Facebook Purchase of WhatsApp Raises German, Dutch, Art. 29 Privacy Concerns

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jabeen Bhatti and Stephanie Bodoni  

Feb. 24 --The recent multibillion-dollar acquisition of mobile phone messaging application WhatsApp by Facebook Inc. raises privacy concerns over the possible merging of WhatsApp user data with that of Facebook, Thilo Weichert, data protection commissioner for the state of Schleswig-Holstein, told Bloomberg BNA Feb. 24.

Merging user data is a practice strictly regulated by German data protection laws, he said.

“The mixing of data is strictly regulated by German law, especially through the Telemedia Act and the Federal Data Protection Act,” Weichert said. “Both acts rely on the principle of purpose binding, that data stored for one purpose cannot be processed for any other purposes--there are no such restrictions in the U.S.”

Facebook announced in a Feb. 19 statement that it is acquiring the 450-million client WhatsApp for approximately $16 billion, as well as an additional $3 billion in stocks.

The Article 29 Working Party, the European Commission's data protection advisory body, and the data protection authority of the Netherlands are also considering the privacy implications of the WhatsApp deal.

Abandon WhatsApp?

Weichert expressed concern in a Feb. 20 statement that personal data from both Facebook and WhatsApp would be merged and commercially exploited for advertising purposes.

The Facebook acquisition has significant relevance in terms of data protection because some users of WhatsApp had switched to the service to escape the “data behemoth” that is Facebook, Weichert said in the statement. He urged WhatsApp users to leave the service and instead seek more privacy-friendly alternatives.

“Those for whom the confidentiality of private communications is worth something, should rely on trustworthy services,” he said. “These should be companies with an effective data protection regime and transparent technical safeguards such as end-to-end encryption, such as those offered by the Swiss providers Threema or myEnigma,” he said in the statement

WhatsApp data wasn't previously used for commercial purposes, he said. He noted that WhatsApp data weren't stored for long, “whereas Facebook on the contrary stores data for a long time for profiling purposes.” The “fear” is that Facebook's data retention will be applied to WhatsApp data, he said.

He said the Facebook takeover would also make it easier for the U.S. National Security Agency to access WhatsApp user communications data.

Too Early to Gauge Consequences

Jörg Hladjk of Hunton & Williams LLP, in Brussels, told Bloomberg BNA Feb. 24 that from a data protection authority's perspective, Weichert's concerns are valid.

“I also think it's probably a bit early to gauge the consequences of such a deal. There are a high percentage of users of WhatsApp in Europe and so there is potential for further investigation by the authorities in Europe and particularly in Germany,” he said.

Germany's Telemedia Act allows companies to produce user profiles but only under specific circumstances, he said.

The statute allows service providers to profile users “for the purposes of advertising, market research or in order to design the telemedia in a needs-based manner,” but only if the profile is “based on pseudonyms” and only if “the recipient of the service does not object.”

“The mixing of data is strictly regulated by German law, especially through the Telemedia Act and the Federal Data Protection Act.”  


Thilo Weichert, Data Protection Commissioner,
German State of Schleswig-Holstein

Hladjk said the legal provision on profiling is unique to German law, although it is being discussed as part of negotiations for the proposed European Union data protection regulation.

German or Irish Law?

The acquisition is also likely to reignite the debate over whether German or Irish data protection law applies to Facebook, Hladjk said.

On Feb. 14, 2013, the Schleswig-Holstein Administrative Court ruled against the Schleswig-Holstein Data Protection Authority, finding that Irish data protection law, rather than German law, was applicable to Facebook Ireland Ltd because data from the EU and the rest of the world--outside of the U.S. and Canada--are processed on servers located in Ireland (12 PVLR 1915, 11/11/13).

A German regional court has, however, ruled that having a subcontractor working within Germany was sufficient to find that Facebook USA had a “significant presence” in Germany (see related report).

A spokesman for Facebook told BNA Feb. 24 that WhatsApp would “continue to operate independently and would honor its current policies and commitments to user privacy and security.”

Art. 29, Dutch Concerns

Jacob Kohnstamm, who heads the Dutch DPA, told Bloomberg News Feb. 24 that the regulator is investigating data protection issues related to Facebook's takeover of WhatsApp.

The Art. 29 Party, which includes representatives from the 28 EU member states, may also look into the matter, Kohnstamm, who until Feb. 27 was the chairman of the Art. 29 group (see related report), said.

The risk with such a large database of consumer information is that “it is tempting to use” the information for a completely different purpose than that for which it was collected, he said.


To contact the reporter on this story: Jabeen Bhatti in Berlin at correspondents@bna.com; Stephanie Bodoni in Luxembourg at sbodoni@bloomberg.net

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Request Bloomberg Law Privacy and Data Security