Facebook fined EUR 150,000 by French DPA for WhatsApp’s unlawful tracking

On May 16, 2017, the French, Belgian and Dutch members of the Data Protection Contact Group published the results of their investigations after WhatsApp issued its new privacy policy in August 2015, after joining Facebook. See here.

The DPAs all over the world watched the changes closely and several EU authorities initiated national investigations to verify, among others:

  • the quality of the information provided to users; and
  • the validity of consent and the processing of personal data for advertising purposes.

In France, the CNIL (Commission Nationale de l’Informatique et des Libertés) issued a sanction of 150,000 euros against Facebook for engaging in unlawful tracking. More information is available here (in French).

In Belgium, the Belgian Privacy Commission (Commissie voor de bescherming van de persoonlijke levenssfeer), issued new recommendations to the Facebook Group about its tracking of users. More information is available here.

In the Netherlands, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) assessed that the Facebook Group violated Dutch data protection law by giving users insufficient information about the use of their personal data. The Dutch DPA is currently assessing whether the other violations stopped after Facebook changed the way it uses this type of data. More information is available here.

In Germany (Hamburg), the Hamburg DPA (Hamburgischen Beauftragten für Datenschutz und Informationsfreiheit – HmbBfDI) issued two different orders relating to the Facebook Group but it postponed its decision on applicable law in view of a relevant judgment by the EUCJ (case C-210/16). More information is available here (in German).

In Spain, the Spanish DPA (Agencia Española de Protección de Datos – AEPD) opened two infringement procedures on Facebook’s privacy policy and terms of use. More information is available here (in Spanish).

The main question concerns the applicable law. According to the Facebook Group, only the Irish DPA is competent to supervise the processing of personal data of users of the service in Europe and only the Irish data protection law is applicable.

On the other side, the other national DPAs deem each to be competent under Article 4(1)a of the EU Data Protection Directive 95/46/EC. The activities of each of Facebook’s offices “are “inextricably linked” to the data processing by the Facebook Group, and all the investigated national offices are relevant establishments” according to the applicable EU data protection law.

The Common Statement by the Contact Group of the Data Protection Authorities of The Netherlands, France, Spain, Hamburg and Belgium is available at https://www.cnil.fr/fr/node/23602

For more information, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli.

Follow us on& Like us on