The UK Information Commissioner's Office (ICO) has cast a shadow over data sharing between Facebook and WhatsApp in a move which could have complicated implications in the long-run.

Jamie Davies

November 8, 2016

5 Min Read
UK slams Facebook and WhatsApp data relationship

The UK Information Commissioner’s Office (ICO) has cast a shadow over data sharing between Facebook and WhatsApp in a move which could have complicated implications in the long-run.

The decision to share data between WhatsApp and Facebook was seen as slightly controversial when it was announced back in August, considering WhatsApp CEO Jan Koum had repeatedly promised the company would not sell users personal data. Strictly speaking WhatsApp has done nothing wrong, Facebook does technically own the data by virtue of owning WhatsApp itself, though the move is blurring the lines of contradiction.

“It’s one of the roles of the Information Commissioner to pull back the curtain on how organisations use personal data, and I wanted to give you an update on what we’ve done so far,” Information Commissioner Elizabeth Denham wrote on the organizations blog.

In short, the ICO has flagged up three concerns which are specific to the Facebook/WhatsApp deal, and a fourth with regard to the wider M&A activity in the industry. Let’s deal with the Facebook/WhatsApp deal first:

  1. The ICO believes Facebook has not offered enough information to the consumer on how personal data will be used. The team has loosely stated it would use the information to increase effectiveness of advertising across the social media platform, though no more detail than that

  2. Another concern is the means by which consent was collected from WhatsApp users. Denham simply stated “I don’t think WhatsApp has got valid consent from users to share the information”. Pretty up-front and no messing about there.

  3. Finally, the ICO highlighted the consent which is given by the consumer effectively hands over control his/her personal information after the 30-day period. This does in some ways contradict a lot of data protection and privacy concerns put forward by activists, and the ICO believes the user should have longer-standing control over how personal information is used.

“It’s important that we have control over our personal information, even if services don’t charge us a fee,” said Denham. “We might agree to a company using our information in a certain way in return for us getting a service for free, but if that information is then exploited more than agreed, for a purpose we don’t like, then we’re entitled to be concerned.”

The ICO has now asked Facebook and WhatsApp to pause data sharing activities while the concerns are still lurking, and should it continue, Facebook will face the sharp-end of the regulatory stick.

The ICO is making an important stand for the rights of users. The digital era is not going to disappear and the use of personal information as a currency will only become more prominent over the next few years. If correct precedents are not set in the early days, there could be a mess to sort out in the future, or even worse, the misuse of personal information due to loop-holes, patterns and nefarious characters.

“We all rely on digital services for important parts of our lives, whether it’s keeping in touch with loved ones or doing our weekly shop,” said Denham. “But our digital comings and goings create rich portraits of our lives, and vague terms of service when we sign up aren’t giving us the protection we need.”

The final point of contention from the ICO is more of a wider industry concern, but a theme which has been playing out quite prominently over recent months. More specifically, it ties back to the activity of acquiring a company to gain ownership of its data. Examples include the aforementioned $19 billion acquisition of WhatsApp by Facebook, and more recently Microsoft dropping $26 billion on LinkedIn. Twitter would be an example as well, but no-body wants to buy it.

Personal information is basically being commoditised, relegating it to the ranks of barrels of oil or coffee beans. Defining personal information in these terms removes the element of importance, and runs the risk of removing the sense of responsibility organizations should have when handling such sensitive information.

“It’s a particular concern when company mergers mean that vast amounts of customers’ personal data become an asset to be bought and sold,” said Denham.

“We’re seeing situations where companies are being bought primarily for this data, and when it is combined with information the purchasing company already holds, there’s a danger that consumers will have little control as datasets are matched and intrusive details revealed.”

This also leads onto an interesting debate on who owns the data itself. Yes, personal information should remain under the control of the individual, but if that individual accepts it is being used as a currency to procure services, he/she should also have to accept it will be used to make money for the company. ‘Nothing is free’ is a popular phrase, though it would appear some in the world have forgotten this. If they are not willing to part with cold, hard cash, they have to pay for services in another manner.

The merger and acquisition complication is an interesting one however, as an individual has entered into a contract with one organization but not another. Is there an implied agreement at the time of the initial contract that the consumer allows the free-flow of information in the event of an acquisition? In the case of Facebook/WhatsApp, the team are not technically doing anything wrong. It is not selling the data or in theory allowing it to leave the boundaries of its organization; it’s a complicated situation.

A comment from Christopher Whitmey at the foot of the blog post demonstrates this: “You say, ‘We’re seeing situations where companies are being bought primarily for this data, ‘. Is it lawful to sell my personal data to A.N.Other without my permission?”

Are these companies technically selling the individuals data as it is selling separate components of its own business as a collective asset? When does the company need to seek permission of the individual? It is technically benefiting financially from that individual’s personal information, even though not directly. It certainly is a complicated situation.

Although the answers are unlikely to be found in the short-term future, this is hardly surprising. The idea of data as a commodity is still very new and the industry is still going through growing pains. A precedent needs to be set and the ripples from the ICO’s actions could have very positive or negative repercussions on the wider information industry.

You May Also Like