The Spanish Agency for Data Protection (AEPD) has sanctioned 600,000 euros to the WhatsApp and Facebook companies (300,000 euros each) for the transfer and processing of personal data of their users without consent.
The Agency has concluded that there are two severe infractions of the Organic Law of Data Protection, in the case of WhatsApp for communicating data to Facebook without authorization from the user and in Facebook for the treatment of that data for their purposes.
The resolution of the AEPD concludes that the communication and treatment of data made by WhatsApp to Facebook do not meet the requirements of Spanish and European data protection regulations.
WhatsApp has responded to the fine alleging that “it is deeply concerned about the privacy of users, we collect very little data, and each message is encrypted end-to-end, as we have repeatedly clarified during the last year, we do not share or share data that the Authority Spanish Data Protection has expressed concern about any part of Europe. ”
No option to refuse
The acceptance of the new conditions was imposed as mandatory to be able to make use of the messaging application, and the communication of personal data to Facebook was carried out without adequate information to the users, who were deprived of the possibility of refusing to these conditions.
In the case of users who already had the WhatsApp application installed, informs the AEPD, the company allowed to reject that the information provided could be used to improve the experience with the products and advertising on Facebook, but not for other purposes, and obliged them to accept the new conditions before a specific period to continue using the service.
New users did not have the option to refuse their data to be transferred to Facebook for advertising or experience improvement purposes and could not use the app if they did not accept the new terms of service. The AEPD recalls that according to Article 11 of the Organic Law on Data Protection, the communication of personal data requires the consent of the affected party and that said permission must be free, specific and informed.
Therefore, the requirement that users give their consent as a requirement to be able to use the application “exerts a real influence on the freedom of choice of the interested party” and this permission can not be considered free, details the note. Also, the AEPD resolves that the absence of information or insufficient information also determines the lack of consent.
In the case of Facebook, the AEPD considers that the social network uses the user information provided by WhatsApp for the benefit of its activity and that it requires free, specific and informed consent from the user, which does not exist when the deficiencies are reproduced. Observed in the performance of WhatsApp.