Article 29 Working Party press release

28 October 2016

The Article 29 Working Party (WP29) addressed, on October 27, 2016 a letter to WhatsApp regarding the update of its Terms of Service and Privacy Policy announced last August and a letter to Yahoo regarding the data breach occurred in 2014 and the scanning of customer emails for intelligence purposes.

Letter to whatsapp on the updated terms of service and privacy policy

The WP29 expressed its serious concerns regarding the sharing of information within the “Facebook family of companies” for purposes that were not included in the Terms of Service and Privacy Policy when existing users signed-up to the service.  As a result, concerns were also articulated on the validity of the user’s consent, on the effectiveness of the mechanisms provided for the exercise of the user’s rights and on the rights of non-Facebook users with regards to such a Policy change. As such, the WP29 requested WhatsApp to communicate all relevant information to the Working Party as soon as possible and urged the company to pause the sharing of user’s data until the appropriate legal protections could be assured.

Letter to yahoo on the 2014 data breach and on the scanning of customer emails for intelligence purposes

The WP29 expressed its preoccupations with regards to the admitted 2014 data breach, whereby personal data related to at least 500 million Yahoo! Inc. users, including a great number of EU accounts, were stolen. Therefore, the WP29 requested the company to understand and communicate all aspects of the data breach to the WP29, to notify the concerned users of the adverse effects and to cooperate with all upcoming national data protection authority’s enquiries and/or investigations.   

The WP29 was also concerned about the alleged scanning of Yahoo’s customer incoming emails for US intelligence purposes at the request of US intelligence agencies. Therefore, Yahoo was invited to provide information on the legal basis and the compatibility with EU law of any such activity.

Both the WhatsApp new Terms of Service and Privacy Policy Update and the Yahoo data breach and scanning of user emails, will be discussed at the first meeting of the WP29 enforcement subgroup, in November.

 

WP29 enforcement subgroup

Due to the increasing number of incidences having cross-border effects and affecting European citizens, the WP29 decided, during the September plenary, to create an enforcement subgroup. The enforcement subgroup, a “talent pool” of national experts, will facilitate the exchange of views on enforcement strategies and actions on cross-border cases. The enforcement group will help the European data protection authorities to get prepared for the EU General Data Protection Regulation and therewith to a reinforced protection of European citizen’s data. The EU GDPR was adopted April 27th, 2016 and will take effect by May 2018.

Document reference