Skip to content
A German privacy watchdog banned Facebook on Tuesday from gathering data on users of its WhatsApp chat app, citing an update to its privacy policy that it said breaches stringent European data protection rules. Hamburg’s data protection commissioner, Johannes Caspar, said he issued an emergency three-month order prohibiting the social network from processing WhatsApp personal data for its own purposes.
“The order is intended to safeguard the rights and freedoms of the many millions of users who approve of the terms of use throughout Germany,” Caspar said in a statement. “The aim is to prevent disadvantages and damage associated with such a black-box procedure.”
Caspar’s office said the updated terms and privacy policy allowing Facebook access to a lot more information on WhatsApp users were too broad and not transparent.
The watchdog opened urgent proceedings last month because of concerns that WhatsApp users were being required to agree to the update by 15 May or else they wouldn’t be able to continue using the service.
WhatsApp denied the update is connected with any expansion of data sharing with Facebook, pointing out it is related only to messages between businesses and customers.
The order “is based on a fundamental misunderstanding of the purpose and effect of WhatsApp’s update and therefore has no legitimate basis,” WhatsApp said in a statement, adding that because the Hamburg regulator’s claims are wrong, it wouldn’t affect the update’s rollout.
WhatsApp initially tried to introduce the update at the start of the year but backed off after a wave of confusion and misinformation among users, many of whom flocked to rival chat apps such as Signal and Telegram.
Caspar warned that with 60 million users in Germany, there’s a danger WhatsApp could be used to influence voters in September federal elections through Facebook ads. He said he would refer the case to the European Data Protection Board to get a European Union-wide decision.
Facebook’s German headquarters is based in Hamburg, giving Caspar jurisdiction at the national level to enforce the EU’s strict General Data Protection Regulation for the company.
