Hamburg DPA orders WhatsApp to stop sharing data with Facebook; GAO: HHS Needs to Improve its Digital Health Protection Rules; Notice and Choice Becoming Par for the Course for Interest-Based Ads in Apps

German Data Protection Authority of Hamburg orders WhatsApp to stop sharing data with Facebook

On September 27, 2016, the Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg DPA) issued an order against WhatsApp to immediately stop the companies’ data-sharing plans. The order came shortly after a German consumer group, VZBW, had given WhatsApp an ultimatum until September 21, 2016 to stop sharing users’ mobile phone numbers with Facebook.

According to the press release of the Hamburg DPA, Facebook is prohibited, with immediate effect, from collecting and storing the data of German WhatsApp users and must delete all relevant data that has already been forwarded. The Hamburg DPA’s main accusation is that Facebook has neither obtained effective consent from WhatsApp users for the sharing of the data, nor does any other legal basis for receiving the data exist.

In the course of the acquisition of WhatsApp by Facebook in 2014, both companies had originally given assurances that they would not share data or lower the standards of WhatsApp’s strong privacy policy. In the authority’s view, the companies’ decision to do otherwise now constitutes “not only a misleading of their users and the public, but also […] an infringement of national data protection law.”

The order of the Hamburg DPA is limited to the data of German WhatsApp users. Nevertheless, other Member States’ data protection authorities can be expected to follow the German example, in particular should individuals raise complaints.

GAO: HHS Needs to Improve its Digital Health Protection Rules

Following a review of HHS, the US Government Accountability Office (GAO) instructed HHS to improve its security and privacy guidance. Specifically, the GAO admonished HHS for failing to ensure that its regulations are implemented properly and for not adequately addressing how covered entities should tailor their implementations to NIST standards. The GAO also criticized HHS for the technical assistance it provided to audited entities, writing that the “assistance was not pertinent to the identified problems.”

Covered entities can expect more clarity, more assistance, and more robust standards as a result of the GAO report. HHS is also likely to incorporate NIST standards into revised regulations. Government agencies have long been subject to NIST standards, and recently government contractors have been expected to adhere to NIST standards as well. Given the recent recommendations, it is likely HHS will follow this trend.

Notice and Choice Becoming Par for the Course for Interest-Based Ads in Apps

Recent actions by self-regulatory agencies and the FTC signal that notice and choice may now be required when app developers allow the collection of information for interest-based advertisements (IBAs) in mobile applications. The Council of Better Business Bureaus’ Online Interest-Based Advertising Accountability Program issued two decisions finding that mobile app developers must provide “enhanced notice,” in addition to (1) notice in a privacy policy and (2) notice in the application’s settings, when apps collect information for IBA purposes. Developers should provide this “enhanced notice” before a user downloads the app (for example, in the app store), during download, on first opening the app, or at the time that data is first collected.

The Accountability Program also made clear that developers should craft different forms of notice based on the type of information collected. It explicitly stated that when an app allows third parties to collect precise location data for IBA purposes, the app must specifically disclose that location data will be passed to third parties for IBA purposes. Additionally, the Accountability Program will review specific disclosure practices for other types of sensitive data collection, such as personal directory data, health data, and data for users under. This summer, the FTC also brought an enforcement action against a mobile advertising network for allegedly allowing third parties to collect location information by bypassing users’ location settings.

These actions show an increased interest in mobile privacy. Given this increased scrutiny, developers should examine (1) how and what information their apps collect, (2) whether the app authorizes third parties to collect this information, (3) when and how their apps notify consumers about data collected for IBA, and (4) how the app notifies users of the collection of particularly sensitive information: location information, data about children, and personal directory data.