On 25 August 2016, WhatsApp announced that it was changing its
communications with businesses (e.g. potentially an airline could
inform you of delays via WhatsApp), to reflect its end-to-end
encryption and as it is going to be working more with Facebook to
improve tracking the frequency that users use services, to help
fight spam and to improve the friend suggestions and adverts that
Facebook provides. To continue using WhatsApp, users were asked to
users could withdraw this permission within a further 30 days.
A day later, the UK Information Commissioner's Office (ICO)
announced that it would look into these changes. Subsequently, the
Article 29 Working Party (a group of representatives from the data
protection authorities of each EU member) wrote to WhatsApp with
its concerns and, in Germany, Facebook has been ordered to stop
collecting and storing the data of German users of WhatsApp.
Update from the ICO
Elizabeth Denham (UK Information Commissioner at the ICO)
recently provided an update. The key points were that she thought
users lacked information on how Facebook would use the
valid consent had not been obtained from WhatsApp to share the
users should have continuing control over how their information
Whilst Facebook has agreed to stop using the data of UK WhatsApp
users temporarily (for the purposes of adverts or product
improvement), Facebook (and WhatsApp) has not agreed (so far) to
sign undertakings that it will provide this above information and
control to users. Ms Denham wrote that the ICO will continue
pressing this issue together with other European data protection
authorities and warned that Facebook may face enforcement action if
it does not have valid consent.
In the EU, personal data must be processed fairly and lawfully
and cannot be processed unless at least one of certain conditions
is met. One of these conditions is to obtain the freely given,
specific, unambiguous and informed consent of the person whose data
is being processed. Furthermore, personal data will not be
processed fairly unless, as far as practicable, the person has been
given certain information, including the intended purpose that the
data is to be processed for and any further information that may be
necessary in the circumstances so that the processing is fair. The
ICO is considering whether WhatsApp users were provided with
sufficient information and whether they gave sufficient
The fourth and final part of our mini-series on the draft ICO guidance on Consent, published on 2 March 2017, focuses on the practical impact the GDPR (General Data Protection Regulation) will have on how your organisation records and manages consent.
In light of the much anticipated ICO draft GDPR (the General Data Protection Regulation) Consent Guidance being published yesterday, 2 March 2017, we will be running a mini-series on the guidelines under consultation and the impact the GDPR will have on the much vexed position of consent and the impact on your business.
The first of our four discussions on the ICO guidelines for Consent will focus on the meaning of consent under the GDPR (General Data Protection Regulation) and how this change enhances the previous law on consent to data processing.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).