In August 2016, two years after WhatsApp was acquired by Facebook, the former changed its terms and conditions to force users to agree to data transfers to Facebook. That, however, appears to be in violation of the French Data Protection Act.

The¬†Commission nationale de l’informatique et des libert√©s, or the CNIL, is France’s privacy watchdog, and it takes data sharing violations very seriously.

In WhatsApp’s case, the regulatory body found that the user data transfers of some 11 million French users were never used for some of the purposes originally intended, one of which is targeted advertising.

Two other reasons were given by WhatsApp for sharing user data with Facebook: business intelligence and security. While the CNIL found that there was cause to share data for security purposes, no such legal basis exists for business intelligence per the Data Protection Act.

What worsened the situation was that WhatsApp declined to provide data transfer samples after repeated requests from the CNIL. The reason given was that since WhatsApp was located in the United States, it did not consider France as having jurisdiction in the matter.

As such, the Chair of the CNIL has ordered WhatsApp to bring itself into compliance with the Data Protection Act within one month, and no further action will be taken if the company meets the deadline.

Failure to keep the deadline will lead to an official internal investigation that could result in the CNIL’s committee responsible for Data Protection Act violations bringing to bear sanctions against the company.

+++ + +++