WhatsApp and Facebook in the spotlight due to infringement of data protection laws

On 2nd March 2018, the AEPD passed sentence to fine Facebook Inc. and WhatsApp Inc. 300,000 euros each. These fines were imposed because WhatsApp Inc. gave Facebook Inc. the personal details of users of the “WhatsApp” instant messaging service, and due to the treatment of this data by the latter in its capacity as the processor, without the authorisation of the owners of said data.

The AEPD believes that this is an infringement of Article 11 of the current Spanish Data Protection Act, according to which personal details may only be given to a third party following the consent of the interested party. Although Point 2 of this article sets forth a series of exceptions to the requirement of prior consent, this case does not fulfil any of them.

In accordance with Article 15 of the regulation implementing the Data Protection Act, when consent is requested for the processing of personal details within the framework of a contractual relationship (such as the one binding WhatsApp Inc. and the user of the app) for purposes not directly related to the contract, the affected party must be allowed to expressly refuse the processing or transferral of his or her details.

WhatsApp Inc. set up mechanisms to communicate the updating of its Service Terms and Conditions and Privacy Policy, and to gather the consent of new and existing “WhatsApp” users. However, the AEPD believes that full acceptance of the new Service Terms and Conditions and of the Privacy Policy must be given before the app can be used or installed on devices, in the case of new users. Therefore, this consent does not adapt to the regulation.

Moreover, the AEPD believed that the information relating to the recipients of the personal details, the purposes of transferral or the use to be made of the data by the assignees was inaccurate, inexact and confusing.