Remember the backlash over the privacy policy update pushed out by Facebook's messaging service? A consumer protection complaint over the messaging platform's aggressive push to make users accept impenetrable terms changes continues to rumble on in the European Union, now shifting up a gear into a formal investigation.
The European Commission wrote to the messaging service to clarify the changes and explain how they comply with the bloc's consumer protection law.
It said that consumers should be better informed about the use of their data.
A number of EU-based consumer protection organizations filed a complaint against the updated T&Cs. It pointed out that the Facebook/Meta-owned messaging giant has been pushing the opaque terms on users, viapersistent, recurrent and intrusive notifications, and giving people little time to consider what the changes might mean.
The user backlash over theWhatsApp privacy policy update got so fierce that rival messaging apps saw a huge spike in sign-ups a year ago.
The EU consumer groups lodged a complaint with the European Commission and the regional network of national consumer authorities about the company's actions.
The European network of national consumer authorities, led by the Swedish Consumer Agency, appear to have arrived at the same conclusions as the Commission.
Specific concerns are whether enough information is given to consumers on the consequences of their decision to accept or decline the company's new terms of service.
The EU's executive and consumer authorities are concerned about the exchange of users' personal data between third parties and Facebook, following a controversial 2016 Facebook reversal. The tech giant was fined $122 million under EU M&A rules after it told regulators it couldn't automatically match user accounts between its own platform and WhatsApp.
The EU commissioner for justice said thatWhatsApp must ensure that users understand what they agree to and how their personal data is used, in particular where it is shared with business partners. EU rules protect consumers and their privacy, and I expect that the company will fully comply with them. The official dialogue was launched today. They have until the end of February to make concrete commitments on how they will address our concerns.
The European consumer organization, BEUC, welcomed the Commission-CPC investigation.
The deputy director general of BEUC said thatWhatsApp bombarded users for months with pop-up messages. Consumers didn't know what they were being pushed to accept. It was deliberately vague about this, laying the ground for far-reaching data processing without valid consent from consumers. We welcome the decision to investigate. We expect the company to clarify and amend its policies in full respect of consumers, including those who agreed to the new terms due to the company's unfair practices.
A spokesman for the messaging service sent us this line: They were contacted for a response to the development.
“We look forward to explaining to the European Commission how we protect our users’ privacy in compliance with our obligations under EU law.”
The update it made to its European Region privacy policy came in November 2021.
It is not clear if the attempt to force through the update in Europe has been abandoned. There is precious little clarity on offer from WhatsApp.
The messaging app seems to have stopped sending out pop-ups that push users to accept the updated policy.
In the EU users don't accept the privacy policy, which is a transparency notice, according to the spokesman.
The person told us that they were no longer showing in-app notifications related to the Privacy Policy and Terms of Service update to avoid confusion with the November privacy policy.
For a small number of users still to accept the terms of service, there will be other opportunities to accept, for example when they re-register or where they want to use a feature related to the Terms of Service update.
It stopped pushing users to accept its terms until it could come up with a new way to make them do so.
The spokesman said that EU users didn't need to accept the January 2021 terms at all.
The updated T&Cs have some legal nuances vis-a-vis EU law. Most users probably agreed to whatever it wanted anyway, even if the upshot of how it operated is that.
It seems to have done a poor job of ensuring users are informed about how the app works.
When we asked if there had been any changes to the practices around the policy update, BEUC was unsure.
The spokesman told us that they were raising the alarm based on what they had seen. We trust the Commission and consumer protection authorities to shed light on the practices.
Privacy complaints about Facebook's data terms have been stacking up for years despite a major update to the bloc's framework in 2018, as the General Data Protection.
Major limits on tracking-based business models were expected to be put in the GDPR. Data protection regulators have been unwilling to enforce clear legal standards against the adtech industry.
Ahead of an annual day celebration of regional privacy rights tomorrow, the European Commission has issued another high level call for data protection enforcement.
“With the General Data Protection Regulation now well established in our Union, full implementation and enforcement of data protection rules remain a priority for the Commission. Robust enforcement by data protection authorities, cooperating in a truly European way in the European Data Protection Board (EDPB), is key for the success of the GDPR. The year 2021 has seen a ramping up of enforcement actions, with several high-profile cases resulting in significant fines. It is important that this approach is pursued and amplified in the coming months and years.”
Last month the Commission warned that the need for enforcement of the EU's General Data Protection Regulation must become a priority.
The problem with enforcement against the most powerful tech platforms is that there is a one-stop-shop mechanism in the Regulation, intended to simplify compliance for companies offering cross border services.
This has meant that complaints against tech giants are often either ignored or dropped and that the companies have plenty of time to reconfigure ops and route around any risk/damage to data streams.
Ireland's Data Protection Commission (DPC), for example, still hasn't made a decision on a complaint against two services.
If consent is the legal basis for the processing, users should be given a free choice.
There is another twist to this story. In October, after European privacy advocacy not-for-profit noyb published a draft DPC decision in relation to a GDPR complaint over the legality of Facebook's T&Cs, the Irish regulator can be seen writing.
The actual service Facebook provides is not connecting you to your friends, it is connecting your eyeballs to ads.
Meta's lead EU data supervisor seems okay with that. The DPC has been accused of trying to gag it from publishing by filing a criminal corruption complaint.
The long delay in EU data protection enforcement against adtech has given rights-trampling giants like Meta ample room to cynically reconfigure their compliance claims without having to.
The EU consumer protection law might prove to be a more effective enforcement tool against adtech giants.
We are still waiting for the hammers to fall on the issue of adtech T&Cs vs EU privacy rights.
Ireland’s draft GDPR decision against Facebook branded a joke
Controversial WhatsApp policy change hit with consumer law complaint in Europe