Facebook has been accused of multiple breaches of European Union consumer protection law as a result of its attempts to force WhatsApp users to accept controversial changes to the messaging platforms' terms of use — such as threatening users that the app would stop working if they did not accept the updated policies by May 15.

The consumer protection association umbrella group, the BEUC, said today that together with eight of its member organizations it has filed a complaint with the European Commission and the European network of consumer authorities.
"The complaint is first due to the persistent, recurrent and intrusive notifications pushing users to accept WhatsApp's policy updates," it wrote in a press release.

The content of these notices, their character, their chronology and frequency impose an unnecessary strain on users and infringe the latter's freedom of option. Therefore, they are contrary to the EU Directive on Unfair Commercial Practices".

While earlier, it had alerted its users that notifications relating to the acceptance of new terms would be persistent and would inhibit user ability to use the service, WhatsApp later backtracked from the ultimatum it issued of its own.

However, the app continues to bug users to accept the update — with no option not to do so (users can close the policy prompt but are unable to decline the new terms or stop the app continuing to pop-up a screen asking them to accept the update).

"Besides, the complaint states that the new terms lack transparency and that WhatsApp did not make clear in intelligible language the nature of the changes," said the BEUC. It is basically impossible for consumers to get a clear understanding of what consequences WhatsApp's changes entail for their privacy, particularly in relation to the transfer of their personal data to Facebook and other third parties. Such ambiguity amounts to a breach of EU consumer law that compels companies to use contract terms and commercial communications that are transparent and clear.

The organization pointed out that WhatsApp's policy updates remain under scrutiny by the privacy regulations in Europe, which it argues is another factor that makes Facebook's aggressive attempts to push the policy on users highly inappropriate.

And while that consumer-law oriented complaint is independent of the privacy issues raised by the BEUC also under investigation by the EU data protection authorities, or DPAs it's urging those regulators to pick up the pace with their probes, adding, "We urge the European network of consumer authorities and the network of data protection authorities to work in close cooperation on these issues.

The BEUC has published a report articulating its concerns over the change in WhatsApp's Terms of Service in greater detail, where it attacks the "opacity" of the new policies, further insisting:

WhatsApp is extremely vague as to which parts it's deleted and which parts it's added. It leaves it up to users to find out for themselves. Ultimately, it is almost impossible for users to clearly understand what is new and what has been amended. The opacity of the new policies is in breach of Article 5 of the UCTD and is also a misleading and unfair practice prohibited under Article 5 and 6 of the UCPD.

A WhatsApp spokesperson reached out to comment on the consumer complaint:

BEUC's action is based on a misunderstanding of the purpose and effect of the update to our terms of service. Our recent update explains the options people have to message a business on WhatsApp and provides further transparency about how we collect and use data. The update does not expand our ability to share data with Facebook, and does not impact the privacy of your messages with friends or family, wherever they are in the world. We would welcome an opportunity to explain the update to BEUC and to clarify what it means for people.

We reached out to the Commission for comment on BEUC's complaint — and we'll update this story if we hear back from them.

Update: Here's what a Commission spokesperson told us:

We received the alert from the European Consumer Organisation (BEUC), who today lodged a complaint with the Commission against WhatsApp on multiple infringements of the EU consumer rights.

The European Commission will take into account all the arguments presented by BEUC with the national consumer authorities in the following weeks in order to determine whether further investigations are warranted and coordinated action as the CPC regulation provides.
Coordinated actions are constantly carried out by the CPC network, which has the task of enforcing consumer rights uniformly throughout the Internal Market.

We expect all companies offering their services within the EU to meet EU data protection rules.

Within the scope of the GDPR, national data protection authorities supervising and enforcing the law on a national level shall act accordingly, if necessary taking over tasks in cooperation with the European Data Protection Board.

This Commission follows this matter closely.

The complaint is the latest pushback in Europe over controversial terms change by Facebook-owned WhatsApp, which triggered a privacy warning from Italy back in January, followed by an urgency procedure in Germany in May when Hamburg's DPA banned the company from processing additional user data from WhatsApp.

Although, earlier this year, Facebook's lead data regulator in the EU, Ireland's Data Protection Commission, seemed to accept Facebook's reassurances that the changes to ToS do not impact users in the region.

German DPAs less pleased with this. And Hamburg invoked emergency powers allowed for in the GDPR in an effort to circumvent a mechanism in the regulation that — otherwise — funnels cross-border complaints and concerns through a lead regulator — in most cases, where the data controller has its regional base (in Facebook/WhatsApp's case, it is Ireland).

Such emergency procedures are time-limited to three months. However, the European Data Protection Board (EDPB) has confirmed today that its plenary meeting will discuss the request from the Hamburg DPA for it to make an urgent binding decision — which may set the Hamburg DPA's intervention on a more lasting footing, depending upon what the EDPB decides.

Meanwhile, there are growing calls for Europe's regulators to work more together better to tackle the challenges presented by platform power, as several regional competition authorities and privacy regulators are actively taking steps to dial up their joint working — in a bid to ensure that expertise across different areas of law doesn't get stuck siloed and, therefore, risks disjointed enforcement, with conflicting and contradictory outcomes for internet users.

There appears to be a growing recognition on both sides of the Atlantic for a joined-up approach to regulating platform power and ensuring powerful platforms don't simply get let off the hook.