Watch Out: Your Privacy Policy may have International Implications
By Gary Gonzalez
“We believe the customer should be in control of their own information. You might like these so-called free services, but we don’t think they’re worth having your email, your search history and now even your family photos data mined and sold off for god knows what advertising purpose. And we think someday, customers will see this for what it is.” –Tim Cook, CEO, Apple
Before acquiring a company with a predominately international customer base, it is important to look at your company’s current privacy policy and any proposed changes that will take place in the future. Failure to do so may result in injunctions from foreign nations and international litigation.
In February of 2014 Facebook acquired WhatsApp for a staggering $19BN.[1] For those unfamiliar, WhatsApp is a mobile application actively used by an estimated 450 million people, primarily in Europe, India and Latin America.[2] WhatsApp actively advertised its security and privacy through message encryption and a policy to not store messages on servers.[3] Lastly, WhatsApp is entirely advertisement free because users pay an annual fee of $0.99.[4] Throughout the buyout, the founders of WhatsApp told users this model would remain unchanged.[5]
Fast forward to 2016, Facebook updated its privacy policy to begin sharing data from WhatsApp users to Facebook, thus allowing targeted advertisements, including direct messages from advertisers.[6] The change in the privacy policy resulted in joint complaint by two consumer privacy groups to the Federal Trade Commission.[7] Under a 2011 agreement with the Federal Trade Commission, Facebook must seek customers’ permission before changing privacy practices.[8] However, and more relevant here, Facebook’s proposed changes has resulted in legal issues on an international level.[9]
At the end of September, the Hamburg commissioner for data protection and freedom of information, Johannes Caspar, issued an order banning Facebook from sharing information with WhatsApp across Germany.[10] The ban in Germany has prompted action by other countries.[11] Spain announced plans to investigate the data transfers to determine if they meet Spanish data protection legislation.[12] And, Spain isn’t going at it alone, they plan on working with Germany, Italy, and Britain, all of which announced comparable probes.[13]
Outside the European Union, India has also taken action to protect its citizens’ data.[14] The Delhi High Court, taking a different approach from Germany, ordered two alterations to the changes in the privacy policy. The Court did not issue a blanket ban.[15] The Court ordered WhatsApp to delete all the user data for users who opted out of the new information sharing agreement before September 25, 2016.[16] And, the Court ordered WhatsApp to refrain from sharing user data obtained before September 25, even if the user chose not to opt out of sharing agreement.
So what should companies do to avoid these investigations and court orders? Research the data privacy laws of the countries in which your users or potential users live. Then, draft a policy acceptable in all jurisdictions.
As Facebook now realizes, United States laws regarding data privacy are insufficient when customers are citizens of foreign nations. The United States, unlike the European Union, does not have a general data privacy law.[17] Rather, the United States takes a sectoral approach and only regulates certain types of data such as: financial information under Gramm-Leach-Bliley Act, health related information under the Health Insurance Portability and Accountability Act (HIPAA), consumer reporting agencies under the Fair Credit Reporting Act, and collection of telephone numbers under the Telephone Consumer Protection Act.[18]
The European Union, Iceland, Norway, and Liechtenstein follow the EU Data Directive.[19] The EU Data Directive prohibits the transfer of “personal data” to anyone, including affiliates, vendors, and customers outside the European Economic Area, unless an adequate level of data protection is provided by the destination nation.[20] “Personal data” under the EU Data Directive is very broadly defined to “include any information relating to an identifiable individual.”[21] This requirement and definition will continue to exist when the EU Data Directive is replaced by the General Data Protection Regulation on May 25, 2018.[22]
The piecemeal approach to data privacy in the United States does not meet the adequacy requirements of the EU Data Directive.[23] This is evidenced by the EU refusing to give a blanket approval of data transfers to the United States.[24] Because the United States has not been approved by the EU, Facebook should have known this change in WhatsApp’s privacy policy would affect a large amount of EU citizens and would come under scrutiny by EU courts.
In conclusion, companies should strive to meet the data privacy requirements of the countries in which its users are residents. Companies should not rely solely on the laws of their home nation, especially the United States, which arguably has some of the least protective data privacy laws amongst developed nations. Companies may argue stricter privacy policies limit the ability to sell data or offer additional products or services, but this is not so. Companies only need to draft policies in which users opt in, instead of opting out. By seeking affirmative consent to data sharing, corporations can avoid having the issues Facebook and WhatsApp are currently facing, and avoid the cost of international investigations and litigation.
* * * * *
[1] Parmy Olson, Facebook Closes $19 Billion WhatsApp Deal, Forbes (Oct. 6, 2014, 1:25 PM), http://www.forbes.com/sites/parmyolson/2014/10/06/facebook-closes-19-billion-whatsapp-deal/#756fd13e179e.
[2] Chandra Steele, What Is WhatsApp? An Explainer, PC Mag (Feb. 20, 2014, 1:51PM EST), http://www.pcmag.com/article2/0,2817,2453710,00.asp.
[3] Id.
[4] Id.
[5] Id.
[6] David McLaughlin & Stephanie Bodoni, Facebook’s WhatsApp Privacy Changes Raise EU, U.S. Concerns, Bloomberg (Aug. 29, 2016, 6:11 PM EST), https://www.bloomberg.com/news/articles/2016-08-29/whatsapp-privacy-changes-raise-eu-concern-over-user-data-control.
[7] Id.
[8] Id.
[9] Id.
[10] Adrew Griffin, Whatsapp Banned from Sharing Data with Facebook in Germany, Independent (Sept. 26, 2016), http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-facebook-data-sharing-update-ads-germany-hamburg-banned-a7332606.html.
[11] The Associated Press, Spanish Agency to Probe Facebook and WhatsApp Data Swap Deal, CTV News (Oct. 6, 2016, 5:16 AM), http://www.ctvnews.ca/sci-tech/spanish-agency-to-probe-facebook-and-whatsapp-data-swap-deal-1.3103988.
[12] Id.
[13] Id.
[14] Manish Singh, Indian Court Orders WhatsApp to not Share User Data with Facebook Collected before Sept. 25, Mashable (Sep. 23, 2016), http://mashable.com/2016/09/23/india-delhi-high-court-whatsapp-facebook/#hU4AScI_fgqf.
[15] Id.
[16] Id.
[17] Ieuan Jolly, Data Protection in the United States: Overview, Practical Law, http://us.practicallaw.com/6-502-0467 (last visited Oct. 16, 2016).
[18] Id.
[19] Lothar Determan et al., The EU-U.S. Privacy Shield Versus Other EU Data Transfer Compliance Options, Bloomberg BNA (Sept. 12, 2016), http://www.bna.com/euus-privacy-shield-n57982076824/.
[20] Id.
[21] Id.
[22] Id.
[23] Id.
[24] Id.