On Sept. 2, the Irish Data Protection Commission announced a decision to fine WhatsApp 225 million euros. The DPC concluded WhatsApp failed to: provide required privacy information to WhatsApp users, as required by EU General Data Protection Regulation Article 13; provide privacy information relevant to contacts of WhatsApp users — "non-users" — whose personal data was processed in order to show users which of their contacts were also WhatsApp users, as required by GDPR Article 14; make privacy information available in an "easily accessible form," as required by GDPR Article 12; and – as a result – also failed to comply with the overarching transparency principle in GDPR Article 5(1)(a). The DPC also required WhatsApp to provide the required privacy information within the three months of the date of the decision (being Aug. 20, 2020) and issued a reprimand.

As WhatsApp’s processing of personal data substantially affects data subjects in more than one Member State and their sole establishment in the EU was in Ireland, the cooperation and consistency provisions under GDPR Article 60 (the one-stop shop provision) were triggered. To comply with this, the DPC submitted a draft decision to all other supervisory authorities. Six commented on the decision; six submitted relevant and reasoned objections (France's data protection authority, the Commission nationale de l'informatique et des libertés, doing both; the federal German authority objected and the supervisory authorities for two Laender were also involved). It was not possible for the DPC to reach a consensus on a number of points, so these were submitted to the European Data Protection Board for it to reach a decision under Article 65. In a number of places, the decision incorporates the conclusions of the EDPB.

The decision establishes that privacy notices must be detailed – with far more detail being given than is currently typically the case – and must be easily accessible, without use of multiple linked documents, which may be hard to find and assimilate. The decision also incorporates findings of the EDPB on how fines should be calculated.

Lastly, the decision also comments on the meaning of personal data and anonymization – ruling out motivation as a factor in assessing risk of identifiability – and rejects arguments that Facebook was just a processor for its users when processing non-user data.

WhatsApp stated that it will appeal the decision.

Easily accessible privacy information – take care with multiple linked documents

GDPR Article 12(1) provides that information provided to a data subject has to be "easily accessible." Information contained in multiple, linked documents is not always easily accessible – especially where the documents contain overlapping, but slightly different, information. The decision notes: "The user should not have to work hard to access the prescribed information; nor should he/she be left wondering if he/she has exhausted all available sources of information and nor should he/she have to try to reconcile discrepancies between the various pieces of information set out in different locations." 

• The decision does not stop use of linked documents. In some circumstances, we think there may be good reasons for using this technique. However, controllers must ensure there is an easy way for a data subject to know they have seen all relevant information (such as also having a composite notice) and must avoid inconsistencies between documents.

The decision notes that, in the course of the investigation, WhatsApp had taken steps to address some concerns of the investigator over accessibility of information. Design features to note are:

• Avoid a continuous scroll of information, with no way for the user to see short-cut options after the home page.
• Avoid embedding a privacy notice within legal terms, which could have the effect of putting-off readers, because of the length of the overall document.

Privacy notices need to convey detailed information

GDPR Article 13(1) and (2) set out what information has to be included in a privacy notice where personal data is collected from the data subject.

WhatsApp noted the level of detail included in its privacy notice was consistent with the level of detail provided by its peers. The DPC dismissed this, noting that an industry could not be allowed to set its own level of compliance. At the same time, the DPC commented there was an abundance of text that communicated very little, warning against long but uninformative notices. WhatsApp’s point is, however, well made: The standard set out in the decision goes significantly beyond that of most privacy notices. Indeed, a glance at the privacy notice on the website of the EDPB shows it does not meet the (very similar) standard applicable to the EDPB. Nor does the Irish DPC practice what it preaches. A substantial amount of work will be required to provide the level of transparency required.

To assist readers, we have set out the comments in the decision we consider diverge most from current practice.

Notice to non-users

The decision held that WhatsApp did not comply with its obligations under GDPR Article 14 (transparency obligations in relation to data obtained other than directly from the data subject). The decision acknowledged that the processing carried out by WhatsApp about non-users was very limited. It stated the main impact of the processing would be when a non-user signs up to WhatsApp (as this then reveals to other WhatsApp users the fact that this person is now a WhatsApp user). Accordingly, most emphasis should be given to provision of information as this point.

The DPC specifically accepted that WhatsApp would not need to provide information individually to non-users and that it would be undesirable for WhatsApp to do this [165].

Approach to sanctions

WhatsApp must make required privacy notice changes within three months; large, international controllers will be held to high standards

The DPC was instructed by the EDPB to require WhatsApp to make required changes to its privacy notices within three months of the date of the order (reduced from the six months proposed by the DPC) [688]. WhatsApp argued that compliance would require considerable challenges. The EDPB opinion rejected this, noting WhatsApp was of a size and had sufficient means to be able to achieve this [687] .

Similarly, the DPC rejected arguments by WhatsApp that the DPC should show similar leniency in its approach to smaller, national controllers; the DPC noted that large, international controllers with significant resources and in-house compliance teams will be held to a higher standard [668].

Quantum of fine

In setting the level of the fine, the DPC paid particular regard to:

• The nature and gravity of the breach: Commissioner Helen Dixon noted that privacy information enables data subjects to exercise other rights and so is the "cornerstone of rights of data subjects“ – accordingly she regarded this as a serious breach [701], [800].
• The duration of the breach: considered to be ongoing since May 25, 2018.
• The very large number of data subjects potentially affected.

The commissioner noted that relevant mitigating factors were: the limited nature of data processed about non-users and the changes already made by WhatsApp to the privacy notices – however, she considered that no significant weight should be applied to these factors. 

Overall, the commissioner considered that a fine should be set at 225 million euros (being the sum of the separate fines proposed for breaches of GDPR Articles 12, 13, 14 and 5 respectively). 

GDPR Article 83(4) and (5) provide for a cap on fines, set at the higher of a specified monetary or turnover-based amount. The EDPB opinion noted the relevant turnover is that of "all the component companies of the single undertaking" [807], which would be the turnover of the group headed by Facebook Inc [846], [863 – 869; 885 - 886]. The EDPB Article 65 decision directed the DPC to consider WhatsApp’s turnover not solely when ensuring that the fine did not breach the cap, but also when setting the level of the fine initially [805].  

The EDPB opinion also instructed the DPC to impose a higher fine for the infringements identified. In considering this, the DPC benchmarked its decision against the 50 million euro fine imposed by the CNIL against Google.

The DPC calculated the proposed fine by adding together separate fines proposed for breach of GDPR Articles 12, 13, 14 and 5. GDPR Article 83(3) provides that "if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement." In the original decision notice, the DPC referred to this provision and interpreted this as meaning that the fine would be limited to the highest of the separate fines proposed for breaches of the various articles of the GDPR. The EDPB opinion considered this interpretation to be incorrect; it stated that the provision should be interpreted instead as meaning that the total fine – for all the infringements – should not exceed the relevant fine cap as set out in Articles 83(4) or (5). Accordingly, the DPC recalculated the fine on this basis.

Alejandro Luengo on Unsplash