In its decision, the CNIL found that WhatsApp violated the French Data Protection Act of January 6, 1978, as amended (Loi relative à l’informatique, aux fichiers et aux libertés) by: (1) sharing data with Facebook without an appropriate legal basis, (2) not providing sufficient notice to the relevant data subjects, and (3) not cooperating with the CNIL during the investigation.
Lack of Legal Basis
While WhatsApp shares its users’ data with Facebook for both business intelligence and security purposes, the CNIL focused its analysis on the “business intelligence” purpose. WhatsApp represented that such sharing was based on consent and legitimate interest as legal grounds. In its analysis of both legal bases, the CNIL concluded that:
- WhatsApp cannot rely on consent to share users’ data with Facebook for “business intelligence” purposes on the grounds that: (1) the consent is not specific enough, and only refers to the messaging service and improving Facebook’s services, and (2) the consent is not freely given, as the only way for a user to object to such processing is to uninstall the application.
- WhatsApp cannot rely on a legitimate interest to share users’ data with Facebook for “business intelligence” purposes because the company has not implemented sufficient safeguards to preserve users’ interests or fundamental rights. There is no mechanism for the users to refuse the data sharing while continuing to use the application.
Lack of Notice to Data Subjects
The CNIL found that WhatsApp did not provide sufficient notice on the registration form to data subjects about sharing personal data with Facebook.
Lack of Cooperation with the CNIL
The CNIL found that WhatsApp did not provide the necessary cooperation during the investigation, for example by refusing to provide the CNIL with data pertaining to a sample of French users on the basis that such a request conflicts with U.S. law.
The CNIL’s Requests
In its formal notice, the CNIL requires WhatsApp to, within one month:
- cease sharing users’ data with Facebook for the purpose of “business intelligence” without a legal basis;
- provide a notice to data subjects that complies with the French Data Protection Act, and informs them of the purposes for which the data is shared with Facebook and their rights as data subjects;
- provide the CNIL with all the sample personal data requested (i.e., all data shared by WhatsApp with Facebook for a sample of 1,000 French users); and
- confirm that the company has complied with all of the CNIL’s requests above within the one-month deadline.
If WhatsApp fails to comply with the terms of the formal notice within one month, the CNIL may appoint an internal investigator, who may propose that the CNIL impose sanctions against the company for violations of the French Data Protection Act.