When it comes to online privacy, the European data protection authorities tend to be quite interventionist as they try to police the movement of personal data within and out of the EU. The concerns over the Safe Harbor and Privacy Shield frameworks are one manifestation of this. Another is the increasing EU scrutiny of Facebook’s purchase of WhatsApp.
Facebook has appealed to the administrative court against the order in the preliminary proceedings. The goal was to repeal the immediate enforcement. The court rejected this request today and clarified the fact that it does not see any legal basis for the planned data exchange. Facebook can not invoke interests of its own business because the complete data exchange is neither necessary for the purpose of network security or business analysis nor for advertising optimization. Furthermore, the court clarifies that there is no effective consent from WhatsApp users for a data exchange with Facebook. As a result, the administrative court is making a clear consideration in the context of the preliminary legal proceedings: the interests of the approximately 35 million German WhatsApp users predominates the economic interest of Facebook in a suspension of immediate enforceability.
That’s not the only problem Facebook faces in Europe. A little while after WhatsApp announced that it would be consolidating its user data with Facebook, the European Commission sent what is called a “Statement of Objections” to Facebook, alleging that:
the company provided incorrect or misleading information during the Commission’s 2014 investigation under the EU Merger Regulation of Facebook’s planned acquisition of WhatsApp.
The problem is that:
When reviewing Facebook’s planned acquisition of WhatsApp, the Commission looked, among other elements, at the possibility of Facebook matching its users’ accounts with WhatsApp users’ accounts. In its notification of the transaction in August 2014 and in a reply to a request of information, Facebook indicated to the Commission that it would be unable to establish reliable automated matching between the two companies’ user accounts.
Once WhatsApp and Facebook started carrying out precisely that kind of automated data matching last year, the Commission naturally wondered whether Facebook had been totally frank in its answers. The company had until January 31 to explain itself, and the Commission is now deciding whether it feels it was given misleading information. If it does, the consequences may be quite costly. Under EU law, Facebook could be fined 1% of its global turnover — which would amount to around $179 million based on 2015 revenues. On its own, that probably wouldn’t be too much of a problem for the deep-pocketed company. But combined with the ruling in Germany, and the possibility that data protection authorities in other countries will follow suit — the law is the same throughout the EU, after all — these European concerns about privacy are turning into a major a headache for Facebook.