I wonder what the legal argument is behind this ruling. If one newspaper acquired another, couldn't the parent then market to the subsidiary's subscribers even if they continued to operate separately? The parent now owns everything anyway.
The argument is that WA always told us that they wouldn't share our data. This was a reason people signed up, you can't just "Oops we did it anyway" on so many people. At least not on People who have a government with their best interest in mind.
Is there legal precedent for "sharing" when the only entity you're providing the data to is your owner? Presumably if I bought WhatsApp, I would legally be allowed to query some database for someone's phone number if I so chose because I now own the database.
You might own the database, but you will never own the personal data that is stored in it. And in France (and in the near future the whole EU with GDPR) this personal data has a specific set of allowed uses (explicit or implicit when the user provided the data) attached to it, that you cannot change without asking the owner of the data (the user).
So you own the database, but you cannot use the personal data inside for purposes that were not allowed by the user when they provided it.
Seems like in that case it should be Facebook being reprimanded if they do something with the data that violates the original terms of use. "Sharing" is a bit misleading because as soon as Facebook acquired WhatsApp, they became the legal owners of the user database and data insofar as anyone can "own" user data. WhatsApp is Facebook.
But I think that's the point, WhatsApp doesn't own the data, and that carries over to Facebook. From what I gather, what they own is the database schema and whatever business logic is specific to WA/FB, and they 'lease' the data from users to populate their databases.
You could but you'd have to tell the users in the terms of service. If you tell them that you won't query the database and then go on and decide to do so anyways you'd get sued. With WhatsApp having a quasi monopoly on messaging it's difficult for the to change the terms of service without giving their opponents the argument that the change was forced.
Sure, that makes sense to me. But this seems more like "the company said it wouldn't allow anyone else to query the database" before I bought it. Now that I'm owner, do I still count as "anyone else?" I'd argue not.
Edit: that's from a US perspective. Sounds like France (& the EU) put additional restrictions on how personal data may be used even after it's voluntarily provided.
> on how personal data may be used even after it's voluntarily provided.
That feels wrong. The personal data was provided under a contract. Now, you can pretend you're Vader and change your deal, but people can still attack you for changing the contract to terms they have not agreed on.
And so far in court, long lengthy legalese Terms & Conditions haven't always held up to scrutiny, and nor has any contract that states "we can change these terms at any time". [0]
Just buying the database doesn't let you do anything with it - you just bought the responsibility of fulfilling the contract.
> And so far in court, long lengthy legalese Terms & Conditions haven't always held up to scrutiny, and nor has any contract that states "we can change these terms at any time". [0]
Especially not in the EU, many ToS that are completely legal in the US wouldn't see the light of the day in the EU due to consumer protection rights.
> Sure, that makes sense to me. But this seems more like "the company said it wouldn't allow anyone else to query the database" before I bought it. Now that I'm owner, do I still count as "anyone else?" I'd argue not.
I don't think the change of ownership matters. If I say that I won't allow anyone else to query the database, that statement isn't about restricting others from wandering into my offices and pulling up a Python prompt. What I'm really saying is that I commit to not querying the data with the purpose of sending it to others. Maybe that means I commit to not building something to query it for them; maybe it means I commit to not running a mysqld that accepts connections from them; maybe it means I commit to not doing a database dump and sending it, but in all cases, I'm the one not doing a thing.
So, the fact that you "own" the data doesn't mean you have the right to use it how you want - because if you could in fact use it how you want, you could send it to anyone you want. And if you transfer it, e.g., by selling your company, you don't transfer rights that you never had.
The issue here, I think, is that you assume they have a blanket right to access the data. But EU regulations restrict not just transfers between companies, but set down principles for how personal data should be handled.
And those include among others that data should be collected for specified purposes, and should only be used for the purposes the person consented to, unless you obtain additional consent.
If I consent to sharing my data for use on site A, and site B buys site A, the fact that they are now owned by the same company is not necessarily relevant unless the permissions collected very explicitly allowed the data collected by site A to be used for purposes related to site B too.
That the sites suddenly have the same corporate owner is no guarantee that the consent collected made it expressly clear to users of site A that they could expect that their data might be shared with site B in the future.
Some sites do collect very broad consent and make very clear to their users that data may be transferred elsewhere, but even if they do this, they also do need to ensure the data is still treated in accordance with EU Data Protection regulations.
> how personal data may be used even after it's voluntarily provided
It was voluntarily provided under the requirement that said data will not be shared with third parties for commercial purposes.
Once that restriction does not apply anymore, as the data ends up being shared with third parties for commercial purposes, neither does your right to use that "voluntarily provided data".
Imho private information should be handled like a license; Sure I can allow you to use it, but if you break against the rules we agreed on I reserve the right to revoke your license to use my personal information because at the end of the day it's still MY information.
