Editor's Picks

WhatsApp’s legal challenges illustrate the stark difference in U.S. and EU internet privacy laws

What’s up with WhatsApp’s privacy Policies?

WhatsApp, a mobile messaging app that sends text messages without requiring the user to pay for SMS, recently announced that they would begin sharing some member information with Facebook, its parent company.  Specifically, WhatsApp will begin sharing the phone numbers and analytics data, such as the last time someone with the app logged on to the service, with Facebook and Facebook’s family of companies.  Facebook will also be able to access users’ contacts, profile pictures, and status messages.  Third-party businesses will now be able to contact users directly through the WhatsApp platform; but the app still has no plans to allow third-party banner adds.  A similar policy is currently being tested on Facebook Messenger.  Location information will continue to be collected per WhatsApp’s privacy policy.

The company has stressed that it will not be able to read users encrypted messages, that the user’s phone number will not be given to advertisers, and that users must supply a phone number to access WhatsApp.  Even though providing the number is mandatory for WhatsApp, the user can opt out of sharing his or her phone number with Facebook.  Messages on WhatsApp contain end-to-end encryption — meaning that no one at WhatsApp or Facebook can read the messages.

Because WhatsApp is now sharing user information with Facebook,  privacy policy have resulted in a significant legal response, including: orders from Germany’s privacy regulator, an order to delete data by India’s Delhi High Court, and complaints from U.S. privacy groups to the Federal Trade Commission (FTC).  Currently, the FTC is enforcing a consent order with Facebook from 2012 regarding the social media site’s privacy policies.  The consent order between Facebook and the FTC applies to WhatsApp and any other activity through a “corporation, subsidiary, division, website, or other device.”

The commissioner for data protection and freedom of information for the city of Hamburg, Germany, issued an administrative order that Facebook cease collecting and storing data the company had gathered from WhatsApp users located in Germany.  Information from approximately 35 million German users had already been transferred from WhatsApp to Facebook, and all of that information has been ordered to be deleted by the German regulator.  German regulators do have authority over Facebook’s activities because Facebook’s German subsidiary is based in Hamburg.  Facebook has commented that they are willing to address the data protection commissioner’s concerns about its data-gathering policy.  Facebook stated that it intends to appeal the administrative order.

A bench of the Chief Justice of the Delhi High Court also ordered WhatsApp to remove stored data collected from users that opt out of the company’s new privacy policies before September 25.  Additionally, the court instructed WhatsApp to not share data collected before September 25 with Facebook.  The pre-September 25th order applies even for users who have not chosen to opt out of the data-sharing policy with Facebook.  WhatsApp’s legal dispute in India began when two Indian students approached the court in August.  WhatsApp could appeal the ruling to India’s Supreme Court, an option worth considering, since India is one of the company’s largest markets with over 100 million active users.

As the enforcer of the Federal Trade Commission Act, the FTC has some ability to limit the behavior of Internet companies.

The legal disputes facing WhatsApp and Facebook arise at a time when privacy law in the United States is still developing.  Currently, the law in the European Union has a reputation for being more consumer-oriented, with greater monitoring and privacy protections for app users outside of the U.S.  In the U.S., Internet companies, such as Facebook and Google, are overseen by the FTC.  As the enforcer of the Federal Trade Commission Act, the FTC has some ability to limit the behavior of Internet companies and bring investigations like the 2012 privacy action brought against Facebook.

Specifically, the FTC has the authority to oversee advertising and marketing on the Internet through its statutory authority to prevent unfair methods of competition, false advertisements, or unfair or deceptive acts or practices.  However, the Federal Communications Commission (FCC) oversees internet service providers (ISPs).  Earlier in 2016 the FCC’s Chairman, Tom Wheeler, released a proposal that would require broadband providers to disclose what data they collect from users.  The FCC released a notice of proposed rule-making on the issue earlier in 2016, and Chairman Wheeler even wrote an op-ed in the Huffington Post, arguing that the information from an individual’s Internet usage collected from his or her broadband provider should have the same protections as information from the phone company about an individual user’s phone use.

