WhatsApp announced the policy changes in January, but was forced to delay its introduction until May, because of confusion and user backlash over what data the messaging service collects and how it shares that information with parent Facebook.
Earlier this week, consumer-rights campaigners filed a complaint against WhatsApp over its allegedly “aggressive” roll out of a policy that remains “opaque.”
In Thursday’s decision, the EDPB stopped short of imposing a provisional EU-wide ban on data access, as requested by the Hamburg data privacy commissioner.
The German authority in May imposed a three-month banning order on Facebook to stop it collecting German users’ data from its WhatsApp unit, and asked EU regulators to take a bloc-wide decision.
A new Irish probe into Facebook and WhatsApp over how user data is being processed or shared would add to some 28 investigations the Irish Data Protection Commission has open into Silicon Valley giants, including Apple Inc. and Google—which all have their EU base in Ireland. Facebook accounts for nine of these investigations and more are pending into its WhatsApp and Instagram businesses.
WhatsApp said it welcomed the decision not to extend the German regulator’s order across the EU, saying it “was based on fundamental misunderstandings as to the purpose and effect of the update to our terms of service.”
“We remain fully committed to delivering secure and private communications for everyone and will work with the Irish Data Protection Commission as our lead regulator in the region in order to fully address the questions raised by the EDPB,” WhatsApp said.
The EU’s General Data Protection Regulation, or GDPR, gave data regulators unprecedented powers to fine companies as much as 4% of their annual sales.
Considering “the lack of information as regards how data are processed for marketing purposes, cooperation with the other Facebook Companies and in relation to WhatsApp,” the EU watchdogs said the Irish authority had to investigate the role of Facebook in the data processing.