> Presumably if I bought WhatsApp, I would legally be allowed to query some database for someone's phone number if I so chose because I now own the database.
It's not your data.
It's your users' data.
So no, you may own the database, but you do not own the data.
The same way that my bank does not own the contents of my savings account... Even if it is allowed to use that money (in highly limited and regulated ways) to, say, issue loans.
You don't own your users' data. Your users do. You may be allowed to use it in highly limited and regulated ways.
The legal concept is that despite having the data in your physical possession and control, you're not allowed to do whatever you want with it, and you have to ask the user's permission for many specific use cases.
This means that for a colloquial understanding of "owning data", you don't own it (since you can't do what you want) but they do (since they can limit the uses to what they want).
Photography laws are similar. I cannot just see you on the street, shove a camera in your face and take your portrait and then proceed to do whatever I want with the image. The resulting image is property of both the photographer and the subject. (Exceptions for people in the background of landscape/architecture etc and 'people of public interest' such as politicians.)
You do have to get specific permission to use data for a specific purpose under the GDPR. For instance, there are approved forms to ask customers for permission to add them to a mailing list. In that case, whether or not the company has the data stored somewhere is immaterial if it does not have the correct permission to use it for mailing.
Per European Privacy Law, you only own the data for the specific use-cases that you asked it for in your terms of use / privacy policy. I agreed to that when signing up. If you change that in the future, you have to ask for my consent again. If I deny, then you cannot use my data for your new use-case.
Then its a joke. The EULAs already contain huge outlays of information and are frequently amended with more. In the US they like to contain restrictions on your basic rights that you don't really expect.
The EULAs will just all be amended with terrible terms as take it or leave it for all services just like they are in the US.
Is the revision opt in (express permission required, by default you do not agree)? Or is it opt out (by default you agree, unless you expressly refuse)?
In the U.S. terms of service are usually the latter. You'll get a notification of revised terms, and you can refuse. But as a consequence every company I'm aware of will then terminate service. Examples include insurance, banks, and (perhaps infamously) iTunes which had more revisions than the average number of needles on a pine tree.
Yes you can send them a note saying you do not agree to their new terms, and they'll send you a note your account is closed.
(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.
(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.
Did WhatsApp charge anything? I thought for contracts you needed some kind of actual dollar amount (even $1) for it to be binding? Is that very US-law specific or am I way off here?
For a contract to be binding, you need consideration[1] from both parties. A contract where you give me something for nothing is not binding, we both need to be giving each other _something_. That something need not be money: A contract saying that you agree to give me your house if I give you my car would qualify. Google and Facebook extract enough value from targeting ads based on the personal information we agree to give them access to that access to said information is enough to qualify as consideration. I'd argue that, even if WhatsApp doesn't have a monetisation strategy that leverages said information, it's credible enough that it would qualify as consideration.
I worked as a developer in the promotion and giveaway industry.
Consideration was always in interesting discussion by our company's general counsel when going through training.
On thing that stuck out to me was the company would always review entry criteria if it may any requirement beyond what would be commonly available to the lowest ranking member of society. This was typically considered to be a computer with internet access as it was likely to be available at a public library.
While mail has become a more accepted means of non-consideration entry, I believe there was a time where it was considered consideration. Counsel argued that mail-in entries required the submitter to own or purchase a stamp, a postcard, a writing device, and potentially an envelope for the postcard.
An "app only" contest was given extra scrutiny because it required the user to own some sort of smartphone or mobile digital device.
----
While, that was contests and promotions (in which case, they needed to avoid running an illegal lottery), I imagine a similar argument could be made for WhatsApp. WhatsApp is only available if you own a smartphone capable of downloading the app.
Same in Germany: you can contract to gift something.
Of course, German contract law is very strange and alien to every other legal tradition (except Japan, I think, and that‘s only because they modeled their civil law on ours).
It changes a lot depending on your jurisdiction, but is generally:
> A valid contract needs the following elements: People entering the contract must intend the contract to be binding. An offer is made by one person and is freely accepted by another. Some price (money, right or benefit) is paid in return for a promise. [0]
So the fact WhatsApp is providing a service, means some price has been "exchanged" (for lack of a more precise term). The price does not need to be financial, any benefit can be viewed that way.
So yes, it does appear that a legal contract was formed. Even in the US. [1]
(A financial benefit is not required, but it makes it more clear that the contract was valid. Hence the habit of ridiculous $1 contracts.)
Originally WhatsApp ran completely on a subscription model, users would pay a small fee to use the service and users were okay with that because it would mean nobody would try to commercialize their information.
Then Facebook gobbled them up, they removed the small subscription fee (not even giving an option to keep on paying it) and went: "All your data are blong to us".
