Facebook, WhatsApp and mission creep

Emma RoakeGerman regulators have slapped down WhatsApp’s move to share its users’ data with parent company Facebook, calling it an “infringement of national data protection law”.

Despite Facebook and WhatsApp publicly committing in 2014 (when Facebook bought WhatsApp) that users’ data would not be shared between the two companies, recent changes to WhatsApp’s terms and conditions have reversed this position.  The new terms and conditions state that user data (including the mobile number and device information of the WhatsApp user) will be shared with Facebook, including for targeted advertising purposes.  The terms and conditions automatically opt in users to the data-sharing arrangement.

However, in the last few days of September, the Hamburg data protection commissioner issued an administrative order which:

  • prohibits Facebook from collecting and storing the data of German WhatsApp users; and
  • compels Facebook to destroy any data which has already been collected from German WhatsApp users.

The Hamburg data protection commissioner has said that the WhatsApp user’s consent needs to be obtained to the data-sharing for it to be lawful, and this had not happened.

Facebook is appealing the decision.

The changes to WhatsApp’s terms and conditions have caused widespread controversy since being announced, and have caused concern with data regulators around the world.

The UK’s data protection regulator (the ICO) has announced that it is investigating the data-sharing on behalf of WhatsApp users in the UK.  Elizabeth Denham (the new information commissioner) commented in an interview with BBC’s Radio 4 that there was a “lot of anger” amongst the UK’s WhatsApp users.  Ms Denham also addressed the WhatsApp / Facebook data-sharing arrangement in her first speech as information commissioner on 29 September 2016, commenting that “all of this is about transparency and individual control”.

Transparency and trust were the central themes of Ms Denham’s first speech, where she explained that her fundamental objective as information commissioner was to build a culture of data confidence in the UK.  She noted her concern that an ICO survey from earlier in the year had shown that only 1 out of every 4 adults trust businesses with their personal data.

Ms Denham made clear that the ICO would pick and choose its investigations carefully, making sure that those investigations were relevant to the public.  Unsurprisingly, she said that technology “is already at the forefront” of most of the ICO’s major investigations.  For example, in addition to investigating the change in WhatsApp terms and conditions, the ICO has in the last few weeks asked questions about the major Yahoo data breach.

The ICO has indicated that it will be putting out an update soon on its WhatsApp/Facebook investigation.  It will be interesting to see whether the ICO follows the approach of the German regulators.

Emma Roake is a senior associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at eroake@foxwilliams.com


Telegraph Media Group fined £30,000 by ICO

Laura Monro
Laura Monro

As 2015 draws to a close, the Information Commissioner’s Office has fined the Telegraph Media Group Ltd £30,000 for a serious breach of the UK Privacy and Electronic Communications Regulations (“PECR”). The PECR set out specific rules in respect of electronic communications. In particular, the PECR prevent the sending of unsolicited marketing and advertising by electronic means without the individual’s consent to such marketing and advertising.

On the day of the general election earlier this year, the Telegraph Media Group sent out its daily editorial e-bulletin which included a letter from the editor of the Telegraph newspaper urging its readers to vote Conservative. Whilst subscribers to the Telegraph Media Group had signed up, and hence consented to receiving, the editorial e-bulletin, the ICO found that by promoting a particular election campaign the nature of the e-bulletin had changed from an editorial communication to a ‘marketing communication’.

In order to amount to valid consent to receiving a particular electronic communication under the PECR, consent must be knowingly given, clear, and specific. In the circumstances, the Telegraph Media Group did not have the specific consent of the readers to send such a marketing communication and the communication was sent in breach of the PECR.  The ICO Head of Enforcement considered that the Telegraph had been negligent in sending the letter from the editor as part of the e-bulletin and explained that “people signed up to The Telegraph’s email service so they could catch up on the news or find out about subjects they were interested in. They did not expect to be told who they should be voting for.”