Without the ability to provide targeted ads to wireless subscribers, companies like AT&T will find it much more difficult to monetize advertisements.

The position of the Chairman has drawn criticism from companies such as AT&T.  The FCC’s proposed rules would require ISPs to ask consumers whether they would like to allow any sharing of their data with third-parties, it would require the ISP to disclose its policy on data-sharing and data-protection, and it would increase disclosure requirements in the case of data breaches.  AT&T’s main criticism is that the FCC’s proposed rules for ISPs are stricter than the regulations imposed on Internet companies, which are regulated by the FTC.  As a wireless carrier, AT&T has attempted to grow its advertising business in a similar vein as Google and Facebook, but as an ISP for mobile and fixed-line Internet services the company is subject to different regulatory oversight.  Because the FTC only has authority to monitor data collection practices and not create new rules for online privacy, companies like Google and Facebook are not subject to the same privacy restrictions as ISPs.

On its own, AT&T has decided that it will no longer provide Internet Preferences for its GigaPower fiber internet service, which was a targeted ad program that offered lower rates in exchange for customer’s data.  Previously, customers could choose to prevent AT&T from accessing their data by paying an extra $40.  Perhaps as a result of the FCC’s proposed rules, AT&T has agreed to simply offer the lower rate to customers and shut off all data collection and targeted ads.

Moody’s, the bond credit rating business of Moody’s Corporation, stated that — absent the FCC regulations — wireless carriers have the potential to earn significant revenues from advertising.  However, without the ability to provide targeted ads to wireless subscribers, companies like AT&T will find it much more difficult to monetize advertisements.

Without pushback from the FCC earlier this year, it is unlikely that AT&T would have altered its profitable advertising policies. 

The contrast between the approach to privacy law in the U.S. other nations, specifically Germany and India, illustrates the dichotomy between protecting the privacy rights of consumers and facilitating the growth of capitalist industry.  WhatsApp has not faced the same degree of criticism in the U.S. as they have in the EU; as an example AT&T, one of the U.S.’s largest internet service providers, carried out monitoring of consumers’ data in exchange for lower GigaPower fiber internet from 2013 to mid-2016.  Without pushback from the FCC earlier this year, it is unlikely that AT&T would have altered its profitable advertising policies.

The new proposal from the FCC is unsurprising after its statement in 2015 that broadband internet service providers should be treated like a public utility.  This statement was hailed as a milestone for supporters of net neutrality.  Some commissioners within the FCC view the agency’s regulations as unnecessary “meddling in a vibrant, competitive market,” and that the changes would be “likely to deter investment.”  Most of the views on regulation of ISPs, at least at the federal level, have fallen along party divisions.  The classification of ISPs as a public utility was determined on a 3-2 vote.  The U.S. may be leaning toward a consumer based privacy law in this regard, but by no means is it up to the level of its European friends.  This privacy battle should continue on for the next few decades.

Meredith Ballard, Senior Staff Writer Emeritus
About Meredith Ballard, Senior Staff Writer Emeritus (15 Articles)
Meredith Ballard is a 2017 graduate of Campbell Law School and served as a Senior Staff Writer for the Campbell Law Observer. She is originally from New Bern, North Carolina and graduated from Appalachian State University in 2014 with a Bachelor of Science in Psychology. She is also a graduate of the Mira Foundation’s guide dog program in Quebec, Canada. After her first year of law school, Meredith interned at Disability Rights North Carolina, a protection and advocacy organization tasked with providing legal representation to individuals with disabilities. During her second year of law school, Meredith’s moot court team became regional finalists in the American Bar Association’s National Appellate Advocacy Competition. During the summer of 2016 Meredith will be interning at the North Carolina Medical Board. Meredith is a member of the Campbell Public Interest Law Student Association and her interests are in health law, disability law, and employment discrimination law.