The consideration thing is considered an exotic common law curiosity in continental law countries :-) Generally, an offer and an acceptance creates a binding contract inmost of Europe.
Yes, it was global, it was how they financed their operation until Facebook bought them [0].
I wish they would still offer this as an option, tho I'd probably be skeptical of Facebook actually holding up their end of the deal and not tracking people who pay for WhatsApp.
But the consideration does not have to in the form of money, it just has to be "worth" something. The considerations in question here are personal information on the users' side and the Whatsapp app+service on the company's side.
Corporations are entities created by the state. They are not people, or citizens. They are made up of people who can lie on their behalf and as such corporations get the culpability whenever officers of that company lie.
It's fraud in any case, it's just a matter of whether a human or a non-human entity is culpable. By shifting the liability to the corporation, it shifts the cost of wrong doing (ostensibly) from the person who commits it on behalf of the company to the company's shareholders.
Goldman Sachs used to be a partnership, not a corporation wih publicly traded shares. They most definitely took fewer risks when the partners were personally liable for wrong doing than once they became a corporation.
https://hbr.org/2013/10/culture-not-leverage-made-wall-stree...
> If one newspaper acquired another, couldn't the parent then market to the subsidiary's subscribers even if they continued to operate separately? The parent now owns everything anyway.
Not in France, personal data is collected with a specified purpose (and bullshit/overly broad "purpose" can get you sued), using said data for other purposes is illegal.
You (as a company) never own personal data per-se, you are lent that data by the subject, if you will.
I wonder if this means EU users get less creepy specific advertising. I run uBlockOrigin so I don't see many ads, but I've heard cases of Facebook/Adobe/Google algorithms being so good that people see ads for things they've never looked up online, yet talked about out loud (leading many to believe Facebook/Instagram are capturing microphone data).
As a side not, this gets into the whole "Right to be Forgotten" which the EFF is mostly against, since in the EU it can be used by many as a form of censorship.
I do believe they are capturing microphone data because I can't think of any other explanation for the japanese ads (not about japanese stuff but actually written in japanese) I saw when rewatching my old anime DVDs.
I was watching anime in a old TV without any internet connection and at the same time browsing reddit on my laptop. Things like this make me feel no guilt for using ad-blocks.
I think it might be one of those situations where the microphone data is being captured using some other app and then shared into a data network as tar-getting data, providing a convenient and plausible deniability to Google and Facebook for shady practices.
I've already seen this happen with commercial spammers in Germany.
For a while I got a ton of really annoying spam, advertising for big name brands, but organized by some spam racket with no way to opt out and registered in some foreign country.
Some Googling led me to the trial of some German woman who was quite notorious among the anti-scammer community for running several spam rackets. People would spend a lot of time figuring out her connections between different font companies, data brokers, and whatnot.
Until one day Googling her name wouldn't give any results at all; Couldn't look up any addresses anymore, couldn't look up company registers with her name anymore, it all just came up blank with a notification on the bottom of the search results, informing me that Google removed some results due to the EU right to be forgotten.
It's very likely this woman is still running a very profitable spamming business with a side-business of selling data caches. Sure, one could argue that it's actually government agencies job to handle something like that, but these agencies also depend on search results, especially with something as obscure as the spam industry.
Not if this data is data about persons according to french law. You need consent from those persons to use the data for any purpose beyond the original purpose you mentioned when you collected the data.
There is a european directive which addresses the same problems, though i do believe the french law is more explicit, and the french government has been enforcing it.
Facebook made a commitment they wouldn't connect the data in order to get permission from competition authorities for the merger. I don't know how legally binding that is.
> Facebook made a commitment they wouldn't connect the data in order to get permission from competition authorities for the merger. I don't know how legally binding that is.
Not quite. They said it's "technically impossible" and the EU fined them for $122M after Facebook did "the impossible" and started sharing WhatsApp data with Facebook.
When The Coca Cola Company (the folks who own the secret sauce) bought Coca Cola North America (N. America's largest bottler) there was an entire floor that TCCC empoyees weren't allowed into. CCNA had bottling agreements with TCCC's competitors.
The acquisition was approved in Europe on the basis that WhatsApp would not share the data with Facebook. In this case, the European governments certainly have a legal basis to carry with penalties.
When doing business in the EU, Whatsapp and whatnot will have to abide by EU legislation, including EU data protection rules, EU consumer legislation and national rules on entering into and interpreting terms and conditions and other contracts.
Data may be used only for the purpose it was collected and transfer to other legal entities require consent. In May 2018, the data orotection regulation ebters into force and the mandatory rules will be even tougher.
Maybe one day one or more of those companies will even have to pay a bit of tax in the EU.
