On September 27, the Hamburg Commissioner for Data Protection and Freedom of Information, Johannes Caspar, issued an administrative order requiring that Facebook, which bought the WhatsApp messenger service in 2014, immediately stop collecting data from 35 million WhatsApp users in Germany, and delete all such data that it already holds. The commissioner claims this will protect consumer privacy, but it will do nothing of the sort. If this type of action becomes the norm, it would only establish redundant regulations that threaten the ability of companies—especially start-ups—to provide new data-driven services.
In April, WhatsApp announced a change to its privacy policy that added a provision to share users’ phone numbers and contacts with Facebook, in order to sharpen up the latter’s “friend” recommendations and advertising. WhatsApp alerted every user to these changes through the app itself, and gave them the choice to decline to share this data with Facebook. WhatsApp still advertises this option on its website. Moreover, many media outlets reported both the changes and the ability to opt out.
However, the commissioner says that the exchange is permissible only if both the data provider (WhatsApp) and the receiver (Facebook) each seek users’ consent. This presents a paradox: How was Facebook supposed to get WhatsApp users’ consent to collect their data before WhatsApp had given them access to those customers? Mr. Caspar’s condition requires both that Facebook does access users’ data and that it does not. Clearly, the only logical basis on which consent can be established here is via WhatsApp—which is exactly what happened.
Putting that paradox to one side, this order still does nothing to protect privacy or consent. Mr. Caspar’s argument is that it is not enough for WhatsApp to get permission to share data with Facebook: Facebook also had to get users’ permission to receive it. How much additional privacy or control do consumers gain from answering the same question twice? How many customers would not understand that sending something to somebody else should normally involve that person receiving it? The burden of a requirement for “double consent” will only make it harder for companies to provide data-driven services after a merger or acquisition, or in partnership with one another. Not only will this stifle innovation generally; it will have an especially pernicious effect on German tech start-ups, for whom partnerships, mergers, and acquisitions are an important means by which they turn their ideas into widely available services. Worse, rules like this benefit incumbent firms that already hold large stores of user data and freeze would-be competitors out of the market.
Facebook and WhatsApp did themselves no favors in Europe by saying they would not make changes to the use of WhatsApp user data at the time of their merger in 2014, as the European Commission does not consider privacy when deciding whether to approve acquisitions. Those statements may lie behind at least some of the scrutiny today; not only in Germany, but also in Spain, Italy and the United Kingdom, where government agencies responsible for data protection are taking an interest. There is certainly a lesson to be learned here about making promises one cannot keep, but neither firm has breached any conditions imposed by the EU.
But another reason for interest by privacy regulators in Europe is the cheerleading by European telecom companies. European telecoms giants, like Deutsche Telecom, have been aggressively lobbying regulators to hobble their nimbler Internet competitors. WhatsApp poses a major challenge to telecoms firms, because it allows smartphone owners to exchange messages over the Internet without paying SMS rates. As The Economist writes, Deutsche Telecom has “long pushed for a ‘level playing’ field with online rivals.” Pointless restrictions of the kind Mr. Caspar wants serve the interests of these powerful incumbents well.
The bottom line is that WhatsApp users’ privacy remains intact: They were given the opportunity to deny Facebook permission to use their account data for advertising, and many took it. Requiring companies to ask for consent twice only creates more red tape. And if regulators really think it does protect privacy somehow, then why stop there? Perhaps consumers should be asked three times, just to be sure. Or maybe once per day, just as a friendly reminder— “Good morning! Are you absolutely sure you got it right yesterday? Take a moment to read our terms all over again, because your privacy is important to us!” Clearly, the double consent standard does nothing to protect privacy, so the commissioner should retract this order and turn his attention to genuine privacy issues.
Image credit: Flickr user Marius Brede