The French regulator noticed that WhatsApp was sharing user data like phone numbers to Facebook for "business intelligence" reasons. When it repeatedly asked to see the data, Facebook said that it is stored in the US, and "it considers that it is only subject to the legislation of the country," according to the CNIL. The regulator countered that any time data is gathered in France, it becomes the authority in charge.
France said that while the notice was issued to Facebook, it's also meant to advise users that this "massive data transfer from WhatsApp to Facebook" was taking place. "The only way to refuse the data transfer for 'business intelligence' purposes is to uninstall the application," it adds.
WhatsApp cannot claim a legitimate interest to massively transfer data to the company Facebook Inc. insofar as this transfer does not provide adequate guarantees allowing to preserve the interest or the fundamental freedoms of users since there is no mechanism whereby they can refuse it while continuing to use the application.
"We will continue to work with the CNIL to ensure users understand what information we collect, as well as how it's used," Facebook told Engadget. "And we're committed to resolving the different, and at times conflicting, concerns we've heard from European Data Protection Authorities with a common EU approach before the General Data Protection Regulation comes into force in May 2018."
Facebook is also in trouble in Germany, where the competition authority accused it of transferring user data in an "abusive" way to third party sites. The cartel office (FCO) said Facebook was exerting its "market dominant" position to gather excessive amounts of data, the Financial Times reports. "From the current state of affairs we are not convinced that users have given their effective consent to Facebook's data tracking and the merging of data into their Facebook account," said FCO head Andreas Mundt.
As Facebook noted in its comment, new EU data protection rules will kick in next year, and they will have a lot more bite. Privacy violations can be fined up to four percent of a company's global turnover, which is in the case of Facebook, is a hell of a lot. In the meantime, France's CNIL commission said that Facebook has 30 days to comply with the ruling or it will face an investigation and possible sanction.
Update: Facebook's full statement to Engadget about the WhatsApp data privacy issue is below.
Privacy is incredibly important to WhatsApp. It's why we collect very little data, and encrypt every message. We will continue to work with the CNIL to ensure users understand what information we collect, as well as how it's used. And we're committed to resolving the different, and at times conflicting concerns, we've heard from European Data Protection Authorities with a common EU approach before the General Data Protection Regulation comes into force in May 2018.