and security. If you agree and like this page please feel free to share it.