Facebook’s WhatsApp Privacy Changes Raise EU, U.S. Concernsby and
U.S. reviewing claim that change amounts to deceptive practice
Italy, U.K. to probe how data will be shared with Facebook
Facebook Inc. is coming under scrutiny in the U.S. and Europe for revisions to privacy policies for the free messaging service WhatsApp, which promised users those practices wouldn’t change when it was sold to the social networking company two years ago.
Last week, Facebook said it would start using data from the messaging app to allow advertisers to better target those users on Facebook and Instagram, in addition to allowing businesses to send messages to WhatsApp users directly. The policy shift may help WhatsApp generate revenue, but also could irk users drawn to its strong stance on privacy.
The U.S. Federal Trade Commission is reviewing a joint complaint from two consumer privacy groups filed Monday claiming that Facebook’s move violates federal law banning unfair and deceptive practices, a person familiar with the matter said. Earlier Monday, European Union regulators indicated that European users need to remain in charge of their personal data.
The Electronic Privacy Information Center and the Center for Digital Democracy said the policy changes violate an agency directive following Facebook’s acquisition of WhatsApp that the company must get opt-in consent from consumers. Instead, under Facebook’s new policy, the onus is on users to opt out of the data transfer, they said. The FTC declined to comment on the complaint.
Facebook is obliged to ask users for their permission to make any changes to its privacy practices under a 2011 settlement with the FTC, in which the agency accused Facebook of deceiving consumers by telling them they could keep their information private and then allowing it to be shared and made public. The agency has the power to levy fines if it finds Facebook violated that agreement.
"WhatsApp made a commitment to its users, to the Federal Trade Commission, and to privacy authorities around the world not to disclose user data to Facebook," Marc Rotenberg, president of EPIC, said in a statement. "Now they have broken that commitment."
After the sale to Facebook was announced in 2014, WhatsApp Chief Executive Officer and co-founder Jan Koum repeatedly said nothing would change with the company’s privacy practices.
“If partnering with Facebook meant that we had to change our values, we wouldn’t have done it,” Koum wrote in a blog post at the time.
WhatsApp’s changes are the first steps by Facebook toward making money from the platform since the social network paid $22 billion for the app. From the start, the transaction raised European regulators’ concerns about the collection of data from people’s contacts. A Dutch probe was closed last year after WhatsApp addressed concerns.
“Privacy-policy changes are followed with extreme vigilance” by EU and national data-protection regulators, the Article 29 Working Party, made up of the EU’s 28 privacy chiefs, said in a statement on Monday. “What’s key is that the individual keeps control over his data when these are combined by the big Internet players.”
WhatsApp said in a blog post announcing the changes on Aug. 25 that its users’ “encrypted messages stay private and no one else can read them. Not WhatsApp, not Facebook, nor anyone else” and that they “won’t post or share your WhatsApp number with others, including on Facebook, and we still won’t sell, share, or give your phone number to advertisers.”
The changes will connect users’ phone numbers with Facebook’s systems and allow it to “offer better friend suggestions and show you more relevant ads if you have an account with them,” according to the blog post. The new policy will also allow businesses to send messages to users, including appointment reminders, delivery and shipping notifications and marketing pitches.
In other European reaction, the Italian data-protection authority said the changes raise concerns for “the protection of the data of millions of citizens and numerous users of WhatsApp.” The U.K. Information Commissioner said in an Aug. 26 statement that its role is to “pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared.”