Data Governance and the Law – Facebook’s Acquisition of WhatsApp Might Bring Some Needed Clarity

Posted on March 13, 2014 by Timothy Keller

By now it should be clear to everyone that when you have a privacy policy you are expected to abide by the terms of that policy.  So, for example, if your privacy policy says you will not disclose any personal information that you collect, you should not disclose any information that you collect. 

But what if you change your privacy policy?  What if your new privacy policy says that you have the right to disclose personal information that you collect after, let’s say, December 31, 2014?  Presumably that means that you can disclose any personal information that is collected after December 31, 2014.  But that should not give you the right to disclose personal information that you collected before January 1, 2015. 

This raises a data governance problem.  How do you separate (and keep separate) two bodies of information that are collected during at two different times under two different rules?

Here at Big Data and the Law we assume this happens more frequently than we hear about.  Perhaps in some cases the changes in privacy policy aren’t significant and don’t require a change in information practices.  In other cases, the collecting parties might have data governance practices that can handle any problems that result from privacy policy changes.  It’s likely, however, that the issue is just ignored in some cases and no one noticed. 

In this case — people noticed.  The Electronic Privacy Information Center and The Center for Digital Democracy filed a complaint with the Federal Trade Commission (FTC) in which they assert:

    • Facebook routinely incorporates data from companies it has acquired.
  • WhatsApp’s privacy policies and official blog posts reflect a strong commitment to user privacy.
  • WhatsApp’s messaging service regularly collects and stores virtually all available user data.
  • The Commission has previously found that a company may not repurpose user data for a use other than the one for which the user’s data was collected without first obtaining the user’s “express affirmative consent.”
  • By failing to make special provisions to protect user data in the event of an acquisition, WhatsApp “unreasonably creates or takes advantage of an obstacle to the free exercise of consumer decisionmaking.”
  • Specifically, WhatsApp users could not reasonably have anticipated that by selecting a pro-privacy messaging service, they would subject their data to Facebook’s data collection practices.
  • Therefore, WhatsApp’s inadequate disclosures constitute unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45(n).

We’re skipping around a bit here, but we invoke the blogger’s right to summarize and generalize for the sake of brevity.

The complaint makes these requests for FTC action:

EPIC urges the Commission to investigate WhatsApp, Inc., and enjoin its unfair and deceptive data collection practices for any future changes to its privacy policy.

Specifically, EPIC requests the Commission to:

a. Initiate an investigation of the proposed acquisition of WhatsApp by Facebook, specifically with regard to the ability of Facebook to access WhatsApp’s store of user mobile phone numbers and metadata;

b. Until the issues identified in this Complaint are adequately resolved, use the Commission’s authority to review mergers to halt Facebook’s proposed acquisition of WhatsApp;

c. In the event that the acquisition proceeds, order Facebook to insulate WhatsApp users’ information from access by Facebook’s data collection practices; and

d. Provide such other relief as the Commission finds necessary and appropriate.

Which brings us to the point – what might we learn from the FTC addressing the EPIC/CDD complaint?  We’re hoping the FTC answers these questions:

1.         Can information collected under the terms of a privacy policy be used in a manner that is inconsistent with the terms of that privacy policy?

2.         Can the FTC intervene in a situation where there is only a possibility or risk of comingling information collected under two or more different rules or assumptions?

3.         What remedies can the FTC impose if the FTC finds that possibility or risk?

Justice Oliver Wendell Holmes, Jr. said, “Great cases, like hard cases, make bad law.”  We’re hopeful for good law to come out of this case, because the facts of the case are clear – even if the issues are not. 

The complaint can be found here: http://www.centerfordigitaldemocracy.org/epic-and-cdd-file-unfair-and-deceptive-practices-complaint-ftc-facebookwhatsapp-deal-whatsapp-users

This entry was posted in Big Data, Data Blending, Data Governance, Facebook, Federal Trade Commission, Privacy and tagged , , , , , , . Bookmark the permalink.