Tag Archives: Facebook

Agencia Española de Protección de Datos (AEPD)

The AEPD starts an investigation to evaluate Yahoo's largest data breach

On 15 December 2016, Yahoo admitted that a large cyber attack had affected more than a billion personal accounts worldwide, which include personal information such as names, email addresses, phone numbers, photos and other personal files stored online, and even passwords and other encrypted or unencrypted security codes. This disclosure follows September’s incident, in which the company admitted a theft, ascribed to an unnamed foreign government, that affected more than 500 million users and dated back to 2014.

The Yahoo breach and its causes are now under investigation. Meanwhile, the company is notifying users who may have been affected by the breach and making them change their passwords.

The Director of the Spanish Data Protection Agency (AEPD) has expressed her intention to open an investigation to clarify the massive theft of data. In this regard, the AEPD is considering whether to impose sanctions if it determines that Yahoo has not informed users of a security breach.

Agencia Española de Protección de Datos (AEPD)

Facebook Stops WhatsApp Data Sharing Across Europe

On 16 November 2016, WhatsApp announced it had temporarily blocked user data from being shared with its parent company Facebook across Europe. This means that Facebook would only make use of WhatsApp data to prevent spam.

As a consequence, the Spanish Data Protection Agency (AEPD) initiated an investigation in early October to examine the communications between WhatsApp and Facebook and their processing of personal data. More specifically, it will study what information collected from WhatsApp users is sent to Facebook, for what purpose, how long it is kept and what options users are offered if they wish to object.

Background of the case

In 2014, Facebook bought WhatsApp, and WhatsApp pledged not to share user data with its new parent. Last August, the company made changes to its terms and conditions which allowed user data to be shared with its parent company as well as with the Facebook group of companies, including Messenger and Instagram, for purposes including advertising and product development. The messaging app argued that it would allow for a better advertising experience and would help fight spam.

According to the WhatsApp blog: “By coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp”. “Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them. For example, you might see an ad from a company you already work with, rather than one from someone you’ve never heard of”.

Article 29 Working Party (WP29)

Letter to WhatsApp of 27 October 2016 relating to WhatsApp’s Terms of Service and Privacy Policy

The Article 29 Working Party has asked WhatsApp to send it information on the data that will be shared, the sources of the data (“e.g. data from the users’ phones or data already stored on company servers”) and those who will receive the data. The Article 29 WP has severe concerns regarding the manner in which the information related to the Terms of Service and Privacy Policy (updated in August 2016) was provided to users, and about the validity of the users’ consent.

WhatsApp had already been warned by a German DPA and the CNIL.

Office of the Information Commissioner

Update on litigation involving Facebook and Maximilian Schrems: Explanatory memo

Press release welcoming the increased budget for 2017 for the OIC, which is a 59% increase in the budget. In the press release, this increased budget is directly linked by the Commissioner to both the GDPR and the expanding role of the Irish DPA under that regime, where it becomes responsible for “protecting the fundamental privacy rights of EU citizens, a core part of which is the regulation of a large number of leading internet multi-nationals that have located European operations in Ireland.”

Office of the Information Commissioner

Update on litigation involving Facebook and Maximilian Schrems: Explanatory memo

On 31 May 2016, the Data Protection Commissioner (DPC) commenced proceedings in the Irish High Court. The purpose of the proceedings is to seek a reference to the Court of Justice of the European Union (CJEU) in relation to the “standard contractual clauses” mechanism under which, at present, personal data can be transferred from the EU to the US.

While the DPC does not seek any specific relief against Mr Schrems or Facebook Ireland Limited (FB), both of those parties were joined to the proceedings because the outcome of the case will impact on the DPC’s consideration of Mr Schrems’ complaint against Facebook (see further below). By joining Mr Schrems and FB to the proceedings, the DPC also ensured that those parties would have an opportunity (but not an obligation) to participate in the proceedings.

The purpose of this note is to explain the background to the case, the reasons why the DPC has taken the case and the current position in the High Court as of September 2016.

Agencia Española de Protección de Datos (AEPD)

Changes in WhatsApp's Privacy Policy

In 2014, Facebook bought WhatsApp, and WhatsApp pledged not to share user data with its new parent. However, last August, the company announced a big change to its privacy policy: the new terms and conditions allow it to share some user data (such as the phone number and the last time the client used the application) with the Facebook family of companies for an undetermined range of services.

According to the WhatsApp blog: “By coordinating more with Facebook, we’ll be able to do things like track basic metrics about how often people use our services and better fight spam on WhatsApp”. “Facebook can offer better friend suggestions and show you more relevant ads if you have an account with them. For example, you might see an ad from a company you already work with, rather than one from someone you’ve never heard of”.

Facebook has maintained that its end-to-end encryption system will remain in place for the purpose of respecting the user's privacy and giving an improved experience without third-party banner ads and spam.


Commission de la protection de la vie privée

(Own-initiative) Recommendation no. 04/2015 of 13 May 2015 relating to 1) Facebook, 2) Internet and/or Facebook users as well as 3) users and providers of Facebook services, particularly plug-ins

The Commission for the Protection of Privacy (the Privacy Commission) released Recommendation no 04/2015 on its own initiative on the 13th of May 2016. The recommendation addresses the processing of personal data of Facebook users and non-users (as conducted by Facebook) and, within this context, focuses on issues of competent jurisdiction and applicable law. Furthermore, it deals with those who offer Facebook services or products on web pages, including plug-ins.

Commission Nationale de l’Informatique et des Libertés (CNIL)

CNIL states that Facebook is breaching data protection rules

On 8 February 2016, the Commission Nationale de l’Informatique et des Libertés (CNIL) issued a formal notice to Facebook after an investigation found that several of its practices violated users' privacy under the French Data Protection Act.

In this regard, the CNIL identified that Facebook has been collecting information on Internet users who did not have accounts on its platform but who visited public Facebook pages, and that their cookies were used to track their browsing activities. The social network therefore failed to obtain users' consent and did not appropriately inform users of the techniques by which it used their cookies, violating their fundamental rights and interests, including their right to respect for private life. Apart from that, Facebook has been collecting sensitive data of users, such as sexual orientation, political views and affiliations, and religion, without the explicit consent of account holders.

Finally, the CNIL also ordered Facebook to stop transferring user data to the US under the Safe Harbor Agreement, following the ruling that invalidated data transfer between the EU and the US, and for which a replacement Act called the EU-US Privacy Shield has been negotiated.