Facebook must stop collecting information about WhatsApp users in Germany, a local privacy watchdog has ordered.
Last month, Facebook began combining user data from WhatsApp, the messaging company it acquired in 2014, with the mountain of information it holds about members of its social network in order to better target advertising.
The move prompted concern among WhatsApp users, as the company had long promoted itself as a strong protector of user privacy.
Privacy regulators were also concerned, among them the Hamburg Commissioner for Data Protection and Freedom of Information, who on Tuesday issued an administrative order prohibiting Facebook from collecting and storing the data of German WhatsApp users. The company must also delete any data that WhatsApp has already handed over.
WhatsApp still operates independently from Facebook and the two companies have separate user agreements and data privacy policies. They have also, in the two years since Facebook acquired WhatsApp, assured their users that there would be no sharing of data, Commissioner Johannes Caspar said.
The sharing of data between the two companies is an infringement of German data protection law because Facebook has not obtained effective approval from WhatsApp users for the transfer, and there is no legal basis for it to receive the data, according to the Commissioner.
"It has to be their decision whether they want to connect their account with Facebook," he said. "Facebook has to ask for their permission in advance. This has not happened."
There are around 35 million WhatsApp users in Germany, but millions more are indirectly affected, he said. These are people whose contact details were uploaded to WhatsApp from users' address books, even though they may have no connection with WhatsApp or Facebook themselves.
Facebook told the Commissioner it had not yet collected all this information from WhatsApp. This, he said, is cause for concern because it can only make the impact of the data protection breach more severe when the transfer does happen.
A recent ruling from the Court of Justice of the European Union confirmed that national data protection laws apply if a company processes data in connection with a national subsidiary. Facebook does so through a subsidiary in Hamburg responsible for marketing in German-speaking regions, the Commissioner said.
That's a key detail in this case, as Facebook otherwise claims that its relations with all users outside North America are handled by its Irish subsidiary, and thus subject to Irish, not German, data protection law.
It was that claim by Facebook that led Austrian Max Schrems to file a complaint with the Irish Data Protection Commissioner -- a complaint that ultimately found its way to the CJEU and led to the invalidation of the Safe Harbor transatlantic data transfer agreement.
Reacting to the Hamburg Commissioner's decision on Tuesday, a Facebook spokeswoman said: "Facebook complies with EU data protection law. We will work with the Hamburg DPA in an effort to address their questions and resolve any concerns."