Germany bans Facebook from processing WhatsApp data

German data regulator says Facebook's new privacy policy could violate European data protection rules

The lead German data protection regulator, Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI), has said that it will use an emergency GDPR procedure to prevent Facebook from collecting and processing personal data from WhatsApp, for the next three months.

The regulator views Facebook's new privacy policy as illegal and in violation of European data protection rules. Under the GDPR, companies holding data about users, customers or employees cannot share the data without legitimate reasons.

"The order is intended to safeguard the rights and freedoms of the many millions of users throughout Germany who give their consent to the terms of use," Hamburg's data protection commissioner Johannes Caspar said.

"My objective is to prevent disadvantages and damages associated with such a black-box procedure."

Caspar is now seeking an EU-wide order from the European Data Protection Board (EDPB), whose members include regulators from the bloc's 27 member states.

The EDPB doesn't normally get involved in making binding GDPR decisions related to individual cases, unless the bloc's various data protection agencies cannot agree on a decision. In that case, the EDPB would have a deciding vote.

Caspar added that the Cambridge Analytica scandal and recent Facebook data leak "show the scale and dangers posed by mass profiling".

"Without the trust of the users, no data-based business model can be successful in the long run," he said.

The move from the Hamburg data protection authority comes just before a 15th May deadline that WhatsApp users have to consent to its new terms.

In response to the HmbBfDI's stance, WhatsApp said the decision was based on a fundamental misunderstanding of the purpose and effect of its policy update, and therefore had no legal basis.

"As the Hamburg DPA's claims are wrong, the order will not impact the continued roll-out of the update," a WhatsApp spokesperson told Reuters.

"We remain fully committed to delivering secure and private communications for everyone."

The company rejected claims that the policy update was related to expanding data sharing with Facebook. It said the new terms were connected only to messages between customers and businesses.

WhatsApp announced the update to its new user policy earlier this year, scheduling it to come into effect on the 8th February. It also said that it reserved the right to share some user data with the Facebook.

The move angered millions of users, who switched to competing apps Signal and Telegram. Signal even became the number one app in its category in many parts of the world, with so many new subscribers joining that it has struggled to scale up.

Privacy advocates criticised WhatsApp's announcement, concerned that the new policy would grant Facebook sweeping access to private data.

Following the criticism, WhatsApp announced that it was delaying the introduction of the new policy by three months, to better explain to users what type of data it collects and how the information is shared with Facebook.

WhatsApp said that it would always protect users' private messages with end-to-end encryption, so that nobody, including WhatsApp and Facebook, is able to read them.

It added that it expects more people to use the service for business purposes and wants them to be aware of various features available on the app.