The Hamburg Commissioner for Data Protection and Freedom of Information (Hamburg DPA) recently issued an administrative order prohibiting Facebook from collecting and storing user data of German WhatsApp users.

The Hamburg DPA also ordered Facebook to also delete all data that has already been forwarded to Facebook by WhatsApp.

After the acquisition of WhatsApp by Facebook in 2014, both parties made public assurances that personal information was not going to be shared between them. In August of 2016, however, Facebook announced that it would begin sharing data from WhatsApp users with Facebook for the purpose of targeted ads. The social network did grant its users the option of opting out of the data being used for advertising purposes, but did not allow them to opt out of the data sharing between WhatsApp and Facebook. In addition, there are millions of people whose contact details were uploaded to WhatsApp from the user’s address books, although they might not even have a connection to Facebook or WhatsApp.

According Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information “the fact that this is now happening is not only a misleading of their users and the public,” but “also constitutes an infringement of national data protection law.” The Hamburg DPA argued that (a) Facebook neither had obtained an effective consent from the WhatsApp users, nor did a legal basis for the data reception exist and (b) Facebook must respect German data protection law after the Court of Justice of the European Union (CJEU) confirmed in its ruling from July, that national data protection laws are applicable if a company processes data in connection with a national subsidiary. The Hamburg DPA indicated that Facebook is processing the data through its subsidiary in Hamburg, and accordingly the Hamburg DPA interpreted the Ruling by the CJEU that the German subsidiary is responsible for the operation of the marketing business in German speaking regions. Facebook disagreed with that conclusion, and has maintained that it operates in Europe from its headquarters in Ireland and that its actions are therefore governed by Irish law.

Caspar ordered Facebook to delete any data already received from WhatsApp in Germany, saying that he was acting to protect the privacy of Germany’s 35 million WhatsApp users and that of people saved in each user’s address books, whose details might also be forwarded under the data-sharing arrangement.

Facebook and WhatsApp do also face the possibility of court proceedings by consumer protection agencies in Germany due to allegedly impermissible terms and conditions and privacy policies used by the companies. Also, the European Commission recently recommended tighter privacy and security requirements for services including WhatsApp and Skype, saying they should be regulated more like traditional telecoms.