Facebook and WhatsApp have been told to immediately stop the mass collection, storage, and sharing of data scooped up from 35 million WhatsApp users in Germany, just one month after Facebook-owned WhatsApp announced its decision to start harvesting and sharing user data with its parent company.
The decision, made by the Hamburg Commissioner for Data Protection and Freedom of Information Johannes Caspar, also forces Facebook to delete all data that has previously been shared with Facebook by WhatsApp since August.
The privacy watchdog knocked the two companies for "misleading" the public, and deemed the data sharing agreement illegal, as it constitutes an infringement of national data protection law in Germany.
"We will work with the Hamburg DPA in an effort to address their questions and resolve any concerns."
"Such an exchange is only admissible if both companies, the one that provides the data (WhatsApp) as well as the receiving company (Facebook) have established a legal basis for doing so. Facebook, however, neither has obtained an effective approval from the WhatsApp users, nor does a legal basis for the data reception exist," said the watchdog in a statement on Tuesday [PDF].
But Facebook claims it's done nothing wrong. An unnamed Facebook spokesperson said in an email statement, "Facebook complies with EU data protection law. We will work with the Hamburg DPA in an effort to address their questions and resolve any concerns."
However, the German watchdog says Facebook is technically at fault. The Court of Justice of the European Union rules that national data protection laws must be adhered to if a company deals with data from a national subsidiary. While Facebook's European headquarters are in Dublin, Facebook has a marketing subsidiary in Hamburg, too. Simply, this means Facebook must adhere to German laws in Germany.
But for the privacy-conscious Germany, a country well known for picking fights with Facebook, the change has been one step too far.
"In addition, there are many millions of people whose contact details were uploaded to WhatsApp from the user's address books, although they might not even have a connection to Facebook or WhatsApp," Caspar said. "According to Facebook, this gigantic amount of data has not yet been collected. Facebook's answer, that this has merely not been done for the time being, is cause for concern that the gravity of the data protection breach will have much a more severe impact."
In an email to Motherboard, the Commissioner's office said it expects Facebook to act accordingly to the ruling.
Update 09/27/2016: Facebook has said it will appeal the ruling. A spokesperson said in an email, "Facebook complies with EU data protection law. We will appeal this order and will work with the Hamburg DPA in an effort to address their questions and resolve any concerns."
Get six of our favorite Motherboard stories every day_ by signing up for our newsletter_.