Remember that personal e-mail that arrived in your Yahoo inbox back in 2012? 

Yes, that one you never wanted anyone else to see? 

Or the ‘fully encrypted’ WhatsApp messages you recently sent to your mates after a night out? 

Most likely, you didn’t think that your e-mails may have been under US Government surveillance. You also didn’t expect that your personal data provided to WhatsApp, including your phone number, may be shared with Facebook, even though you’re no longer a Facebook user. 

Disappointingly, this is precisely what may have happened, and the EU Data Protection watchdog, WP29, is currently investigating both cases.

Yahoo allegedly allowed a major data breach back in 2014, when account details of 500 million users were leaked. It is also reported that Yahoo conducted a mass surveillance exercise on incoming mail at the request of the US Government.

The privacy breaches were not revealed until September 2016.

WhatsApp has recently made a U-turn on its privacy policy and, despite previous reassurance that it would not share users’ data with Facebook, has now chosen to do so.

The manner in which WhatsApp presented the new policy to users and obtained their consent raises questions about the validity of such consent and is currently under investigation.

WP29 implored WhatsApp not to share data with Facebook until the investigation is completed. They said:

“WP29 also questions the effectiveness of control mechanisms offered to [WhatsApp] users to exercise their rights and the effects that the data sharing will have on people that are not a user of any other service within the Facebook family of companies.”

However trivial this may sound, the best advice is to keep private things private as much as possible.

Although EU citizens are protected under European and national data protection provisions, the two examples above unfortunately show that the law is not always obeyed. The problem is that once personal data enters the public domain, it is very difficult to track it and to erase it.

There is also always a risk that it has been accessed by other unauthorised parties before its removal, and the possibility that it could be misused for the purposes of fraud or other criminal activity.  

The regulators will discuss the Yahoo and WhatsApp cases this month – and it is worth keeping a close eye on these decisions.