EDPB Turns Down German DPA; Asks DPC To Investigate Facebook and WhatsApp’s Data Processing


The European Data Protection Board (EDPB) denied a request by the Hamburg Commissioner for Data Protection and Freedom of Information (the Hamburg DPA or the DE-HH SA) to force Ireland’s Data Protection Commission (DPC) to take immediate steps against Facebook, WhatsApp, and Instagram because of WhatsApp’s proposed changes to its Privacy Policy and Terms of Service that proved controversial earlier this year. The EDPB ruled against the Hamburg DPA and will not order the DPC to act immediately against Facebook and WhatsApp on the grounds that it is not clear whether the companies’ data processing is illegal under the General Data Protection Regulation (GDPR). The EDPB instead asked the DPC to investigate Facebook and WhatsApp over their data processing and whether it comports with the GDPR. The Board took this step because it is not sure whether the DE-HH SA’s allegations about the companies’ data processing are true.

This is not the first time the DPC’s regulation of U.S. technology giants has been questioned, and this is not the only GDPR action Facebook is facing. Last year, the EDPB had to step in and settle a dispute between the DPC and other supervisory authorities over the proper punishment of Twitter for data breaches (see here for more detail and analysis.) Ultimately, the DPC was forced to revise upward its punishment of Twitter per the EDPB’s instructions.

Moreover, the DPC is already investigating Facebook regarding “multiple international media reports, which highlighted that a collated dataset of Facebook user personal data had been made available on the internet.” The DPC and Facebook have also faced off in Irish court over the ramifications of the Court of Justice of the European Union’s (CJEU) decision last summer that struck down the European Union-United States Privacy Shield adequacy decision. none of your business (noyb) had litigated against the DPC to force it to regulate Facebook in light of the general ban on transfers of personal data to the U.S. In exchange for settling the case, noyb claimed the DPC has agreed to move forward with enforcing the CJEU’s decision against Facebook’s data transfers. Subsequent action is expected.

Turning back to the dispute that led to the EDPB’s binding decision, in mid-December 2020, the DPC informed the other DPAs and supervisory authorities (SA) in the European Economic Area (EEA) that Facebook/WhatsApp would be changing the latter’s privacy policy and terms of service in the European Union (EU). Users of WhatsApp the world over were greeted with a screen indicating the company would be changing these policies, giving rise to fears that WhatsApp would start handing over the personal data of users to Facebook. In early January, the DE-HH SA pointed out the DPC had not provided its view on these changes, and the DPC thereafter shared information about meetings and materials Facebook/WhatsApp had provided. The DE-HH SA reiterated that the DPC still had not shared its views on the proposed changes and offered its concerns “regarding the data sharing of Facebook IE and WhatsApp IE for different purposes of each company.” The DE-HH SA also indicated it may use Article 66 of the GDPR for an urgency procedure.

After the exchange of further information between the DPC and DE-HH SA, in April, the latter asked the former “to conduct investigations into the specific processing of WhatsApp IE and Facebook.” Later that month, the DPC informed the EEA DPAs and SAs that the Updated Terms are “[…] largely a carryover of the text of the existing policy and no new text signifying any change in WhatsApp’s position is included regarding the sharing of WhatsApp user data with Facebook or access by Facebook for Facebook’s own purposes.” The DPC also informed these agencies that “it commenced a supervision review and assessment of WhatsApp IE’s oversight and monitoring of its data processors (chiefly Facebook), including the safeguards, mechanisms and audit processes in place to ensure that Facebook IE does not use WhatsApp IE user data for its own purposes, inadvertently or otherwise.” In May, the DE-HH SA proceeded with its provisional measures against Facebook and WhatsApp, and in June it requested an urgent decision from the EDPB.

The EDPB further explained:

  • Following the notification by WhatsApp Ireland Ltd (hereinafter “WhatsApp IE”) to German users of its new Terms of Service and Privacy Policy, and the extension of the deadline for users to provide consent to 15 May 2021, the DE-HH SA came to the conclusion that Facebook Ireland Ltd (hereinafter “Facebook IE”) is already processing data of WhatsApp users residing in Germany for its own purposes in some cases, and that processing for its own purposes is imminent in other cases. The DE-HH SA considers that the processing of personal data of WhatsApp IE users residing in Germany by Facebook IE for the purposes of Facebook IE violates Article 5(1), Article 6(1) and Article 12(1) GDPR. Therefore the DE-HH SA adopted, on 10 May 2021, provisional measures under Article 66(1) GDPR, based on its consideration that the circumstances were exceptional and there was an urgent need to act to protect the rights and freedoms of data subjects.
  • Through its provisional measures, the DE-HH SA prohibited, for a duration of 3 months, Facebook IE from processing personal data of WhatsApp users residing in Germany, which is transmitted from WhatsApp IE to Facebook IE for the purposes of 1. Cooperation with other Facebook Companies; 2. Security and integrity of Facebook; 3. Improvement of the product experience; 4. Marketing communication and direct marketing; 5. WhatsApp Business API; to the extent that the processing is being carried out for Facebook IE’s own purposes.

The EDPB explained the procedure under the GDPR the Hamburg DPA used to request an urgent decision:

  • Pursuant to Article 66(1) GDPR, in exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 GDPR or the procedure referred to in Article 60 GDPR, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months.
  • In accordance with Article 66(2) GDPR, where a supervisory authority has taken a measure pursuant to Article 66(1) GDPR and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such opinion or decision. The request for an urgent opinion or urgent binding decision in the context of Article 66(2) and (3) GDPR is optional.

