Included in this issue: ICO intervention results in "pause" in Facebook's plan to use data from UK users of WhatsApp; Regulator to scrutinise marketing used in online gambling arena; Russia to ban LinkedIn over data protection fears and more...


United Kingdom

ICO intervention results in "pause" in Facebook's plan to use data from UK users of WhatsApp

Following a request from the UK Information Commissioner Elizabeth Denham, Facebook has agreed to temporarily halt its proposed data sharing arrangements with instant messaging platform WhatsApp. Facebook bought WhatsApp in February 2014 for what was reported to be an estimated $19 billion in cash and shares.

Facebook has made clear this year that it intends to use data from an individual's WhatsApp user account to inform the use of targeted advertising and other commercial activities on an individual's Facebook profile.

Ms Denham voiced her concerns on the Facebook/WhatsApp acquisition in September, stating that users have not been given "enough information about what Facebook plans to do with their information, and I don't think WhatsApp has got valid consent from users to share the information".

WhatsApp recently updated its privacy policy, offering users the ability to opt out of the data sharing scheme with Facebook. However, users were given only a 30-day window in which to do so, after which they are unable to withdraw their consent. This point was criticised by Ms Denham, who stated, "users should be given ongoing control over how their information is used, not just a 30-day window".

Although Facebook has announced a "pause", it is yet to agree to any permanent changes to satisfy the concerns of the Information Commissioner's Office (ICO). As reported in our bulletin last week, Facebook's data sharing arrangements are also currently being investigated by the Article 29 Working Party.

For coverage of this story in the Guardian please click here

To view ICO's recent update on its investigation please click here

Regulator to scrutinise marketing used in online gambling arena

As part of the ICO's investigation into the use of spam texts linked to the online gambling sector, the ICO is to contact hundreds of companies requesting that they reveal how they use personal information to promote online gambling via the use of spam text messages.

The ICO is writing to firms involved in 'affiliate marketing', a process under which a company rewards its affiliates for each new customer it receives from marketing carried out by that affiliate. This kind of arrangement has started to raise the question of who is the data controller. The ICO has pointed out that this can lead to "a situation where neither party is taking any responsibility for complying with the rules".

The ICO has requested that companies clearly set out how they have obtained an individual's personal data, as well as reviewing the number of spam texts they are sending out as promotional material. Businesses are advised to review the ICO's direct marketing checklist, which is available here.

For more coverage of this story from the ICO please click here

Rest of the World

Audit of international data transfers announced by German Authorities

German Data Protection Authorities (DPAs) have announced that they have commenced a coordinated audit of five hundred German companies in relation to the transfer of data outside of the EU.

The assessment has been launched after the DPAs expressed concerns with regard to (1) the level of protection companies currently have in place; and (2) a lack of awareness as to what qualifies as an international data transfer. The DPAs have highlighted a particular focus on the increased use of cloud-based services, many of which are based in the United States. Companies are reminded to review their cloud agreements, where the cloud is based and what level of security is being used by the cloud provider.

Under the current law, the transfer of personal data outside of the EU is only compliant if the data can be protected in the country to which it is being transferred to a similarly adequate standard as that under which it was protected within the EU. For US-EU transfers, many US-based companies have signed up to the Privacy Shield, which came into force in August of this year.

The German DPAs intend to send out specially designed questionnaires which ask companies to describe their data transfers in detail. Interestingly, the questionnaires cover the use of collaboration platforms such as messaging systems and document exchange servers. Depending on the results received, the DPAs may launch further, more in-depth assessments if required.

To view a copy of the German press release please click here

Russia to ban LinkedIn over data protection fears

LinkedIn has lost its appeal against a decision to block the use of its website in Russia after a court upheld the decision taken in August. LinkedIn was found guilty of violating a law passed in 2014 which requires websites operating in Russia which collect personal data on Russian citizens to store the information collected on Russian servers.

This is the first time the law has been enforced. LinkedIn has over six million registered users in Russia, comprising individual members and businesses, who will be affected by the block.

The decision has now set a precedent as to how foreign firms accessing Russian data must operate within Russia and could force other website operators to comply with the law or face the same consequences. The block is expected to take effect in the next week.

NY Times coverage is available here

Helena Brown

Partner, Commercial and Data Protection & Head of Data
Edinburgh, UK