This raises a data governance problem. How do you separate (and keep separate) two bodies of information that are collected during at two different times under two different rules?
In this case — people noticed. The Electronic Privacy Information Center and The Center for Digital Democracy filed a complaint with the Federal Trade Commission (FTC) in which they assert:
- Facebook routinely incorporates data from companies it has acquired.
- WhatsApp’s privacy policies and official blog posts reflect a strong commitment to user privacy.
- WhatsApp’s messaging service regularly collects and stores virtually all available user data.
- The Commission has previously found that a company may not repurpose user data for a use other than the one for which the user’s data was collected without first obtaining the user’s “express affirmative consent.”
- By failing to make special provisions to protect user data in the event of an acquisition, WhatsApp “unreasonably creates or takes advantage of an obstacle to the free exercise of consumer decisionmaking.”
- Specifically, WhatsApp users could not reasonably have anticipated that by selecting a pro-privacy messaging service, they would subject their data to Facebook’s data collection practices.
- Therefore, WhatsApp’s inadequate disclosures constitute unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45(n).
We’re skipping around a bit here, but we invoke the blogger’s right to summarize and generalize for the sake of brevity.
The complaint makes these requests for FTC action:
Specifically, EPIC requests the Commission to:
a. Initiate an investigation of the proposed acquisition of WhatsApp by Facebook, specifically with regard to the ability of Facebook to access WhatsApp’s store of user mobile phone numbers and metadata;
b. Until the issues identified in this Complaint are adequately resolved, use the Commission’s authority to review mergers to halt Facebook’s proposed acquisition of WhatsApp;
c. In the event that the acquisition proceeds, order Facebook to insulate WhatsApp users’ information from access by Facebook’s data collection practices; and
d. Provide such other relief as the Commission finds necessary and appropriate.
Which brings us to the point – what might we learn from the FTC addressing the EPIC/CDD complaint? We’re hoping the FTC answers these questions:
2. Can the FTC intervene in a situation where there is only a possibility or risk of comingling information collected under two or more different rules or assumptions?
3. What remedies can the FTC impose if the FTC finds that possibility or risk?
Justice Oliver Wendell Holmes, Jr. said, “Great cases, like hard cases, make bad law.” We’re hopeful for good law to come out of this case, because the facts of the case are clear – even if the issues are not.