In 2014, the company WHATSAPP was acquired by the company FACEBOOK Inc. On 25 August 2016, the company WHATSAPP released a new version of its Terms of Service and Privacy Policy for its application WhatsApp. It is explained that from now on, its users’ data are transferred to the company FACEBOOK Inc. for three purposes: targeted advertising, security and evaluation and improvement of services (“business intelligence”).

Following this update, the WP29 (group of European CNIL) requested explanations from WHATSAPP on the processing implemented on the occasion of this data transfer and asked the company to stop this transfer for targeted advertising purpose. The WP29 also mandated its subgroup in charge of the cooperation on investigations and sanctions (“enforcement subgroup”) to coordinate actions of the authorities planning to conduct investigations.

It is in this context that the Chair of the CNIL decided, in order to verify the compliance of the processing implemented by WHATSAPP with the Act, to carry out online inspections, to send a questionnaire to the company and then to summon it to a hearing,

The CNIL was informed by the company that the data of its 10 Million French users have actually never been processed for targeted advertising purposes.

However, the investigations found violations of the French Data Protection Act.

A violation of the obligation to have a legal basis for the processing operations implemented

It was observed that the company WHATSAPP actually transfers data concerning its users to the company FACEBOOK Inc., for “business intelligence” and security purposes. Thus, information about users such as their phone number or their use habits on the application are shared.

While the security purpose seems to be essential to the efficient functioning of the application, it is not the case for the “business intelligence” purpose which aims at improving performances and optimizing the use of the application through the analysis of its users’ behavior.

The Chair of the CNIL considered that the data transfer from WHATSAPP to FACEBOOK Inc. for this “business intelligence” purpose is not based on the legal basis required by the Data Protection Act for any processing.

In particular, neither the users’ consent nor the legitimate interest of WHATSAPP can be used as arguments in this case.

Indeed, on the one hand, the consent is not validly collected because:

it is not specific to this purpose – when installing the application, users must accept that their data are processed for the messaging service, but also, in general, by FACEBOOK Inc. for accessory purposes such as the improvement of its service;

it is not free – the only way to refuse the data transfer for “business intelligence” purpose is to uninstall the application.

On the other hand, the company WHATSAPP cannot claim a legitimate interest to massively transfer data to the company FACEBOOK Inc. insofar as this transfer does not provide adequate guarantees allowing to preserve the interest or the fundamental freedoms of users since there is no mechanism whereby they can refuse it while continuing to use the application.

A violation of the obligation to cooperate with the Commission

The CNIL departments repeatedly asked WHATSAPP to provide a sample of the French users’ data transferred to FACEBOOK Inc. The company explained that it could not supply the sample requested by the CNIL since, as it is located in the United States, it considers that it is only subject to the legislation of this country.

The CNIL, which is competent the moment an operator processes data in France, was therefore unable to examine the full extent of the compliance of the processing implemented by the company with the Data Protection Act because of the violation of its obligation to cooperate with the Commission under Article 21 of the Act.

As a result, the Chair of the CNIL decided to issue formal notice to the company WHATSAPP to comply with the Data Protection Act within one month.

The Chair of the CNIL and the two vice chairs decided to make this formal notice public in order to ensure the highest level of transparency on the massive data transfer from WhatsApp to Facebook Inc. and thus to alert to the need for individuals concerned to keep their data under control.

This decision also results from the fact that the company WhatsApp insufficiently cooperated with the CNIL which couldn’t fully control the compliance of the processing carried out, when it contributes to the increase in the amount of information Facebook Inc. has at its disposal, including information about individuals who have not registered for its social network.

For the record, the CNIL wishes to state that formal notices are not sanctions and no further action will be taken if the company complies with the Act within the specified timescale, in which case the notice proceedings will be closed and this decision will also be made public.

Should WHATSAPP fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act issue a sanction against the company.