Greetings from Brussels!
BEUC — the European Consumer Organisation — is on the warpath once again, filing a complaint this week against WhatsApp with the European Commission. BEUC and eight of its national EU member organizations mounted a coordinated complaint action with Brussels, as well as through the European network of consumer authorities, for multiple alleged breaches of EU consumer rights. At the center of the complaint: persistent and intrusive pressure on users to accept WhatsApp’s new terms of use and privacy notice.
In a joint statement, the consumer protection groups said, “the content of user notifications, their nature, timing and recurrence put undue pressure on users and impaired their freedom of choice. As such they are a breach of the EU Directive on Unfair Commercial Practices.” In support of its complaint, BEUC has also produced a report setting out its concerns over WhatsApp’s notice changes in more detail. For context, since 2020, BEUC, along with other umbrella organizations, has been designated under the Consumer Protection Cooperation Regulation as a body entitled to file complaints about cases of EU-wide legal infringements affecting consumers.
It is important to note that BEUC’s consumer law complaint is separate from the ongoing WhatsApp (and Facebook) scrutiny by the EDPB and the EU DPAs for breaches of data protection law. That said, there is a common thread around the updated WhatsApp privacy notice affair that dates to January. If you recall, Italy's DPA, the Garante, brought the issue before the EDPB, warning the notice changes were "unclear and intelligible" and requesting a detailed assessment in light of data protection legislation provisions.
Furthermore, in May, the Hamburg DPA went a step further, issuing an order prohibiting Facebook Ireland from processing personal user data from WhatsApp for its own purposes. This was carried out under the urgency procedure of GDPR Article 66(2) — enforceable with immediate effect and valid for three months pending an urgent opinion from the EDPB. As it happens, and perhaps in timely fashion, this particular case and request by the German watchdog for a board "binding decision" was on the agenda of the 52nd EDPB plenary held this Monday past. The EDPB decided the conditions to demonstrate the existence of an infringement and an urgency were not met. Therefore, the EDPB decided no final measures need to be adopted by the Irish Data Protection Commission against Facebook Ireland in this case. The recent news release goes further, stating that evidence was inconclusive as to whether or not Facebook companies are conducting data processing operations in combination or correlation with WhatsApp user data, with other data sets, in relation to services offered by Facebook companies.
The EDPB has, however, requested Ireland's DPA carry out, as a matter of priority, a statutory investigation to determine whether such processing activities are taking place or not, and if it is the case, whether they have a proper legal basis under GDPR. Interestingly, as concerns this recent consumer case, BEUC appealed to the European network of consumer authorities and DPAs to work in close cooperation on issues affecting consumer and privacy rights. This seems reasonable, perhaps even required, to regulate our ever-expanding digital economy, although I think we can agree European regulatory cooperation has some way to go before this becomes a reality.