WhatsApp has agreed not to share its users’ personal data with Facebook, its parent company, until the European Union’s General Data Protection Regulation (GDPR) is in force. It has also agreed that, if it continues with data sharing with Facebook for other purposes, it will be in accordance with the GDPR. This comes in response to the result of the U.K.’s Information Commissioner’s Office (ICO) investigation, which looked into the terms of the data sharing.
WhatsApp had to halt its plans to share user data with Facebook in 2016, when various groups raised concerns about its updated privacy terms and conditions. The new policy included sharing of user data with Facebook for certain purposes. The ICO launched a full investigation into the case that same year, with France and Germany following in its footsteps.
Ensuring lawful data sharing
The ICO found no lawful basis for the data sharing, and found that WhatsApp had failed to provide adequate information to its users regarding the sharing of their personal data. The planned data sharing would have also been incompatible with the original purpose for which existing users had provided personal data. Had such data sharing taken place between the two companies, it would have been a breach of the U.K.’s current Data Protection Act (DPA). It should be noted that an updated Data Protection Bill (DPB) is now in Parliament to ensure U.K. laws are in line with the GDPR.
The ICO said it would not impose fines, as no breach had been committed. WhatsApp gave its assurance that no U.K. user data had been shared with Facebook for purposes other than that of being a data processor of the company. The DPA, as well as the GDPR, does not prohibit data sharing per se as long as organizations follow legal requirements.
The GDPR, as a data protection regulation, does not completely prevent data sharing between organizations. However, it does set up standards for a safer, more transparent process of data sharing and transfer, with a focus on ensuring that users consent specifically to that sharing. As in the case of WhatsApp and Facebook, compliance with data-relevant regulations will play a big role in the future of data processing and sharing. The GDPR may pose a challenge for the continuity of data sharing between organizations, considering the stronger influence of user consent and transparency on data processing under it. Given that the GDPR is a broader and stricter data regulation, compliance issues should be resolved with these requirements in mind.
Organizations worldwide need to abide by GDPR’s comprehensive set of regulations to ensure sufficient protection of EU citizen data. This includes becoming better protected against cyberthreats and incorporating “state-of-the-art security” in data processing and protection. Aside from establishing well-defined roles, policies, and processes on data collection, processing, and transfer, another step in the right direction for organizations is using cybersecurity solutions that can protect the entire enterprise from cyberthreats.
Trend Micro solutions, powered by XGen™ security, deliver state-of-the-art security capabilities that can be used to help address GDPR compliance. Trend Micro™ XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features multiple advanced capabilities, including high-fidelity machine learning, to secure gateway and data, and seamlessly protects physical, virtual, and cloud workloads. With additional capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen protects against today’s purpose-built threats that bypass traditional controls and exploit known, unknown, or undisclosed vulnerabilities. Smart, optimized, and connected, XGen powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.