The ICO has the power to impose a monetary penalty on a data controller of up to £500,000 in respect of such a breach. However, the relatively low amount of £30,000 was determined by the fact that only 17 complaints were received, and that the email in question was a late addition to the usual mailing. The ICO acknowledged that there was pressure to distribute it quickly and little time to properly consider whether it should be included in the mailing.

This case serves as a reminder of the scope of the PECR and the enforcement action open to the ICO for those who ignore the rules.

Privacy and mobile apps

As with any other business or project, developers of mobile apps need to comply with the Data Protection Act.

A typical mobile ecosystem contains many different components, including mobile devices themselves, their operating systems, plus apps provided through an app store. In many ways these are simply developments of earlier technologies used on less portable hardware, but the mobile environment has some particular features that make privacy a particular concern.  For example:

  • Mobile devices such as smartphones and tablets are portable, personal, frequently used and commonly always on.
  • A mobile device typically has direct access to many different sensors and data, such as a microphone, camera and GPS receiver, together with the user’s combined data including email, SMS messages and contacts.
  • There are many different app configurations possible, and it is not necessarily obvious how an app deals with personal information behind its user interface.
  • Mobile devices often have small screens, typically with touch-based interfaces. This can make it more challenging for apps to effectively communicate with app users.
  • Consumers’ expectations of convenience can make it undesirable to present a user with a large privacy policy, or a large number of prompts, or both.

A survey of over 1,200 mobile apps by 26 privacy regulators from across the world has shown that a high number of apps are accessing large amounts of personal information without adequately explaining how people’s information is being used.

The key findings of the survey are:

  •  85% of the apps surveyed failed to clearly explain how they were collecting, using and disclosing personal information.
  • More than half (59%) of the apps left users struggling to find basic privacy information.
  • Almost 1 in 3 apps appeared to request an excessive number of permissions to access additional personal information.
  • 43% of the apps failed to tailor privacy communications to the small screen, either by providing information in a too small print, or by hiding the information in lengthy privacy policies that required scrolling or clicking through multiple pages.

The research did find examples of good practice, with some apps providing a basic explanation of how personal information is being used, including links to more detailed information if the individual wants to know more. The regulators were also impressed by the use of just-in-time notifications on certain apps that informed users of the potential collection, or use, of personal data as it was about to happen. These approaches make it easier for people to understand how their information is being used and when.

The Information Commissioner’s Office (ICO) has recently published ‘Privacy in Mobile Apps’ guidance to help app developers in the UK handle people’s information correctly and meet their requirements under the UK Data Protection Act.

As with all aspects of software, privacy is much easier to consider from the outset of a project rather than as an afterthought. This concept is often referred to as ‘privacy by design’.

If the app which you are developing may handle personal data, then you must comply with the Data Protection Act.  Personal data is not simply the usual identifier’s such as names and address, it could include a unique device identifier such as an IMEI number: even though this does not name the individual, if it is used to treat individuals differently it will fit the definition of personal data.

Some specific guidance points are as follows:

