EDPB Issues Binding Decision on DPC’s €225 Million WhatsApp Fine


The European Data Protection Board (EDPB) and Ireland’s Data Protection Commission (DPC) issued decisions that resulted in WhatsApp (a Facebook subsidiary) being fined €225 million (a bit more than $266 million) for its data processing activities. This decision was reached only after the EDPB had to step in to decide a dispute between the DPC and other data protection authorities (DPAs) about the scope and extent of WhatsApp’s punishment. As has been its wont, the DPC recommended a lighter punishment than the other, more aggressive DPAs would have liked. However, because the DPC is the lead supervisory authority (LSA) for Facebook and WhatsApp, those European Union (EU) regulators seeking stronger enforcement of the General Data Protection Regulation (GDPR) against the American multinationals, among others, will continue to face an agency that likely favors a lighter touch. Incidentally, both times the EDPB has had to use Article 65 of the GDPR to resolve a dispute, the dispute concerned the DPC’s proposed punishment of a big United States (U.S.) company. Finally, this fine is the second largest ever issued under the GDPR, with only the Luxembourg National Commission for Data Protection’s (CNPD) recent €746 million fine of Amazon, for GDPR violations that have not been publicly detailed, being higher. Today, I will look at the DPC’s decision, and in the next issue, I’ll look at the EDPB’s decision.

The DPC started investigating WhatsApp in December 2018 after complaints from people using WhatsApp and from people not using the messaging app. The DPC also received 88 complaints from other DPAs, some of which ultimately objected to the DPC’s draft decision. Per the GDPR, the DPC circulated its draft decision in December 2020 and, after assessing the objections it received from the other DPAs (aka supervisory authorities (SAs)) and considering further input from WhatsApp, issued a compromise decision. However, this compromise satisfied some of the DPAs but not others, and in May 2021 the DPC referred the decision to the EDPB for resolution.

In late July, the EDPB announced its adoption of an Article 65 dispute resolution decision that “seeks to address the lack of consensus on certain aspects of a draft decision issued by the Irish (IE) SA as LSA regarding WhatsApp Ireland Ltd. (WhatsApp IE) and the subsequent objections expressed by a number of concerned supervisory authorities (CSAs).” At the time, that press release was the only public information about the decision, which has now been released. The EDPB had already issued one Article 65 decision concerning the DPC, which functionally overruled the agency and revised upward its proposed punishment of Twitter over a data breach. In a recent related development, the EDPB also turned down the Hamburg DPA’s request for an urgent binding order on WhatsApp and Facebook’s new privacy policy and terms of service (see here for more detail and analysis). The EDPB did urge the DPC to investigate, which appears to overlap with this Article 65 proceeding. In the press release, the EDPB further explained:

  • The LSA issued the draft decision following an own-volition inquiry into WhatsApp IE, concerning whether WhatsApp IE complied with its transparency obligations pursuant to Art. 12, 13 & 14 GDPR. On 24 December 2020, the LSA shared its draft decision with the CSAs in accordance with Art. 60 (3) GDPR.
  • The CSAs issued objections pursuant to Art. 60 (4) GDPR concerning, among others, the identified infringements of the GDPR, whether specific data at stake were to be considered personal data and the consequences thereof, and the appropriateness of the envisaged corrective measures.
  • The IE SA was unable to reach consensus, having considered the objections of the CSAs, and consequently indicated to the Board it would not follow the objections. Accordingly, the IE SA referred them to the EDPB for determination pursuant to Art. 65 (1) (a) GDPR, thereby initiating the dispute resolution procedure.
  • Today, the EDPB adopted its binding decision. The decision addresses the merits of the objections found to be “relevant and reasoned” in line with the requirements of Art. 4 (24) GDPR. The EDPB will shortly notify its decision formally to the concerned supervisory authorities.
  • The IE SA shall adopt its final decision, addressed to the controller, on the basis of the EDPB decision, without undue delay and at the latest one month after the EDPB has notified its decision. The EDPB will publish its decision on its website without undue delay after the IE SA has notified their national decision to the controller.

Writing for the DPC in its final decision, Data Protection Commissioner Helen Dixon explained how the DPC started investigating WhatsApp:

  • Following the entry into force of the GDPR on 25 May 2018, the Commission received a number of complaints from individual data subjects concerning the data processing activities of WhatsApp. These complaints were received from both users and non-users of WhatsApp’s services. In addition to this, the Commission also received a mutual assistance request, pursuant to Article 61 of the GDPR, from Der Bundesbeauftragte für Datenschutz und Informationsfreiheit (the German Federal Data Protection Authority). That request touched upon the transparency obligations that are placed on data controllers by the GDPR in the context of the possible sharing of personal data between WhatsApp and a variety of Facebook companies.
  • Following a preliminary examination of the complaints, the Commission observed that, while the precise details of the complaints differed, concerns about transparency featured as a common theme throughout. Having considered the issues arising, the Commission decided to commence an own-volition inquiry pursuant to Section 110 of the 2018 Act for the purpose of assessing the extent to which WhatsApp complies with its transparency obligations pursuant to Articles 12, 13 and 14 of the GDPR.

These articles of the GDPR govern how controllers must communicate with data subjects, and what they must disclose about data obtained directly from a person and data obtained from other sources:

  • Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject
  • Article 13: Information to be provided where personal data are collected from the data subject
  • Article 14: Information to be provided where personal data have not been obtained from the data subject

It bears some emphasis that the DPC responded to complaints from users and non-users (i.e. people who downloaded and used WhatsApp and those who did not), meaning the Facebook-owned platform was processing data from people not using its product. This is legal within limits under the GDPR, of course. The DPC defined the scope of the inquiry, and the term “non-user,” as follows:

The Commission notified WhatsApp of the commencement of an own-volition inquiry pursuant to Section 110 of the 2018 Act by way of letter dated 10 December 2018 (“the Notice of Commencement”). The Notice of Commencement identified the scope of the inquiry and put a series of questions to WhatsApp for the purpose of examining the matters in issue. For the avoidance of doubt, the inquiry was limited to WhatsApp’s consumer services and does not relate to the “WhatsApp for Business” service. The term “the Service” is used throughout this Decision (and was used throughout the course of the within inquiry) to refer to WhatsApp’s internet-based messaging and calling service. Similarly, the term “non-user” has been used throughout the within inquiry to denote an individual data subject who does not have an account with WhatsApp.

The DPC determined that WhatsApp is the controller, and that the DPC is its lead supervisory authority, because the company, as “controller for its cross-border processing activities, has its single establishment located in Ireland, with permanent office premises located at 4 Grand Canal Square, Grand Canal Harbour, Dublin 2.” Moreover, Dixon noted that “WhatsApp, in its response of 25 January 2019, as referred to above, has confirmed that it is the data controller in respect of the personal data of EU users.”

Dixon summarized the DPC’s findings (which one can find in Section G of the final report):

After finishing its investigation and decision-making and getting input from WhatsApp on the draft decision, the DPC circulated the draft to the other SAs per Article 60 of the GDPR, and the following SAs raised objections:

Some of these SAs had already passed along complaints from people in their jurisdictions about WhatsApp’s data processing practices, it should be noted. The SAs made their objections known, the DPC could not reach agreement on a number of them, and it therefore turned the matter over to the EDPB. The DPC explained:

As per Article 65(1), the Board’s decision is binding upon the Commission. Accordingly, and as required by Article 65(6) of the GDPR, the Commission has now amended its Composite Draft, by way of this Decision, in order to take account of the Board’s determination of the various objections from the CSAs which it deemed to be “relevant and reasoned” for the purpose of Article 4(24) of the GDPR. This Decision identifies, below, the amendments to the positions and/or findings proposed in the Composite Draft, that were required to take account of the Board’s Article 65 Decision.

The DPC determined that WhatsApp was processing the personal data of non-users through the process the company uses to access a user’s contacts to determine which people are and are not using the service. Here’s WhatsApp’s explanation of how this works:

However, the DPC investigators determined that WhatsApp was collecting and processing the personal data of non-users through this process. The company argued that it is necessary to briefly access these phone numbers and that forcing it to find another way of determining which of a user’s contacts are on WhatsApp would be prohibitively expensive and technically very difficult.
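To make concrete why a hashed phone number is still personal data, here is an added illustration in Python. It is not WhatsApp’s code and does not reproduce the mechanism described in the decision; it models a generic server-side contact-discovery flow that hashes uploaded numbers, then shows that an unsalted hash of a phone number can be reversed by simply enumerating the number space. The hash function, the registered-user list, the uploaded contacts and the Irish number prefix are all assumptions constructed for the example.

```python
import hashlib

# Constructed sample data for the example (not taken from WhatsApp or the DPC decision).
REGISTERED_USERS = {"+353851234567", "+353871112222"}            # numbers with an account
UPLOADED_CONTACTS = ["+353851234567", "+353861000001", "+353871112222"]  # one user's address book


def hash_number(e164: str) -> str:
    """Unsalted SHA-256 of an E.164 phone number.

    This is the kind of "pseudonymised" identifier a contact-discovery
    service might compute and retain for numbers it cannot match.
    (Assumed scheme; the page does not describe the real one.)
    """
    return hashlib.sha256(e164.encode("utf-8")).hexdigest()


def match_contacts(contacts, registered):
    """Server-side contact discovery: hash both sides and compare.

    Returns (matched_numbers, unmatched_hashes). The unmatched hashes are the
    data relating to non-users that the service ends up holding.
    """
    registered_hashes = {hash_number(n) for n in registered}
    matched, non_user_hashes = [], []
    for number in contacts:
        digest = hash_number(number)
        if digest in registered_hashes:
            matched.append(number)
        else:
            non_user_hashes.append(digest)
    return matched, non_user_hashes


def recover_number(target_hash: str, prefix: str = "+3538610", digits: int = 5):
    """Brute-force a phone-number hash behind a known prefix.

    Phone numbers are a tiny keyspace: even a whole country code is at most
    ~10**9 candidates, which a laptop can hash in minutes. The example searches
    10**5 candidates behind an assumed prefix to keep it quick; the approach is
    identical for the full space. Returns the number or None if not found.
    """
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if hash_number(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    matched, non_users = match_contacts(UPLOADED_CONTACTS, REGISTERED_USERS)
    print("matched users:", matched)
    for digest in non_users:
        # The "anonymous" hash of a non-user is reversible by enumeration,
        # so it still identifies a natural person.
        print(f"non-user hash {digest[:16]}... -> {recover_number(digest)}")
```

The takeaway for anyone designing contact discovery: hashing a low-entropy identifier does not anonymise it, so data protection obligations (including the Article 14 transparency duties discussed below) still attach; real mitigations involve salting with per-user secrets that the server never learns, private set intersection, or not retaining unmatched values at all.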

The DPC spent the lion’s share of its decision on whether WhatsApp met its GDPR transparency requirements for users.

Dixon found that:

  • … WhatsApp has failed to comply with its obligation to provide non-users with the information prescribed by Article 14.
  • … WhatsApp has complied, in full, with its obligations pursuant to Article 13(1)(a).
  • … WhatsApp has complied, in full, with its obligations pursuant to Article 13(1)(b).
  • … WhatsApp has failed to comply with its obligations pursuant to Article 13(1)(e) and Article 12(1).
  • … WhatsApp has failed to comply with its obligations pursuant to Article 13(1)(c) and Article 12(1).
  • … WhatsApp has failed to comply with its obligations under Article 13(1)(f) and Article 12(1).
  • … WhatsApp has failed to comply with its obligations under Article 13(2)(a).

And, just to make the findings more concrete, here are the relevant GDPR provisions with emphasis added. First, the provisions from Article 13(1):

1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

And so, per the findings under Article 13(1)(c), (e) and (f), WhatsApp was not telling people the purposes of the processing and the legal bases for it, not disclosing the recipients or categories of recipients of personal data, and not informing people of its intention to transfer personal data outside the EU and the safeguards relied upon for those transfers.

In terms of Article 13(2), here is the relevant passage:

2. In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:

(a)  the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

(b)  the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

And so, given the finding under Article 13(2)(a), WhatsApp was not telling people at the point of data collection how long their personal data would be stored, or the criteria used to determine that period. (The rights listed in Article 13(2)(b), to access, correct and delete personal data, to restrict or object to processing and to port data, are quoted above for context; the findings listed above do not cite that provision.)

Next, the relevant part of Article 12:

1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.

The Article 12(1) findings concern the form of the disclosures rather than their existence: where WhatsApp did provide information, it did not present it in a concise, transparent, intelligible and easily accessible way, in clear and plain language.

Finally, Article 14, the provision that governs a controller’s responsibilities and a person’s rights when the former obtains the latter’s personal data from a source other than the person directly. I will quote only part of it:

1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:

(a) the identity and the contact details of the controller and, where applicable, of the controller’s representative;

(b) the contact details of the data protection officer, where applicable;

(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

(d) the categories of personal data concerned;

(e) the recipients or categories of recipients of the personal data, if any;

(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

WhatsApp did not do this, and the DPC turned aside the company’s attempts to rely on the exceptions listed in Article 14(5) (such as the provision of information proving impossible or involving a disproportionate effort) by pointing out that the company could have made this information publicly available; it was not being asked to locate and individually notify every non-user whose phone number it was collecting and hashing.

Overall, the DPC found:

  • Accordingly, for the reasons set out in the composite analysis, above, I find that WhatsApp has failed to comply with its transparency obligations pursuant to Articles 13(1)(c), 13(1)(e) and 12(1) in relation to how WhatsApp works with the Facebook Companies. I further direct that, unless WhatsApp has a concrete plan in place, that includes a definitive and imminent commencement date, to commence the sharing of personal data on a controller-to-controller basis with the Facebook Companies for safety and security purposes, the misleading elements of the Legal Basis Notice and Facebook FAQ should be deleted to reflect the true position.
  • For the avoidance of doubt, the Composite Draft proposed a finding that WhatsApp had broadly complied with its obligations under Article 13(1)(d) for the purpose of this Part 3. Given that the rationale was premised partly upon the original assessment of the extent to which WhatsApp had achieved compliance with Article 13(1)(d), as recorded in Part 2 of the Preliminary Draft, I must now amend my proposed finding, under this heading, in order to take account of the counter view of the Board (as recorded in the Article 65 Decision), on the extent to which WhatsApp has achieved compliance with its obligations under Article 13(1)(d). Accordingly, on the basis of paragraphs 414 to 415 above, and adopting both the binding determination and associated rationale of the Board as required by Article 65(6), this Decision finds that WhatsApp has also failed to comply with its obligations pursuant to Article 13(1)(d) in relation to how WhatsApp works with the Facebook Companies.

The DPC explained its reasoning for the size of the fine, which under Article 83 of the GDPR is assessed against the worldwide annual turnover of the undertaking, here Facebook as WhatsApp’s parent:

The DPC therefore handed down this punishment:

The DPC laid out the timeline by which WhatsApp needs to comply with the decision:

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Balkouras Nicos on Unsplash

Photo by Aaron Burden on Unsplash
