Ireland's Data Protection Commission completed its inquiry into Meta platform’s WhatsApp Ireland and fined the company 5.5 million euros related to transparency and forcing users to consent to the processing of their data in the Terms of Service.
The DPC found WhatsApp was in breach of “its obligations in relation to transparency" because "information in relation to the legal basis relied on by WhatsApp Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose, and by reference to which of the six legal bases identified in Article 6 of the" EU General Data Protection Regulation, according to the DPC press release. The DPC found the lack of transparency did not meet Articles 12 and 13(1)(c) of the GDPR.
WhatsApp now has six months to bring its data processing practices in compliance with the GDPR. The WhatsApp decision comes on the heels of the DPC fining Facebook and Instagram Jan. 4 for requiring users to accept its new privacy notice to process data for targeting advertising purposes, totaling 390 million euros.
The DPC opted to fine WhatsApp significantly less than its sister platforms because it already “imposed a very substantial fine of 225 million euros” within the same time frame and its latest decision does not impose any additional transparency obligations on the platform beyond the requirements issued to WhatsApp in the initial decision.
In the last 16 months, Meta has received fines totaling more than 1.3 billion euros.
A spokeswoman for Meta said, “We strongly believe that the way the service operates is both technically and legally compliant. We rely upon contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service. We disagree with the decision and we intend to appeal.”
The complaints against the three Meta platforms were originally brought to the DPC by privacy rights group NOYB in 2018, which argued compelling users to agree to having their data processed as a condition service use amounted to a circumvention of the GDPR.
However, the DPC’s latest decision does not resolve the ongoing jurisdictional fight between the DPC and the European Data Protection Board.
Similar to the Facebook and Instagram DPC decisions, WhatsApp argued to the DPC it could rely on a contractual basis in its privacy notice to process personal data. Unlike, in the Facebook and Instagram decisions, however, WhatsApp contended the contract-based data processing was to allow for service and security improvements, instead of for targeted advertising, which the DPC accepted but six EU member state data protection regulators in the Concerned Supervisory Authorities objected.
The contract-based data processing for service improvements matter was referred to the EDPB after a consensus could not be reached in December 2022 among the CSA members. The EDPB ruled “WhatsApp Ireland was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement,” and the DPC said it incorporated this ruling into its WhatsApp inquiry.
Though the EDPB binding decision has not yet been released, the DPC said the EDPB directed it to open "fresh investigations of all WhatsApp data processing operations." In its release, the DPC argued that the "EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR."
As a result, the DPC characterized the EDPB's further instruction as an "overreach" and that it would consider bringing the case to the Court of Justice of the European Union.
In response to the DPC's release Jan. 19, NOYB founder Max Schrems said, “We are astonished how the DPC simply ignores the core of the case after a (four and a half) year procedure. The DPC also clearly ignores the binding decision of the EDPB.”
Though it has not yet been released to the public, the EDPB adopted its binding decision Jan. 12.
This chart provides a refresher on the six bases for lawful processing under Article 6 of the EU General Data Protection Regulation.
If you want to comment on this post, you need to login.