Matthew B. Welling

ICO investigating into Facebook and WhatsApp Data Sharing Plans; Germany and France publish joint action plan against encryption; PrivacyShield now covering 200 U.S. companies.

UK DPA investigating into Facebook and WhatsApp Data Sharing Plans

The United Kingdom’s Information Commissioner (‘ICO’) is taking a closer look into WhatsApp’s plan to share more user data with parent company Facebook for the purposes of targeted advertising.

According to a recent WhatsApp blog post, WhatsApp has changed its Privacy Policy on August 25. This move will allow the company to share further personal information, in particular the mobile phone numbers of its users, with parent company Facebook. According to information published earlier this week, users should have 30 days to decide whether they want to receive targeted advertising, but they should not be allowed to object the data sharing as such.

Actually, the new approach of WhatsApp is not such a big surprise, as similar concerns had already been raised in the debate around the acquisition of WhatsApp by Facebook. However, the European Commission had explicitly made clear that the assessment of privacy issues does not fall within its competence as a Competition authority, and approved the merger.

Germany and France publish joint action plan against encryption

On August 23, 2016, the German ministry of internal affairs (‘BMI’), in cooperation with the French ministry of the interior, has published a position paper proposing several measures which should lead to an increased level of security in Europe, in particular in the light of the recent attacks of Islamic terrorists in France and Germany.

In particular, the paper suggests that telecommunication providers should assist in the fight against terrorism by enabling investigations into encrypted communications between terrorists, while at the same time maintaining a high level of digital privacy for EU citizens. The ministers urge the Commission to discuss a potential bill that might oblige providers of communication services to remove illegal content or decrypt messages, if needed. How the plan should be carried out in practice, however, does not become entirely clear and even the French and German ministers do not seem to be on the same line yet.

The French-German action plan is not the only anti-terrorism measure that might raise concerns from a Privacy point of view. About 2 weeks earlier, the German ministry had already published another paper, announcing its plans to extend data preservation, video surveillance and the use of biometric data for national security purposes.

PrivacyShield now covering 200 U.S. companies

Almost 1 month after the official launch of self-certifications under the newly concluded “EU-U.S. Privacy Shield” (‘Privacy Shield’), the new framework for data transfers from Europe to the U.S., about 200 U.S. companies have been approved as successfully self-certified under the new mechanism.

The International Trade Administration (‘ITA’) of the U.S. Department of Commerce (‘DoC’), which is responsible for checking whether the self-certification forms have been filled in correctly by the companies, has so far been able to process 90 subscription requests, which relates to a total of 200 companies including additional covered entities.

The predecessor to ‘Privacy Shield’, the former “U.S.-EU Safe Harbor Framework” (‘Safe Harbor’), had been invalidated by the European Court of Justice in October 2015, based on a complaint of Austrian lawyer Max Schrems against Facebook. Before its invalidation, the old framework had covered EU-U.S. data transfers of more than 4,400 U.S. companies.