EU Privacy Regulators Issue Letters To Yahoo And WhatsApp

King & Spalding

In late October 2016, European Union (“EU”) data protection authorities issued letters to Yahoo and WhatsApp related to alleged privacy incidents involving those companies.  The letters were issued by a collective of EU data protection authorities known as the “Article 29 Working Party” or “WP29”, which is composed of representatives of the data protection authorities of each of the EU’s 28 member states, the European Data Protection Supervisor, and the European Commission.

The letter issued to Yahoo related to two recent privacy incidents.  First, in September, Yahoo announced that hackers had infiltrated its systems in late 2014 and lifted account data tied to at least 500 million users.  The EU regulators noted their “deep concern” over this data breach, called on Yahoo to take certain measures to communicate with European Yahoo users about the data breach, and requested that Yahoo provide additional information about the data breach.  Second, in October, reports surfaced that Yahoo had scanned customer emails for U.S. intelligence purposes at the request of U.S. intelligence agencies.  The EU regulators expressed interest in understanding the legal basis and justification for the alleged surveillance activity, including an explanation of how this activity complied with EU law. 

With regard to WhatsApp, the regulators focused on a recent change the company made to its privacy policy.  In August, WhatsApp announced that it was updating its terms of service and privacy policy.  WhatsApp told consumers that, as part of that update, it would start sharing some user information with Facebook, its parent company.  In its letter to WhatsApp, the EU regulators noted that they had concerns about the way information related to the updated terms and privacy policy was communicated to users, the validity of users’ consent to the terms and privacy policy, and the ability of users to exercise their rights under the terms and privacy policy.  In order to assess whether the changed policy complied with European privacy laws, the regulators asked WhatsApp to provide additional information about the exact data that was implicated by the change in policy, the source of the data, a list of recipients of the data, and information on the effects of the data transfer on users and potential third parties.

In a press release announcing the issuance of the letters, the Article 29 Working Party explained that it had recently formed a WP29 enforcement subgroup due to the increasing number of cross-border data security incidents.  The enforcement subgroup is tasked with facilitating the exchange of views on enforcement strategies and actions in cross-border cases and with helping European data enforcement authorities to prepare for implementation of the recently adopted EU General Data Protection Regulation.  The enforcement subgroup will hold its first meeting in November.  During that meeting, it will address the topics covered in the letters issued to WhatsApp and Yahoo.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
