German data watchdog bans Facebook from using WhatsApp users' data

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has banned Facebook today from processing WhatsApp user data for the next three months.

The order issued today by the HmbBfDI, one of Germany’s data protection commissioners, comes after WhatsApp said that it will slowly restrict account features for users who refuse to give up control of their data and have it shared with Facebook companies starting May 15th, 2021.

With last week’s policy update, WhatsApp backpedaled on a previous decision that gave users a jarring ultimatum to delete their accounts if they don’t agree to share their data with Facebook.

Three-month ban on using WhatsApp user data

“The order is intended to safeguard the rights and freedoms of the many millions ofusers who approveto the terms of use throughout Germany,” Dr. Johannes Caspar, the head of Hamburg’s data protection agency, said today. “The aim is to prevent disadvantages and damage associated with such a black-box procedure.”

The announcement comes after the data watchdog started urgent proceedings last month with the goal of issuing an order under GDPR guidance to stop Facebook from collecting and processing any data from WhatsApp users for their own purposes.

Hamburg’s data regulator head also wants to extend the emergency ban imposed on Facebook’s WhatsApp data processing capabilities by asking the European Data Protection Board (EDPB) to make it a binding order at the European level.

However, as the German data watchdog said, its request to Ireland’s Data Protection Commission (DPC) (the lead European supervisory authority) “for an investigation into the actual practice of data sharing was not honoured so far.”

Despite Facebook’s three-month data processing freeze order, WhatsApp will continue pushing its new privacy changes asking users to choose between limited account functionality and accepting to share their data with Facebook.

“As the Hamburg DPA’s claims are wrong, the order will not impact the continued roll-out of the update,” a WhatsApp spokesperson told Reuters.

“We remain fully committed to delivering secure and private communications for everyone.”

WhatsApp policy updates deemed misleading

As detailed in the German data protection agency’s order [PDF], the new policy changes WhatsApp is currently pushing onto its userbase expand the company’s data processing powers concerning:

  • the processing of location information,
  • the transfer of communication data of users to third-party companies explicitly with reference to Facebook,
  • the additional purpose of ensuring the integrity of the services, and the cross-company verification of the account in order to use the service in an “appropriate manner”
  • the use of data to connect with products from Facebook companies

WhatsApp’s new policy provisions on data transfer are confusing, misleading, and contradict themselves, making it hard for users to grasp the actual consequences of agreeing to the new terms the data regulator found.

Also, WhatsApp can share its users’ data with Facebook companies for product improvement and advertising purposes according to the new provisions.

However, as the HmbBfDI data watchdog also discovered, some WhatsApp users’ data, including phone numbers and device identifiers, are already being shared with Facebook for “network security and to prevent spam from being sent.”

“The data protection scandals of recent years, from ‘Cambridge Analytica’ to the recently disclosed data leak that affected more than 500 million Facebook users, show the extent and threats of mass profiling,” Caspar added.

“The order now issued relates to the further processing of WhatsApp user data and is directed at Facebook. The worldwide criticism against the new terms of service should give reason to fundamentally rethink the consent mechanism once again.”