  • If you are a data controller, you need to register with the ICO.  Failure to do so is a criminal offence.
  • Carry out a privacy impact assessment to identify what personal data should be kept confidential, and a security assessment as to whether the app does in fact ensure confidentiality of the relevant data.
  • If any personal data is to be transferred outside the European Economic Area (EEA), you will have to ensure that legal safeguards are implements to provide adequate protection for it.
  • You should only collect and process the minimum data necessary for the tasks that you want your app to perform. Collecting data just in case you may need it in future is bad practice, even when the user has consented to provide that information.
  • Additionally, you must not store personal data for longer than is necessary for the task at hand. You should therefore define retention periods for the personal data you will hold.
  • If your app is aimed at children pay particular attention to what personal data you may be collecting.
  • You should allow your users to permanently delete their personal data and any account they may have set up with you. You should only make an exception if you are legally obliged to keep the data.
  • If you want to collect usage or bug report data, this is possible, but typically must be done either with informed consent from the user; or using anonymised data.
  • Users of your app must be properly informed about what will happen to their personal data if they install and use the app.
  • Privacy information is typically provided via a privacy policy. There is no requirement for this to be in one large document. In fact, in the mobile environment, this approach can be a hindrance. The relevant information can be provided in ways that better suit the small screen and touch-based interface of a typical mobile device.
  • Make relevant privacy information available as soon as practicable. Ideally this would be done before the user downloads the app, and could be done via an app store or via a link to your privacy policy. Where you provide privacy information after an app is downloaded and installed, make sure that this is done before the app processes the relevant personal data.
  • If appropriate, use a ‘layered’ approach where the most important points are summarised, with more detail easily available if the user wants to see it.
  • Give users a granular choice where possible. This allows the user to make meaningful decisions rather than giving the user a single ‘all or nothing’ choice.
  • Allow your users to easily review and change their decisions once the app is installed and in use. Give them a single and obvious place to go to configure the various settings within the app and give them privacy-friendly defaults. It should be as quick to disable a setting as it was to enable it.
  • If your app processes personal data in an unexpected way or is of a more sensitive nature you might need to consider the use of additional ‘just-in-time’ notifications or other alert systems to inform the user what’s happening. For example, if geo-location services are running in the background or you are uploading data to the internet, consider using clear and recognisable icons to indicate that this is occurring and where necessary the option to stop (e.g. to cancel an upload).
  • Take advantage of encrypted connections to ensure security of data in transit, by using SSL / TLS for instance. You should always use encrypted connections for transmitting usernames, passwords and any particularly sensitive information, including device IDs or other unique IDs.
  • You should be particularly careful if your app accesses data from other apps or locations; respect the sensitivity of the data in the context of its original purpose, not solely in the context of your app.

The way the cookies crumble

Laura Monro
Laura Monro

This article was originally written for and featured in Childrenswear Buyer Online.

An informal review of the websites of various businesses referred to in the August edition of Childrenswear Buyer found that only half of these businesses have policies relating to the use of cookies on their websites! Even less so have registered with the Information Commissioner’s Office (“ICO”) as a data controller of personal information.

Why do these issues matter?

The use of cookies is regulated in the UK by certain privacy and electronic communication regulations (the Regulations) designed to protect the privacy of internet users. The ICO is responsible for enforcing compliance with the Regulations and has the power to take action where necessary. This includes:

  1. committing a business to a particular course of action in order to improve its compliance with the Regulations;
  2. compelling a business to take action to bring about compliance with the Regulations; and
  3. although unlikely, fining a business up to £500,000.

But the non-legal consequences of not complying with the Regulations should be of equal concern to businesses.

So what are cookies? Cookies are small files downloaded onto a device such as a computer, tablet or mobile phone when the user accesses certain websites. Cookies collect information about the user’s internet activity including, their user preferences. The Regulations apply to all information collected by cookies, including personal data. However, where cookies collect personal data such as the user’s name, postal address or email address, businesses need to ensure that they comply with the additional requirements of the UK Data Protection Act. In addition, any business collecting personal data through its website should have an online privacy policy setting out the business’ practice in relation to the collection, storage and use of that personal data.

The Regulations require that users are told about the cookies placed on a website and given the choice as to which of their online activities are monitored in this way. A cookie may only be used if users have given their consent having been provided with clear and comprehensive information about the purpose of that cookie. Consent must involve some form of communication where the user knowingly indicates their acceptance – obtaining consent that relies on a user’s ignorance about what they are agreeing is unlikely to comply with the Regulations.

Between April and June 2014, the ICO received 38 concerns reported about cookies. The ICO has stated that it is taking a practical and proportionate approach in enforcing the Regulations where organisations are making the effort to comply. However, its current focus is on ensuring compliance with the Regulations by websites that are doing nothing to raise awareness of cookies, or to obtain the user’s consent to the use of various cookies. The ICO will look unfavourably on a business with a casual approach to data protection and the privacy of its customers, particularly at a time of heightened interest following, for example, the trial of Rebekah Brooks and Andy Coulson.

What do you need to do to comply? As a first step, if you have an online presence you should undertake a “cookie audit” to assess the cookies used on your website, and the purposes of each cookie. Once identified, you will be able.