By Gary Gonzalez
“We believe the customer should be in control of their own information. You might like these so-called free services, but we don’t think they’re worth having your email, your search history and now even your family photos data mined and sold off for god knows what advertising purpose. And we think someday, customers will see this for what it is.” –Tim Cook, CEO, Apple
In February of 2014 Facebook acquired WhatsApp for a staggering $19BN. For those unfamiliar, WhatsApp is a mobile application actively used by an estimated 450 million people, primarily in Europe, India and Latin America. WhatsApp actively advertised its security and privacy through message encryption and a policy to not store messages on servers. Lastly, WhatsApp is entirely advertisement free because users pay an annual fee of $0.99. Throughout the buyout, the founders of WhatsApp told users this model would remain unchanged.
At the end of September, the Hamburg commissioner for data protection and freedom of information, Johannes Caspar, issued an order banning Facebook from sharing information with WhatsApp across Germany. The ban in Germany has prompted action by other countries. Spain announced plans to investigate the data transfers to determine if they meet Spanish data protection legislation. And, Spain isn’t going at it alone, they plan on working with Germany, Italy, and Britain, all of which announced comparable probes.
So what should companies do to avoid these investigations and court orders? Research the data privacy laws of the countries in which your users or potential users live. Then, draft a policy acceptable in all jurisdictions.
As Facebook now realizes, United States laws regarding data privacy are insufficient when customers are citizens of foreign nations. The United States, unlike the European Union, does not have a general data privacy law. Rather, the United States takes a sectoral approach and only regulates certain types of data such as: financial information under Gramm-Leach-Bliley Act, health related information under the Health Insurance Portability and Accountability Act (HIPAA), consumer reporting agencies under the Fair Credit Reporting Act, and collection of telephone numbers under the Telephone Consumer Protection Act.
The European Union, Iceland, Norway, and Liechtenstein follow the EU Data Directive. The EU Data Directive prohibits the transfer of “personal data” to anyone, including affiliates, vendors, and customers outside the European Economic Area, unless an adequate level of data protection is provided by the destination nation. “Personal data” under the EU Data Directive is very broadly defined to “include any information relating to an identifiable individual.” This requirement and definition will continue to exist when the EU Data Directive is replaced by the General Data Protection Regulation on May 25, 2018.
In conclusion, companies should strive to meet the data privacy requirements of the countries in which its users are residents. Companies should not rely solely on the laws of their home nation, especially the United States, which arguably has some of the least protective data privacy laws amongst developed nations. Companies may argue stricter privacy policies limit the ability to sell data or offer additional products or services, but this is not so. Companies only need to draft policies in which users opt in, instead of opting out. By seeking affirmative consent to data sharing, corporations can avoid having the issues Facebook and WhatsApp are currently facing, and avoid the cost of international investigations and litigation.
* * * * *
 Parmy Olson, Facebook Closes $19 Billion WhatsApp Deal, Forbes (Oct. 6, 2014, 1:25 PM), http://www.forbes.com/sites/parmyolson/2014/10/06/facebook-closes-19-billion-whatsapp-deal/#756fd13e179e.
 Chandra Steele, What Is WhatsApp? An Explainer, PC Mag (Feb. 20, 2014, 1:51PM EST), http://www.pcmag.com/article2/0,2817,2453710,00.asp.
 David McLaughlin & Stephanie Bodoni, Facebook’s WhatsApp Privacy Changes Raise EU, U.S. Concerns, Bloomberg (Aug. 29, 2016, 6:11 PM EST), https://www.bloomberg.com/news/articles/2016-08-29/whatsapp-privacy-changes-raise-eu-concern-over-user-data-control.
 Adrew Griffin, Whatsapp Banned from Sharing Data with Facebook in Germany, Independent (Sept. 26, 2016), http://www.independent.co.uk/life-style/gadgets-and-tech/news/whatsapp-facebook-data-sharing-update-ads-germany-hamburg-banned-a7332606.html.
 The Associated Press, Spanish Agency to Probe Facebook and WhatsApp Data Swap Deal, CTV News (Oct. 6, 2016, 5:16 AM), http://www.ctvnews.ca/sci-tech/spanish-agency-to-probe-facebook-and-whatsapp-data-swap-deal-1.3103988.
 Manish Singh, Indian Court Orders WhatsApp to not Share User Data with Facebook Collected before Sept. 25, Mashable (Sep. 23, 2016), http://mashable.com/2016/09/23/india-delhi-high-court-whatsapp-facebook/#hU4AScI_fgqf.
 Ieuan Jolly, Data Protection in the United States: Overview, Practical Law, http://us.practicallaw.com/6-502-0467 (last visited Oct. 16, 2016).
 Lothar Determan et al., The EU-U.S. Privacy Shield Versus Other EU Data Transfer Compliance Options, Bloomberg BNA (Sept. 12, 2016), http://www.bna.com/euus-privacy-shield-n57982076824/.