6. April 2016
WhatsApp is an online messaging service, that has grown into one of the most used applications, owned by Facebook. Messages, phone calls and photos are exchanged via WhatsApp by more than a billion people. Therefore, only Facebook itself operates a larger communications network.
This week was revealed that the company has added end-to-end encryption to every form of communication developed by a team of 15 of out of 50 overall employees for any person using the latest version of WhatsApp, so that all messages, phone calls and photos are encrypted. This regards any smartphone, from iPhones to Android phones to Windows phones. By encrypting end-to-end not even WhatsApp’s employees have access to the data sent through this communication network. This means that WhatsApp will not be able to comply with a court order demanding the disclosure of the content of messages, phone calls and photos sent by using its service.
This way of encryption has generally led to a public discussion between technology companies and governments. For example, in the UK, politicians have proposed banning this encryption so that companies should be forced to install “backdoors” in order to be able to disclose the content only to law enforcement.
12. February 2016
On the 8th February, the French DPA (CNIL) announced that it issued a formal notice in which it gives Facebook Inc. and Facebook Ireland Limited 3 months to comply with the French Data Protection Act.
After Facebook informed about changes in its privacy policy at the beginning of 2015, a group formed by the French, the Belgian, the Dutch, the Spanish and the DPA of the German Federal State of Hamburg carried out online and on site audits in order to find out if the updated privacy policy is compliant with the respective data protection legislations.
These audits revealed several incompliances with the French Data Protection Act regarding Facebook´s data processing activities:
- Facebook collects data of internet users that do not have a Facebook account by using cookies when these users visit a public Facebook page, such as public events or the page of a friend. As a result, the cookie provides Facebook with information about third-party websites with Facebook plug-in buttons, such as “like” button, that are visited by the user.
- Sensitive data such as religious beliefs or sexual orientation are also processed by Facebook without prior explicit consent of the account holders.
- Users are not informed in the sign up page about their rights as data subjects and the processing of their personal data.
- Cookies are also set up in the Facebook website without informing users properly and obtaining their consent.
- The company does not provide its users with tools to opt-out targeted advertising.
- Data transfers to U.S. take place on the basis of the Safe Harbor Decision, although it was declared invalid by the ECJ in October 2015.
According to CNIL, this formal notice is not a sanction. However, if Facebook fails to rectify these incompliances within 3 months, the matter will be referred to the CNIL´s Select Committee in order to impose the corresponding sanction.
These findings are also being analyzed by the Belgian, the Dutch, the Spanish and the the DPA of the German Federal State of Hamburg within a cooperation framework in order to act accordingly.
