Facebook and WhatsApp have been issued with formal notices by France’s data protection watchdog warning that data transfers being carried out for ‘business intelligence’ purposes currently lack a legal basis — and consequently that Facebook Inc, WhatsApp’s owner, has violated the French Data Protection Act.

WhatsApp has been given a month to remedy the situation or could face additional investigation by the CNIL — and the potential for a sanction to be issued against it in future.

In August 2016 the social networking giant caused massive controversy when its messaging platform WhatsApp announced a privacy U-turn — saying it would shortly begin sharing user data with its parent, Facebook, and Facebook’s network of companies, despite the founder’s prior publicly stated stance that user privacy would never be compromised as a result of the Facebook acquisition.

WhatsApp’s founder, Jan Koum, had also assured users that ads would not be added to the platform. However the data-sharing arrangement with Facebook included “ad-targeting purposes” among its listed reasons.

Users were offered an opt-out, but only a time-limited one — which also required they actively read through terms & conditions to find and uncheck a default-checked box to prevent information such as their mobile phone number being shared with Facebook for ad targeting (shared phone numbers enabling the company to link a user’s Facebook profile and activity with their WhatsApp account).

The company’s subsequent teeing up of a monetization strategy for WhatsApp, via the forthcoming launch of business accounts, likely explains its push to link users of the end-to-end encrypted messaging platform with Facebook users, where the same people have likely engaged in far more public digital activity — such as liking pages, searching for content, and making posts and comments that Facebook is able to read.

And that’s how a platform giant which owns multiple social networks is able to circumvent the privacy firewall provided by e2e encryption to still be able to perform ad-targeting. (Facebook doesn’t need to read your WhatsApp messages because it has a granular profile of who you are, based on your multi-years of Facebook activity… And while business accounts don’t constitute literal ‘display ads’, in the traditional sense, they clearly open up ample targeting opportunities for Facebook to engineer once it links all its user profiling data.)

In May this year Facebook was fined $122M by the European Commission for providing “incorrect or misleading” information at the time of its 2014 acquisition of WhatsApp — when it had claimed it could not automatically match user accounts between its own platform and WhatsApp. And then three years later was doing exactly that.

In the European Union another twist to this story is that Facebook’s data transfers between WhatsApp and Facebook for ads/product purposes were quickly suspended — the CNIL confirms in its notice that Facebook told it the data of its 10M French users have never been processed for targeted advertising purposes — after local regulators intervened, and objected publicly that Facebook had not provided users with enough information about what it planned to do with their data, nor secured “valid consent” to share their information. Another bone of contention was over the opt-out being time-limited to just a 30-day window.

However the CNIL’s intervention now is based on a continued investigation of the data transfers covering the two other areas Facebook claimed it would be using the WhatsApp user data for — namely security and “evaluation and improvement of services” (aka business intelligence).

And while the regulator seems satisfied that security is a valid and legal reason to transfer the data — writing that “it seems to be essential to the efficient functioning of the application” — business intelligence is another matter, with CNIL noting the purpose here “aims at improving performances and optimizing the use of the application through the analysis of its users’ behavior”.

“The chair of the CNIL considered that the data transfer from WhatsApp to Facebook Inc. for this ‘business intelligence’ purpose is not based on the legal basis required by the Data Protection Act for any processing,” it continues. “In particular, neither the users’ consent nor the legitimate interest of WhatsApp can be used as arguments in this case.”

The watchdog asserts that user consent is “not validly collected” because it is neither specified for this purpose (rather it is only listed as processing “in general”); it also says it is not ‘free’ — in the sense of users being able to refuse the transfer; with the only option if they do not agree being to uninstall the application.

“On the other hand, the company WhatsApp cannot claim a legitimate interest to massively transfer data to the company Facebook Inc. insofar as this transfer does not provide adequate guarantees allowing to preserve the interest or the fundamental freedoms of users since there is no mechanism whereby they can refuse it while continuing to use the application,” it adds.

Reached for comment a Facebook spokesperson provided the following statement:

Privacy is incredibly important to WhatsApp. It’s why we collect very little data, and encrypt every message. We will continue to work with the CNIL to ensure users understand what information we collect, as well as how it’s used. And we’re committed to resolving the different, and at times conflicting concerns, we’ve heard from European Data Protection Authorities with a common EU approach before the General Data Protection Regulation comes into force in May 2018.

The spokesperson failed to respond to specific questions we put to it about its WhatsApp data transfer activity in Europe. But did confirm that WhatsApp-Facebook data transfers for product/ads remain paused across the region.

In its formal notice to Facebook, the French watchdog sharply criticizes the company for failing to co-operate with its investigation — writing that its departments “repeatedly asked” WhatsApp to provide a sample of the French users’ data transferred to Facebook Inc only to be told that “it could not supply the sample requested by the CNIL since, as it is located in the United States, it considers that it is only subject to the legislation of this country”.

“The CNIL, which is competent the moment an operator processes data in France, was therefore unable to examine the full extent of the compliance of the processing implemented by the company with the Data Protection Act because of the violation of its obligation to cooperate with the Commission under Article 21 of the Act,” it writes.

It also criticizes WhatsApp for “insufficiently” co-operating with its investigation — saying it made it difficult to determine how data was being processed.

The CNIL adds that it decided to make the formal notice public in order to raise awareness of the “massive data transfer from WhatsApp to Facebook Inc and thus to alert to the need for individuals concerned to keep their data under control”.

It also makes a point of emphasizing that the data transfer has increased in the amount of information the company has at its disposal — “including information about individuals who have not registered for its social network”. (The CNIL has previously ordered Facebook to stop tracking non-users.)