WhatsApp has agreed to not share user data with parent company Facebook before new data protection regulations come into force in May.
The messaging service has signed an “undertaking” with data protection watchdog the Information Commissioner’s Office (ICO), publicly committing to not share personal data with Facebook, which acquired WhatsApp in 2014.
The ICO launched an investigation into WhatsApp in 2016 over whether the app could legally share data with Facebook, after concerns were raised that the firm was not being “fully transparent” over its plans.
The ICO said its investigation has found that had the firm shared user data, it would have been illegal.
Information commissioner Elizabeth Denham said her investigation concluded that WhatsApp “has not identified a lawful basis of processing for any such sharing of personal data” and “such sharing would involve the processing of personal data for a purpose that is incompatible with the purpose for which such data was obtained”.
She added: “If they had shared the data, they would have been in contravention of the first and second data protection principles of the Data Protection Act.”
Ms Denham said that WhatsApp had also failed to provide adequate information to users that explained how their data was processed and shared.
In response, the messaging app has signed the undertaking, declaring that it will not share any EU user data until the new General Data Protection Regulation (GDPR) comes into force in May.
The regulations will replace existing data protection laws and are designed to strengthen user control over their personal data and how it is used.
Ms Denham confirmed one type of data sharing between Facebook and WhatsApp – a technical practice known as a “data processor” where sharing is done as a support service to WhatsApp – could continue, as it was not usually a data privacy issue.
“This is common practice and if done consistently with the law, under contract, does not generally raise data protection concerns,” she said.
“Data protection law does not prevent a company from sharing personal data – they just have to follow the legal requirements.
“I therefore compliment WhatsApp in signing this undertaking, which I believe will build trust amongst their many UK users.
“I would also like to stress that signing an undertaking is not the end of the story and I will closely monitor WhatsApp’s adherence to it.”
The ICO also confirmed that WhatsApp would not face a fine following the investigation.
In a statement, a WhatsApp spokesman said: “WhatsApp cares deeply about the privacy of our users. We collect very little data and every message is end-to-end encrypted.
“As we’ve repeatedly made clear for the last year, we are not sharing data in the ways that the UK information commissioner has said she is concerned about, anywhere in Europe.”