On 2 September 2021, the Data Protection Commission (DPC) announced that it had imposed a €225 million administrative fine on WhatsApp Ireland Limited, together with a reprimand and an order to bring its processing into compliance. The announcement follows a lengthy background, including the EDPB's first urgent binding decision in relation to the investigation earlier this year.
This is the highest GDPR fine issued by the DPC to date, and the second highest issued by any EU regulator. It represents a significant increase on the €30m to €50m initially proposed by the DPC, reflecting the factors raised by the EDPB, which called for a higher sanction. The factors that increased the fine included additional infringements identified by Concerned Supervisory Authorities, the EDPB's view on the GDPR's fining limit for multiple infringements, and the method for calculating turnover. WhatsApp has announced its intention to appeal the decision.
The investigation began in December 2018, when the DPC commenced an own-volition inquiry under Section 110 of the Data Protection Act 2018. The DPC issued two draft decisions in May 2020, which were challenged and scrutinised by Concerned Supervisory Authorities in the months that followed, resulting in the GDPR dispute resolution procedure being initiated.
Notably, the Hamburg supervisory authority ordered a ban on Facebook processing WhatsApp user data for its own purposes in Germany, relying on Article 66(1) GDPR, which allows provisional measures to be taken where there is an urgent need to protect data subjects in a specific territory. The EDPB decided that neither the existence of an infringement nor the urgency had been conclusively demonstrated, and in July of this year issued its first urgent binding decision, instructing the DPC to continue with its investigation.
The final decision was made pursuant to Section 111 of the Data Protection Act 2018 and in accordance with Articles 60 and 65 of the GDPR. Article 60 governs the cooperation procedure between a lead supervisory authority and the concerned supervisory authorities. This is the second major Article 60 draft decision that the DPC has finalised.
The Decision is based on WhatsApp's non-compliance with the transparency obligations in Articles 12, 13 and 14 of the GDPR in relation to both users and non-users of the service, including transparency about data sharing between WhatsApp and other Facebook group companies. Obligations to "users" (those with WhatsApp accounts) arise under Article 13, while obligations to "non-users" arise under Article 14, because WhatsApp processes personal data, such as contact details, of individuals who do not hold accounts.
WhatsApp offers its users an optional contact matching feature, which allows WhatsApp to identify which of the contacts in a user's address book are also WhatsApp users. In doing so, the DPC considered that WhatsApp may access the contact details of non-users whose numbers appear in that user's address book. Notably, the DPC determined that a non-user's phone number is personal data within the GDPR definition at the point it is obtained, before any hashing takes place, notwithstanding the hashing techniques WhatsApp applies to this data and its prompt deletion of non-user data.
The DPC considered the deliberate choice of a non-user not to become a WhatsApp user, and noted that the contact feature "completely disregards the non-user's right to exercise control over their personal data". In its Article 65 decision, the EDPB agreed that this non-user data constituted personal data.
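The following is an added illustration, not code from WhatsApp, the DPC or the Decision, of why hashing alone does not take a phone number outside the reach of the person holding the hash: the space of valid numbers is small and enumerable, so an unkeyed hash of a number can be mapped straight back to it. The matching scheme, the E.164 prefix and the sample address book are all constructed assumptions for the demonstration; the Decision's finding rests on the number being personal data before hashing, not on this reversal.

```python
"""Added illustration: a hashed phone number remains linkable to the person.

Constructed example. The hash construction (unkeyed SHA-256 of the E.164
string), the sample numbers and the prefix are assumptions for demonstration
and are not drawn from the Decision or from any real service.
"""
import hashlib
from typing import List, Optional, Set, Tuple

# Constructed sample data: one user's address book and the service's set of
# registered numbers. None of these are real subscribers.
ADDRESS_BOOK = ["+353871230042", "+353871237777", "+353871231111"]
REGISTERED_USERS = {"+353871230042"}  # only one contact holds an account


def hash_number(e164: str) -> str:
    """Unkeyed SHA-256 of the number, hex-encoded (assumed scheme)."""
    return hashlib.sha256(e164.encode("ascii")).hexdigest()


def contact_match(address_book: List[str],
                  registered: Set[str]) -> Tuple[List[str], List[str]]:
    """Server-side match on hashes only.

    Returns (matched, unmatched) hash lists. The unmatched hashes are
    exactly the non-users in the address book: the server never saw the
    plaintext numbers, but it still holds their hashes.
    """
    registered_hashes = {hash_number(n) for n in registered}
    matched: List[str] = []
    unmatched: List[str] = []
    for number in address_book:
        digest = hash_number(number)
        (matched if digest in registered_hashes else unmatched).append(digest)
    return matched, unmatched


def recover_number(target_hex: str, prefix: str,
                   suffix_digits: int) -> Optional[str]:
    """Recover a number from its hash by enumerating every suffix behind a
    known prefix. A national mobile range is on the order of 1e8 to 1e9
    numbers, which is minutes of SHA-256 on commodity hardware; the short
    suffix here keeps the demonstration fast.
    """
    for n in range(10 ** suffix_digits):
        candidate = f"{prefix}{n:0{suffix_digits}d}"
        if hash_number(candidate) == target_hex:
            return candidate
    return None


def recover_non_users(prefix: str = "+35387123",
                      suffix_digits: int = 4) -> List[Optional[str]]:
    """Run the match, then reverse every unmatched (non-user) hash."""
    _, unmatched = contact_match(ADDRESS_BOOK, REGISTERED_USERS)
    return [recover_number(h, prefix, suffix_digits) for h in unmatched]


if __name__ == "__main__":
    matched, unmatched = contact_match(ADDRESS_BOOK, REGISTERED_USERS)
    print(f"{len(matched)} matched, {len(unmatched)} non-user hashes retained")
    print("non-users recovered from hashes:", recover_non_users())
```

The point for a practitioner is that "we only keep a hash" is not a pseudonymisation control for low-entropy identifiers: whoever holds the hash and knows the number format can recover the number, so the non-user's number must be treated as personal data throughout.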
As WhatsApp acts as a controller of this non-user personal data, the DPC found that it had failed to comply with its obligations to those non-users under Article 14 of the GDPR. Importantly, the DPC noted that even if WhatsApp could rely on the exception to notification in Article 14(5)(b) GDPR (that providing the information would involve a disproportionate effort), it would still be required to "take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available."
The DPC also considered how WhatsApp discharged its obligations to its users under Articles 12 and 13 of the GDPR. On Article 13, the DPC concluded that WhatsApp had failed to comply with a number of its key provisions, including the requirement to communicate the purposes of processing under Article 13(1)(c) and the requirement to communicate the recipients of the personal data under Article 13(1)(e). The DPC described the information provided to data subjects in this regard as "unnecessarily confusing and ill-defined", and importantly noted that where links and layering are used on a website or in an app to communicate information to data subjects, they should be used in a considered way that ensures the concise and meaningful delivery of the required information.
On the sharing of personal data between WhatsApp and other Facebook companies, the DPC noted that the relevant information was spread across a number of different texts, and considered it unfair to expect a user to search the entire WhatsApp website to work out how their data were shared with other Facebook companies. The DPC found that certain elements of the privacy notice indicating that personal data were shared with other Facebook companies were misleading, and ordered WhatsApp to delete those sections so that the notice reflects the true position of the processing. Notably, the DPC found that the purpose WhatsApp gave for sharing data with other Facebook companies ("to promote safety and security") "communicated nothing in terms of enabling the data subject to understand how his/her personal data will be processed".
The DPC also found that WhatsApp had failed to comply with its general obligation under Article 5(1)(a) of the GDPR (the transparency principle). In considering the draft decisions, the EDPB noted that WhatsApp's cumulative breaches of Articles 12 to 14 meant it had failed to provide over 41% of the information required under the GDPR to users, and that there had been a "total failure" to provide non-users with the required information. The DPC was therefore directed to amend its draft decision to include a finding of an infringement of the transparency principle.
The Decision runs to 266 pages, but it contains important lessons and nuances on how Articles 12 to 14 should be complied with. It reinforces the need for clear and consistent information to be communicated to all potential data subjects of an app or online service (users and non-users alike), and for information on data sharing between group entities to be specific enough to let data subjects exercise their rights in relation to that sharing. Both granular and overarching transparency obligations to all relevant and potential data subjects have been scrutinised by the DPC and the EDPB. Organisations should consider not only the information they provide to data subjects under the GDPR but also the way in which it is presented, which may involve reviewing interlinked policies, embedding links to other notices within a policy, or using a layered approach to fulfil transparency obligations.
The level of the fine, and the development of factors for calculating turnover, are also significant and could have a bearing on the size of future fines. The full reputational impact of the Decision on WhatsApp remains to be seen.
Please get in touch with any member of the European data protection team if you have any questions about the decision and its impact on your organisation.