WhatsApp with the UK's new Information Commissioner? Thumbnail
Building Trust 30 November 2016

WhatsApp with the UK's new Information Commissioner?

By Robin WiltonDirector, Internet Trust

The UK’s Information Commissioner, Elizabeth Denham, has been in post just under four months, but already the differences between her approach and those of her two most recent predecessors (Richard Thomas and Christopher Graham) are starting to become clear. This may be due partly to the fact that she comes to the role with six years’ experience as the Information and Privacy Commissioner for British Columbia, whereas Thomas and Graham came, respectively, from legal practice and the BBC.

Recently, Denham posted an update on the first eight weeks of her team’s investigation into personal data sharing between WhatsApp and Facebook. The bottom line is this: she thinks consumers and their data are not being properly protected, and she offers the prospect of enforcement action if Facebook uses consumers’ data without consent. Here’s how she thinks Facebook is falling short of the legal requirements:

  • Subscribers are not properly protected, or properly informed about uses of data about them;
  • Facebook does not have valid consent for sharing personal data;
  • Users are not given sufficient control over data about them.

The Commissioner also highlights risk in a number of other areas:

  • “Free” services are not a licence for the service provider to do as they please with users’ data;
  • Vague terms of service don’t adequately protect the intimacy revealed by our online data;
  • Company mergers, and aggregation of the resulting data, create privacy risks that go beyond simple data protection.

The tone of the Commissioner’s post is firm but understated. It focuses on basic steps: inform users, get meaningful consent, give users proper control, and be transparent about terms and conditions. The Commissioner’s concerns echo those expressed by the wider group of European information commissioners, the Article 29 Working Group. The head of that group, Isabelle Falcque-Pierrotin, has expressed its concern that, following WhatsApp’s acquisition by Facebook, personal data is being used for purposes that were not included in the terms users signed up to.

Some may point out that, in strict legal terms, consent is just one of a number of valid grounds for the processing of personal data. My personal view is that there is no need for equivocation here. I don’t care (and neither should consumers) if consent isn’t the only basis for legal processing: if the end result is not what I signed up for, and it increases privacy risk, I should be made aware of that and given the option to say no.

The Commissioner has set out her position, simply and clearly. It will be interesting to see what the next eight weeks bring.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Building Trust 21 February 2020

NDSS 2020: The Best in Security Research – For the Good of the Internet

On 23 February, the 27th consecutive Network and Distributed System Security Symposium (NDSS) kicks off in San Diego, CA....

Building Trust 11 February 2020

Every Day Should Be Safer Internet Day

Safer Internet Day is an opportunity for people and organizations around the world to join forces in a series...

Building Trust 28 January 2020

This Data Privacy Day It’s the Little Things That Count

Today we’re celebrating Data Privacy Day, which is all about empowering people and organizations to respect privacy, safeguard data,...