Can Facebook's WhatsApp plan pass the EU's privacy gauntlet?

Facebook has a grand plan to merge the systems that power Messenger, WhatsApp, and Instagram. But will the company be allowed to do it?

Last week, a report by The New York Times revealed that Facebook was poised to merge data from its three messaging services – Messenger, Instagram and WhatsApp – into a single platform.

The move was confirmed by Facebook CEO Mark Zuckerberg himself, in an earnings call on Wednesday. During the call, Zuckerberg said that the platform merger wouldn’t happen before 2020, and that the process was aimed at making sure that users can communicate across services and benefit from end-to-end encryption, which is currently only present on WhatsApp.

The last time Facebook and WhatsApp tried to share user information dates back to 2016, and it did not go well. The UK Information Commissioner's Office (ICO) immediately expressed its concerns about the procedure, and Facebook agreed to put it on hold. In March 2018, the ICO ruled that the sharing plan would be illegal; after the ruling, WhatsApp voluntarily committed to only share data with its parent company in a way compliant with the EU-wide data protection regulation GDPR.

The Information Commissioner, Elizabeth Denham, said that “WhatsApp has assured us that no UK user data has ever been shared with Facebook (other than as a ‘data processor’ [that is: it only provides WhatsApp with some assistance, such as for instance, server space]),” and that therefore she would not issue a fine under the Data Protection Act, a UK law essentially implementing GDPR.

Now, the new “platform merger” plan is likely to raise the hackles of data protection authorities across Europe. The Irish Data Protection Commission has already asked Facebook, whose European HQ is in Dublin, for “an urgent briefing on what is being proposed”.

Can Facebook’s merger scheme fly? Or is it going to inexorably smash against the wall of the EU’s stringent regulation?

According to Sandra Wachter, a lawyer and Research Fellow at the Oxford Internet Institute, the merger is bound to trigger privacy concerns. “All the data will be now in one place basically,” she says. “Before this, you were still able to choose what service you were using. Now all your private communications will be collected centrally in one place.”

“That poses questions in terms of privacy – and of cybersecurity,” given that there will be a single point of vulnerability for malicious actors to target in order to access information from all three platforms.

Users who are particularly privacy- and security-minded might decide to ditch the Facebook-owned holy trinity, and turn to other services. Or they can just wait and hope for data protection authorities to step in.

“They have the power to ban data processing operations, temporarily or indefinitely,” says Orla Lynskey, an associate professor of law at the London School of Economics. “If European data protection authorities found that three data platforms were merged, that would be a data processing operation, and if they find it to be an illegal data processing operation they can actually ban it.”

There are several ways in which Facebook’s gambit could fall foul of GDPR. Wachter points out that, for instance, the plan could go against data minimisation – the principle according to which a company should not hold more personal data than it strictly needs to provide its service. “You [as a company] can't just collect any data that you want,” Wachter says. “You would need to state your purpose, say why you need the data for that purpose, and for how long.”

Facebook will need to spell out why the merger is necessary for WhatsApp, Messenger and Instagram users to send messages to each other. In her response to WhatsApp’s commitment last year, the UK Information Commissioner pointed out that if the messaging service were to share data with its parent company “so that Facebook could use such data for the benefit of its own business,” that would be against data protection regulation.

According to the principle of purpose limitation, changing the purpose for data processing would require a legal basis, or renewing the users’ consent. Typically, Silicon Valley companies dealt with that by asking users to simply click “agree” at the bottom of a screed with new terms and conditions. Just as typically, the acceptance of tweaks to privacy policy has always appeared essentially compulsory for users to keep using the service – a practice denounced as “forced consent” by privacy activist Max Schrems, whose complaint against Google’s lack of transparency on requesting consent for ad personalisation resulted in the company being fined €50 million by France’s data protection authority last month.

Besides GDPR, another EU-wide piece of regulation currently in the works, the ePrivacy regulation, will also likely impact the way Facebook can use data from other platforms.

“The current draft of this law effectively prevents the analysis of messages on platforms such as Facebook Messenger without the explicit consent of the end-user,” says Michael Veale, a technology policy researcher at University College London. “While that is not the case at the moment, Facebook has a motive to keep that platform broadly unencrypted and readable in its cloud.”

A whole different set of worries concerns the effects this scheme might have on competition. By buying up Instagram and WhatsApp, Facebook has achieved a quasi-monopolistic position which many think should be challenged. In his book The Four, writer and professor Scott Galloway explicitly called for the break-up of Facebook and its subsidiaries. Following reports of the merger, Germany’s justice minister Katarina Barley said that it “raises major questions about antitrust and data protection”.

Is this going to be a matter for Margrethe Vestager, the EU’s pugnacious Commissioner for Competition, to sort out? Lynskey is not sure. “From an antitrust perspective, it is difficult to see any way this could be counteracted using competition law,” she says. “The EU Commission cleared the Facebook-WhatsApp acquisition [in 2014], and didn't impose any condition. It'd be very difficult to turn the clock back after they have given their authorisation.”

This article was originally published by WIRED UK