Data Protection: An Overview of the General Data Protection Regulation Occurrences during the month of January

A fresh year brought fresh data protection developments and issues for us to marvel at. In January, Whatsapp’s new privacy update resulted in backlash and loss of clientele due to misinterpretation, while Facebook’s platform vulnerability encountered in 2019 rears its head when hackers start selling old user data online. In the meantime, German Data Protection Authority hits a retailer with a hefty fine for video surveillance, and Google gets investigated for its ad industry practices.

Whatsapp delays its privacy policy updates and loses trust due to misunderstanding

The end-to-end encryption giant Whatsapp had planned to bring updates to its new privacy policy that were intended to come into force on the 8th February of 2021. However, the updates are now announced to be postponed until the 15th of May, 2021 due to heavy criticism and outcry Whatsapp received from the users. This outcry resulted from the outlined privacy policy with changed wording that led users to believe that Whatsapp will share data with Facebook, the owner of Whatsapp. The wording, in view of many, implied that the personal data of users will be shared with Facebook, as the privacy policy’s language no longer indicated the possibility to opt out of such sharing.  

The messenger company has, in fact, shared particular information, including, phone numbers, with Facebook since 2016, for the purpose of improving Facebook ads and product experiences, as well as customer reach, without selling the personal data. In 2016, however, users were given a chance to disagree with such sharing or opt out shortly after agreeing the then newly introduced terms. Regardless, Whatsapp neither did, nor does now access user chats or eavesdrop on phone calls held on its platform.

Whatsapp had previously strived to explain that this has not been changed by the outlined updates. What the changes do address is merely the business chats between users and customer services on Whatsapp. At the core of the confusion was the unsuccessful attempt to inform users on possible storage of chat logs on Facebook servers by businesses using Whatsapp for customer service. While, these businesses may use data for ad purposes, Facebook does not intend to disseminate the data on apps automatically.

Regardless, the users might have perceived the manner of communication Whatsapp used as being aggressive. Given the mistrust of Facebook privacy practices due to previous data scandals, as well as Whatsapp’s strivings to commercialise its services, the user lack of trust was not entirely unexpected. The updates were informed by means of a pop-up notifyng the user of  data sharing with Facebook and requiring deletion of the account used, if the user does not agree with the forthcoming changes. Whatsapp has assured users that those who do not agree with the updates will not lose access to the application.

Despite the efforts to cushion the blow, the damage has already been done. Due to the controversy many users have swapped Whatsapp for Signal, a non-profit end-to-end encryption messaging app pioneered by the co-founder of Whatsapp, and Telegram as an alternative for an end-to-end encryption.

The three month postponement, Whatsapp hopes, will allow them to bring clarity and clear the confusion surrounding the updates.

Facebook user phone numbers on sale on Telegram

In January it was discovered that since at least 12 January 2021, on the end-to-end encryption messenger Telegram, an automated bot enables the interested users to purchase the phone numbers of potentially over 533 million Facebook users. According to the information provided by the bot itself, it holds numbers of users in the United States, United Kingdom, Australia, Canada, as well as 15 other countries. The phone numbers that have been provided to Facebook may be used for uncovering the Facebook ID of the holder of the number, and vice versa, where the Facebook ID is known. 


The information is being offered for a fee of $20 for a single credit. The bot also, as reported, provides for an option to buy the data for less if purchased in bulk by having 10,000 credits for $5,000. When the request is placed, the automated bot shows the numbers partially, however, purchase of credits enables one to receive the full number. 

It is reported by Facebook that the leak occurred due to vulnerability on the Facebook platform that occurred in 2019, which however was fixed in August 2019. It suggests that numbers being sold are the numbers provided by users in 2019 during the time the vulnerability existed. Although the exploited data is subjectively outdated, the risk of damage to user privacy is still considerably great as it cannot be expected that all of the users would have changed their phone numbers since 2019. 

German Data Protection Authority imposes 10.4 million Euro fine for video surveillance

The highest GDPR fine in January reaching 104 million euros was imposed by the State Commissioner for Data Protection in Lower Saxony, as its record fine, to notebooksbilliger.de AG, laptop retailer. The breach in question was the company’s practice of video monitoring its employees extensively for not less than two years without legal basis. The employees were being monitored in various places, including, staff rooms, warehouses, workspaces and sales area. Additionally, the customers of the company were also monitored without justification as the surveillance took place in sales rooms, where customers could have expected a degree of privacy, in this case seating areas. It was also found that recording in many of the cases were retained for sixty days.   

While the company stated that the purpose of the video surveillance was to deter and investigate crime and track the flow of goods in warehouses, the Commissioner noted that this was a serious case of workplace surveillance, as it violated employees’ rights. It was also stated that the claimed purpose could not justify the permanent and unjustified interference with the right of the employees, otherwise such purpose would enable to extend surveillance without any limitations. The Commissioner went on that video surveillance is a particularly invasive interference as it allows one to observe and analyse the entire behaviour of a person, and, as it has been found in the German Labour case law, can put staff under pressure to avoid criticism and sanctioning for behaviour by acting inconspicuously.  

The Commissioner was of the opinion that the surveillance for the purpose of investigation of crime, as claimed, could only be carried out provided that particular persons were under reasonable suspicion. However, in such instances the surveillance should have been targeted at the specific persons and for a limited time, which was not the case with the company in question. Furthermore, it was noted that the company had to first exercise other security means of less intrusive nature.  

Google’s advertising practices to be investigated once again 

As the tech giant online advertising war continues, Google keeps on attracting the scrutiny of European authorities.  Google has already faced antitrust probes in the United Kingdom and United States as to its anticompetitive business practices in the ad industry, and in the previous three years has been hit with fines of over 8 billion euros in three antitrust proceedings in the EU for blocking online shopping competitors and advertisers. 

However, the European Commission is investigating two more cases against the tech giant in relation to its data and technology practices in the advertising industry. The investigation is said to be targeted at all of the services provided by Google, which include ad tech chain and digital advertising. 


The first of the case is linked to Google’s activity in the advertising business, namely, its anti-competitive practice in the ad tech value chain and its treatment of stakeholders, such as advertisers and publishers, as well as rivals, in matters related to ad tech services, search and display advertising. Meanwhile, the second probe covers the potential issues with its collection and processing of data as a result of Commissions concerns on Google’s collection and handling of personal data.  

In case the investigations would lead to finding Google in breach of the competition rules, the fines may reach up to 10 percent of the annual turnover of Google for each breach.  

Share this post?

Get in
Touch

+356 2166 1273