Photo of Sheila MillarPhoto of Tracy Marshall

Nearly one year after it was first warned its privacy practices were inadequate under European law, popular messaging platform WhatsApp has been cited with privacy deficiencies for a second time. The Article 29 Data Protection Working Party (WP29), which is made up of data regulators from EU Member States and the Commission, sent a letter to the messaging app’s CEO on October 24, 2017 alleging that the company’s consent mechanism for sharing personal data of EU users remains “seriously deficient” and announcing the formation of a taskforce to implement a resolution. This action comes just months before the new EU General Data Protection Regulation (GDPR) takes effect on May 25, 2018, and reinforces the need for companies that process personal data of EU residents and individuals residing in the EU to carefully assess their privacy practices and take steps to align them with the new requirements.


WhatsApp, a popular messaging app that was purchased by Facebook in February 2014, issued an updated Terms of Service and Privacy Policy in 2016 that allowed it to share personal data collected from users with Facebook and its other companies (including Instagram and Facebook Messenger). WhatsApp notified users about the privacy changes through the app, and gave them 30 days to consent or opt out using pre-checked boxes. The WP29 expressed concern that the notice was not sufficient for users to give informed consent in a manner that complies with EU law. That prompted a subsequent letter to WhatsApp on October 24, 2017.

Other European data privacy regulators have questioned the privacy practices of Facebook and other U.S.-based companies in recent years.  Areas of focus have included online tracking of users without their knowledge and the use of user data for advertising purposes without consent. Against that backdrop is a significant decision by the Irish High Court in October that referred the case of Data Protection Commissioner v. Facebook Ireland Limited & Maximilian Schrems, which concerns the validity of standard contractual clauses as a permissible mechanism for transferring personal data from the EU to the United States, to the Court of Justice of the European Union (ECJ). These actions are instructive for all companies involved in the processing of data of EU users as they seek to implement the GDPR and assess appropriate data transfer mechanisms that will survive legal challenge.

The EU Consent Requirement

The WP29’s actions against WhatsApp focus on the way the social media platform obtains consent from users to share their data with third parties. Consent is one of the lawful bases for processing personal data under EU law. The concept of consent as a lawful basis for processing data is grounded in the 1995 Data Protection Directive (95/46), and has been expanded upon in WP29 Opinions and the GDPR (2016/679).  Directive 95/46/EC established that consent must be unambiguous, freely given, specific, and informed, and the GDPR goes a step further and requires that consent: consist of a statement or clear affirmative action; be demonstrable, clearly distinguishable, intelligible, and easily accessible; use clear language; and be capable of being withdrawn.

The WP29 determined that WhatsApp’s consent mechanism does not sufficiently allow for user consent that is unambiguous, freely given, specific, and informed, primarily because:

  • Users are not appropriately informed of the intended collection, processing, and use of data, as well as the specific information that is shared with third parties and for what purposes;
  • WhatsApp employs a “take it or leave it” approach whereby users must either consent to the sharing of data or stop using the services;
  • A blanket consent mechanism is insufficiently precise to ensure specific consent for a particular transfer or category of transfers;
  • A pre-checked box is ambiguous and leaves doubt as to the data subject’s intention; and
  • There is no process for consent to be easily withdrawn, as required by the GDPR.

The next step is for the company to work with the newly established taskforce to address the alleged deficiencies.


Having a lawful ground for processing personal data (and adhering to standards for obtaining consent when that is the legal basis of processing) is just one of the many requirements under the GDPR that companies must consider as they work on GDPR compliance strategies.   The GDPR will give regulators the power to fine companies – at present, capped at 1 percent of global profits – up to 4 percent of their global profits or 20 million euros – whichever is higher. So, while Facebook’s latest fine of $1.4 million, is a drop in the bucket for a company that pulled in roughly $27 billion in 2016, it is a fraction of what it could be under the GDPR and the new rules should make everyone nervous.