WhatsApp says the claims of the German regulator are wrong and does not affect the proposed rollout of its new privacy policy.
Germany’s lead data protection regulator for Facebook is banning the social network from processing personal data from WhatsApp users because it views the messaging app’s new terms of use as illegal, it said on Tuesday.
The decision follows emergency proceedings opened by the regulator in the city-state of Hamburg last month after WhatsApp required users to consent to new terms or stop using the service.
“This order seeks to secure the rights and freedoms of the many millions of users who give their consent to the terms of use throughout Germany,” Hamburg’s data protection officer Johannes Caspar said.
“My objective is to prevent disadvantages and damages associated with such a black-box procedure.”
Caspar, who leads domestic oversight of Facebook under Germany’s federal system as its country office is in Hamburg, announced his decision before a May 15 deadline for consenting to WhatsApp’s new terms.
WhatsApp, which is owned by Facebook, said the action by the Hamburg data protection authority rested on a fundamental misunderstanding of the purpose and effect of its update and therefore had no legitimate basis.
“As the Hamburg DPA’s claims are wrong, the order will not impact the continued roll-out of the update. We remain fully committed to delivering secure and private communications for everyone,” a WhatsApp spokesperson said.
The regulatory action has opened a new front in Germany over Facebook’s privacy policies, with its national antitrust regulator waging a legal battle over data practices it says amount to an abuse of market dominance.
Since 2018, online privacy has been subject to a European Union rulebook, called the General Data Protection Regulation (GDPR). Under the GDPR, Ireland leads oversight of Facebook because the company’s European headquarters is there.
Caspar said he was using his power to impose a three-month freeze on Facebook’s collection of WhatsApp user data under extraordinary powers foreseen in the GDPR.
He said he would also seek an EU-wide ruling at the European Data Protection Board, a forum that groups regulators from the bloc’s 27 member states.