France’s data protection watchdog CNIL issued a formal notice to WhatsApp to comply with its requirements within a month or face “a sanction”, after an investigation into data sharing with parent Facebook.

The issue stems from an August 2016 update to the WhatsApp terms of service, which said data would be shared with Facebook for the purpose of targeted advertising, security, and the evaluation and improvement of services.

After an investigation, CNIL said while the security function “seems to be essential to the efficient functioning of the application”, this is not the case for “business intelligence” functions, which therefore fall foul of data protection rules.

In particular, it said consent is not correctly obtained because it is not specific to the purpose and it is not a free choice: the only way to refuse data transfer for business intelligence use is to uninstall the app.

WhatsApp also did not comply with repeated requests to provide a sample of French users’ data which had been transferred to Facebook, because “as it is located in the United States, it considers that it is only subject to the legislation of this country”.

The practice of sharing data between WhatsApp and Facebook has been the subject of criticism at a European level.