The AEPD has concluded that there are two serious infractions of the Organic Law of Data Protection, in the case of WhatsApp for communicating data to Facebook without the user’s authorization and in Facebook for the treatment of that data for their own purposes.

The AEPD has concluded that there are two serious infractions of the Organic Law of Data Protection, in the case of WhatsApp for communicating data to Facebook without the user’s authorization and in Facebook for the for their own purposes. In 2014, Facebook bought the WhatsApp messaging service and in 2016 updated the terms of its service and privacy policy, introducing changes like sharing information from WhatsApp users with Facebook. The Agency has imposed 300,000 euros of sanctions on each entity – the maximum amount corresponding to the serious infractions declared – considering factors such as the volume of treatments carried out, the turnover of the infringers or the link of the activity of these with the treatments of personal data, among others. The Agency has imposed 300,000 euros of sanctions on each entity – the maximum amount corresponding to the serious infractions declared – considering factors such as the volume of treatments carried out, the turnover of the infringers or the link of the activity of these with the treatments of personal data, among others. The resolution of the AEPD concludes that the communication and treatment of data made by WhatsApp to Facebook don’t meet the requirements of Spanish and European data protection regulations. According to article 11 of the LOPD, the communication of personal data requires the consent of who is affected. The current regulatory framework requires that consent, in addition, must be free, specific and informed. In the case of Facebook, the AEPD considers that the social network uses the user information provided by WhatsApp for the benefit of his activity and for that, they require a free, specific and informed consent from the user, and which consent doesn’t exist, what’s more the WhatsApp actuations are deficient. In addition, the AEPD resolves that the absence of information or insufficient information also determines the lack of consent.