Introduction
On 19 January 2023, the Irish Data Protection Commission (the “DPC”) issued a €5.5 million fine to WhatsApp Ireland (“WhatsApp”). This follows the decision of 4 January 2023 ordering Meta, WhatsApp’s parent company, to pay €390 million fine in connection with the delivery of its Facebook and Instagram services.
Background
The original complaint was brought by NOYB, the organisation co-founded by data privacy activist Max Schrems, on 25 May 2018. In 2018, WhatsApp updated its terms of service to include the provision of service improvement and security features. It rolled out these updated terms to its existing (and new) users in such a way that users would have to accept them by clicking on “agree and continue”. It is important to note however that the users would not be able to access the service should they decline to accept the updated terms.
Under Article 6 GDPR, data processing is lawful only to the extent that it complies with one of six identified legal bases for that processing. By rolling out these updated terms and with the users agreeing, WhatsApp was seeking to rely on “performance of a contract” (Article 6(1)(b) GDPR) as the lawful basis for processing of personal data.
The complainant submitted that WhatsApp was in fact relying on consent (one of the other lawful bases under Article 6 GDPR) for processing personal data rather than the contractual basis under 6(1)(b). However, in order to obtain such consent NOYB contended that WhatsApp had coerced this from the data subjects by making the entire service conditional on the users accepting the updated terms.
The DPC’s decision
After reviewing and referring the matter to the European Data Protection Board (the “EDPB”), it was held that:
- WhatsApp was in breach of its transparency obligations. WhatsApp did not adequately provide information in relation the legal basis relied upon for processing to the users. The DPC determined that a lack of transparency on such fundamental matters contravened Articles 5(1)(a), 12 and 13(1)(c) GDPR; and
- WhatsApp was not entitled to rely on the “performance of a contract” (Article 6(1)(b) GDPR) legal basis for the purposes of service improvement and security.
In light of the infringements noted above, the DPC has imposed an administrative fine of €5.5 million on WhatsApp and ordered the remediation of the breach.
In addition to the above determinations at (a) and (b), the EDPB had also directed that the DPC should conduct a fresh investigation of WhatsApp’s processing operations of special categories of personal data, as well as data for marketing purposes, behavioural advertising and the provision to third parties of information for service improvement (i.e. in WhatsApp’s case, personal data shared with Instagram and Facebook for the purposes of targeted advertising).
It is particularly noteworthy that the DPC has declined to conduct such an investigation on the grounds that it does not have the authority to do so and that the EDPB does not have the jurisdictional authority to make such a direction. The DPC will therefore seek an annulment before the Court of Justice of the European Union of this specific EDPB direction.
Impact of the decision
It is unlikely that Meta, WhatsApp’s parent, will have been surprised by the outcome as it follows the same reasoning as the decision earlier this month in relation to Facebook and Instagram. A spokesperson for Meta said “We disagree with the decision and we intend to appeal” (according to the Irish Times)
The decision however does add pressure on the strained relationship between the EDPB and the DPC. The DPC’s view that the EDPC’s jurisdiction does not extend to directing a further investigation pits the two bodies against each other in a showdown which may be heard at the Court of Justice of the European Union.
Finally, this decision, with particular reference to (b) above, is of wider importance for other businesses who process personal information. Businesses who rely on 6(1)(b) GDPR for processing personal data should take a keen look at whether the legal basis upon which they process information is in fact valid.
If you have any data protection or technology queries about this subject, please contact David Varney in our Data Protection team.
This article was written by Will Flaim.