This is the second clash between Facebook and European legal bodies over WhatsApp and its data sharing habits after Facebook was hit by a £94m fine in May for matching user accounts across both Facebook and WhatsApp platforms.
And Susan Hall, a partner and specialist lawyer in intellectual property and information technology at national firm Clarke Willmott LLP, said this latest warning signals a willingness on the part of the regulator to take the fight to these huge corporations.
She said: "WhatsApp's 'take it or leave it' approach to data gathering clearly fails to meet the standard for valid consent, which has to be unambiguous, specific, informed, freely given and capable of being withdrawn at any time.
"This warning is a taste of things to come under the GDPR which comes into force in May 2018. All businesses will be subject to these regulations, notwithstanding Brexit, if they hold or process the personal data of EU residents, so in the light of this extra-territorial flexing of muscles by the EU, social media providers need to remember there's no place to hide. They must abide by the regulations."
In its latest letter, the WP29 makes an oblique reference to the GDPR, which will give data protection authorities the power to fine organisations up to 4% of global turnover for serious breaches of data protection. This would amount to about $1.11bn based on Facebook's 2016 figures, Hall pointed out.
She added: "While authorities such as our own Information Commissioner's Office have pointed out that the point of the GDPR is not really the fines, but putting data protection on a footing fit for the 21st century, it seems fair to assume that in the case of WhatsApp and Facebook, the European Commission's patience is running out."
A taskforce has now been launched by the WP29 to implement "a clear, comprehensive resolution" to comply with EU law. The taskforce will be led by the UK's ICO.
Hall said: "This letter comes a year after the first warning was issued and a number of months after the Commission came down like a ton of bricks on Facebook about its failure to keep its WhatsApp and Facebook businesses separate, sending a clear message to social media providers that they are watching them.
"Even when Brexit occurs, it's been clearly signalled by the ICO that in order to facilitate working sensibly within the EU after Brexit, any new regime in the UK is likely to remain very close to the GDPR, so it would be sensible to regard this decision as having long-term implications for everyone who handles personal data in the UK or in the EU."