The EDPB summed up the DE-HH SA’s case:

  • According to the DE-HH SA, Facebook IE is already processing data of WhatsApp users for its own purposes or will imminently do so.
  • The DE-HH SA considers that Facebook IE has no legal basis for the processing of WhatsApp user data for its own purposes, hence it is unlawful due to the lack of effective consent of WhatsApp users within the meaning of Article 6(1)(a) and Article 7 GDPR, and of a legitimate interest within the meaning of Article 6(1)(f) GDPR.
  • The DE-HH SA considers that the consent requested by WhatsApp in its Terms of Service of 4 January 2021 does not meet the requirements of informed and free consent within the meaning of Article 6(1)(a) and Article 7 GDPR.
  • The DE-HH SA states that the Updated Terms are not understandable by users; they do not comply with the transparency requirements under Article 5(1)(a), Article 12(1) and Article 13(1)(c) and (e) GDPR; the explanations on data exchange are partly contradictory and inconsistent, as well as largely undefined; the statements on data exchange are scattered in various documents at different levels and do not allow users to take note of them in a uniform manner. The DE-HH SA also explains why the transparency requirements are not fulfilled in relation to each of the specific purposes it identified (see hereinafter).
  • In addition, the DE-HH SA underlines that considering the market position of Facebook and WhatsApp, users do not have a choice to consent or not, as not using WhatsApp is not an acceptable alternative because of the wide use of such a closed messenger system. According to the DE-HH SA, it is not possible to continue the use of WhatsApp’s service on the basis of WhatsApp’s previously applicable terms and conditions.
  • The DE-HH SA states that Article 6(1)(b) GDPR is not relevant as the transfer of WhatsApp user data to by Facebook IE, and further processing by the latter for its own purpose, is not necessary for the performance of a contract concluded between WhatsApp IE and the data subjects or between Facebook IE and the data subjects. For those WhatsApp users who are not Facebook users, the DE-HH SA considers that there is already a lack of corresponding contractual relationship between Facebook IE and such concerned WhatsApp users.
  • The DE-HH SA notes that, should Facebook IE use Article 6(1)(f) GDPR as a ground for such processing, it would need to transparently inform users about this on the basis of Article 13(1)(c) GDPR. Moreover, according to the DE-HH SA, even for purposes for which a legitimate interest may exist, for example to prevent the sending of spam in the area of network security, Facebook’s legitimate interest does not outweigh the fundamental rights and freedoms of the users. The DE-HH SA underlines in particular the large amount of data processed, which cannot be justified by Facebook’s legitimate interests. The DE-HH SA also raises that there is a complete lack of necessity for the data sharing with Facebook IE of WhatsApp users that are not Facebook users.
  • Besides, the DE-HH SA underlined a violation of the transparency requirements under Article 5(1) GDPR and Article 12(1) GDPR. This is due to the large number of different documents that users need to read to understand what is done with their personal data; to the inadequate consideration of the fact that users usually access such information via their smartphones, which, from a technical perspective, makes it more difficult to comprehend; to the existence of two versions of Terms of Service (one for users within the EEA and one for users from the rest of the world); and to how easy it is for users in the EEA to confuse the public-facing information applicable to them and the information applicable to non-EEA users.
  • The DE-HH SA identified five processing purposes which it considers are already being carried out or could be carried out imminently by Facebook IE as a controller: 1) Security and integrity of Facebook; 2) Improvement of the product experience; 3) Marketing communication and direct marketing; 4) WhatsApp Business API; and 5) Cooperation with other Facebook Companies. These purposes are subject to the provisional measures ordered by the DE-HH SA and are further assessed hereinafter.

The Board concluded “it does not have sufficient information in the present procedure to conclude whether infringements are taking place” and thereafter denied the DE-HH SA’s request for an urgent binding decision. Nonetheless, the EDPB is asking the DPC to investigate Facebook and WhatsApp for the following:

  • Nonetheless, in the face of the various contradictions, ambiguities and uncertainties noted in WhatsApp’s user-facing information, the Commitments, and Facebook IE and WhatsApp IE’s respective written submissions, the EDPB is not in a position to determine with certainty which processing operations the other Facebook Companies, including Facebook IE, are actually carrying out in relation to WhatsApp’s user data and in which capacity.
  • Accordingly, the EDPB requests the LSA competent for Facebook IE and WhatsApp IE to carry out a statutory investigation to unveil whether Facebook IE has already started to process WhatsApp’s user data for the common purpose of safety, security and integrity of the Facebook Companies, and if so, whether it is acting as a processor on behalf of WhatsApp IE or as a (joint) controller with WhatsApp IE. In particular, to this respect the LSA should analyse the possible combination and/or comparison at individual level the personal data of WhatsApp users with the data of the Facebook Companies which enables the Facebook Companies to understand whether a particular person uses different services of the Facebook Companies, which serves their common purpose of the safety, security and integrity. The EDPB further requests the LSA to carry out a statutory investigation to assess whether Facebook IE has a legal basis to conduct such processing lawfully as a (joint) controller pursuant to Articles 5(1)(a) and 6(1) GDPR.
  • Whilst the EDPB considers that SAs enjoy a certain degree of discretion to decide how to frame the scope of their inquiries, the EDPB recalls that one of the main objectives of the GDPR is to ensure consistency throughout the EU, and the cooperation between the LSA and CSAs is one of the means to achieve this. Therefore, the EDPB calls upon the LSA to make full use of the cooperation tools provided for by the GDPR (including Articles 61 and 62 GDPR) while carrying out such investigation.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.
