1 December 2016

DPA decisions on Facebook, WhatsApp & TalkTalk

Recent high-profile decisions by European Data Protection Agencies (DPAs) emphasise how important it is for businesses to remain vigilant about their data protection obligations. As Facebook and TalkTalk have discovered, the consequences can have a dramatic effect on business models and include substantial fines.

Facebook & WhatsApp

The German data protection agency has ordered Facebook to stop collecting user data from its WhatsApp messenger app and delete any data it has already received.

In August this year, Facebook announced that it would import data on WhatsApp's more than 1 billion users into Facebook. This data would be used for targeted advertising. Users have the option of opting out of their data being used for advertising purposes, but there is no option to stop the data being shared with Facebook.

Hamburg’s Commissioner for Data Protection and Freedom of Information Johannes Caspar ruled on Tuesday that Facebook 

‘neither has obtained an effective approval from the WhatsApp users, nor does a legal basis for the data reception exist. […] It has to be [the users’] decision whether they want to connect their account with Facebook. Facebook has to ask for their permission in advance.’

It was particularly noted that after the 2014 acquisition of WhatsApp by Facebook, the social network had promised that they would not be harvesting user data. As Facebook and WhatsApp are separate entities, the German ruling stated that they should process data based on separate terms and conditions and data privacy policies. 

Facebook has been ordered to delete any data gathered from WhatsApp in Germany. 

Facebook has responded that it will appeal the ruling and ‘will work with the Hamburg DPA in an effort to address their questions and resolve any concerns.’

Facebook also noted that it had introduced encryption to WhatsApp and that any information shared between the two entities was intended to improve the service for users.

In the face of numerous challenges from data protection regulators in Europe, Facebook has maintained that it operates in Europe from its headquarters in Ireland and that its actions are therefore governed by Irish law. In the wake of the German ruling, Ireland’s Data Protection Commissioner is examining the revised privacy policy between WhatsApp and Facebook. 

“The Data Protection Commission is focusing its attention on the type of information shared between WhatsApp and Facebook on foot of the revised policy, particularly in cases where consumers have exercised their right to opt out.”

Italy's data protection agency announced that it had also opened an inquiry and had asked WhatsApp to explain what data it planned to share with Facebook and what steps were being taken to explain to users how their data would be used.

TalkTalk

TalkTalk, the internet service provider, has been fined a record £400,000 by the UK Information Commissioner's Office (ICO) as a result of security failings that allowed its customers' data to be accessed.

TalkTalk was hacked in October 2015, and the details of 150,000 of its customers were obtained. These included sensitive financial information for over 15,000 individuals.

The ICO found that the attack could have been prevented had basic security measures been implemented. Consequently, TalkTalk had not fulfilled its obligation to keep customer data secure.

A number of factors led the ICO to conclude that TalkTalk was not complying with its security obligations.  

The hack targeted a customer database which had been acquired as part of TalkTalk's acquisition of Tiscali in 2009. The acquisition included inherited infrastructure which TalkTalk failed to scan for security threats. As a result, TalkTalk was unaware that three vulnerable web pages existed that allowed the attacker to reach a customer database. TalkTalk was also unaware that the version of the database software it was running was out of date and no longer supported. The software contained a bug for which a fix was available, but the fix had not been installed because the software was unsupported.

Furthermore, the hackers had used a well-known method for penetrating the network called 'SQL injection', to which there are existing, established defences. TalkTalk should have been aware that SQL injection posed a threat and applied protective measures. Moreover, TalkTalk had been subject to two prior attacks using the same method, of which it had not been aware.
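As an added illustration of the point above (not part of the original article, and unrelated to TalkTalk's actual systems), the snippet below places the defect class behind SQL injection beside its established defence, a parameterised query, using a constructed in-memory SQLite table and constructed sample rows:

```python
import sqlite3

# Constructed sample rows standing in for a customer database; not real data.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "ACC-1001"),
    (2, "bob@example.com", "ACC-1002"),
    (3, "carol@example.com", "ACC-1003"),
]

def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, account TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Defective pattern: user input is concatenated into the SQL text, so
    anything the caller supplies is parsed as part of the statement."""
    sql = "SELECT id, email, account FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """Established defence: a parameterised query. The driver binds `email`
    as a value, so it is only ever compared against the column and can never
    change the structure of the statement."""
    sql = "SELECT id, email, account FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()

def compare(untrusted_input: str) -> tuple:
    """Run both lookups on the same input; return (vulnerable_rows, safe_rows).
    A single-account lookup should never return more than one row, so a
    larger count from the vulnerable path is the tell-tale of injection."""
    conn = make_db()
    try:
        return (len(lookup_vulnerable(conn, untrusted_input)),
                len(lookup_parameterised(conn, untrusted_input)))
    finally:
        conn.close()

if __name__ == "__main__":
    # A legitimate address behaves identically on both paths.
    print("legitimate:", compare("alice@example.com"))
    # The textbook tautology used when testing a fix: the concatenated query
    # returns every customer, the parameterised one returns nothing.
    print("tautology :", compare("x' OR '1'='1"))
```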

TalkTalk had already been criticised for falling victim to a number of security breaches in the last few years. In combination with the issues outlined above, this led to the ICO issuing its highest ever fine, not far short of the permitted maximum of £500,000.


These two DPA decisions illustrate that the obligations under the European data protection regime cannot be neglected or ignored.  Companies would be well advised to regularly review their compliance, including privacy policies, customer notifications and security measures. 

The findings against Facebook highlight the perils of sharing personal data between a group of companies.  There are factors to consider when deciding to share data with other entities, including related entities. These include:

1. What is the objective of the sharing?
2. What information needs to be shared? Do not share more than you need to achieve your objective.
3. Who requires access to the shared data? Access should be restricted to those who need it to achieve the objectives.
4. When should it be shared? Is this an ongoing process or a response to certain events?
5. How should it be shared? Consider the security of any transfers of personal data.
6. Can the data be anonymised?

It is necessary to consider the fundamental principles which apply to data processing and whether these are satisfied in the context of the data being shared with a related entity. Is the processing by the related entity: 

1. Necessary to fulfil a contract with the individual, or because the individual asked for something to be done in order to enter into a contract?
2. Necessary as a result of a legal obligation?
3. Necessary to protect the individual's vital interests or for the administration of justice?
4. Carried out under the legitimate interests condition, which allows processing of data where it is necessary for a legitimate reason that has been balanced against the interests of the individual concerned, and is fair, lawful and in accordance with all the data protection principles?
5. Done with the consent of the data subject?

It is always advisable to obtain consent for the processing and, in consequence, to notify users if their data is being shared and for what purpose. Actively sharing a privacy notice is recommended, particularly if failure to do so would result in any unfairness to data subjects. The ICO advises drawing an individual's attention to the policy and to the sharing of data where the individual would not expect their data to be shared or would object to it.

Meanwhile, the TalkTalk decision is a stark reminder that businesses are expected to maintain adequate security measures. Although hacking cannot be condoned, that does not excuse ignoring obvious security threats. Businesses must stay alert to potential threats and audit their infrastructure for weak spots. This includes being aware of known techniques for accessing data, as well as the established defences against those techniques, and ensuring these defences are implemented. While an isolated incident is unlikely to result in unduly harsh penalties from the ICO, repeat offenders will face prohibitive measures, including heavy fines.