On May 18, 2017, the EU Commission sentenced Facebook to a “proportionate and deterrent” fine of €110 million for providing misleading information during the investigation of Facebook’s acquisition of WhatsApp. This decision – that still can be appealed – reveals how acts infringing EU merger rules may also infringe EU data protection regulations and lead to high fines, as it will also be possible under the General Data Protection Regulation (GDPR) for data protection infringements.

During the acquisition notification procedure in 2014, the EU Commission had some concerns about Facebook’s ability to establish reliable automated matching between users’ accounts of both applications. Such matching could be a way for Facebook to introduce advertising on WhatsApp and/or to use personal data sourced from WhatsApp to improve its targeting advertisements. According to the EU Commission, if those new potential data combinations may have strengthen Facebook’s position in the online advertising market and hamper competition in such market, they also led to data protection issues. In its letter of October 2016, the Article 29 Working Party (WP29, gathering all EU data protection authorities) called into question the validity of the existing WhatsApp users’ consent, since, at the time they signed up, users were not informed that their data were to be shared among the “Facebook family of companies” for marketing and advertising purposes.

Facebook informed the EU Commission during the 2014 acquisition notification procedure that such account’s matchings would be technically impossible to achieve; however, WhatsApp disclosed the new purposes resulting from those matchings by updating its Terms of Service and Privacy Policy in 2016. This misleading information is the reason why the Commission sentenced Facebook. On the data protection side, the WP29 announced investigations, urged WhatsApp to communicate all available information on those new data processing and required the company not to proceed with the sharing of users’ data until appropriate legal protections can be assured.

In the context of the increased sanctions under the GDPR, this decision demonstrates that companies engaged in a merger or acquisition should integrate data protection programs in addition to corporate and competition matters. Such programs should at least include the following measures:

• Map and assess the privacy risk involved in the new processing to be carried out in the context of the corporate operation (due diligence audits, international transfers, etc.), as well as the privacy risk involved in the new processing that will be carried after the operation.
• To the extent required by law, inform the data subjects (employees, clients, stakeholders, etc.) about those new processing and purposes, taking into account confidentiality issues.
• Take all steps necessary to make the new data processing, data transfers and processing purposes compliant with the various applicable data protection rules.