At €225 million, the Irish Data Protection Commission (the “DPC”) has imposed its largest administrative fine to date on WhatsApp Ireland Limited (“WhatsApp”) for breaches of transparency obligations under the General Data Protection Regulation (the “GDPR”). The DPC’s decision and related findings by the European Data Protection Board (the “EDPB”) raise a number of points for all organisations to consider, particularly regarding their privacy notices and transparency measures.

Background

On 10 December 2018, the DPC commenced an own volition inquiry (the “Inquiry”) concerning WhatsApp’s compliance with its obligations under Articles 12, 13 and 14 of the GDPR. The Inquiry was prompted by the common theme across a number of individual complaints concerning information provided by WhatsApp regarding its data processing activities and a mutual assistance request from the Federal German Supervisory Authority. Following a lengthy investigation, the DPC submitted a draft decision (the “Draft Decision”) to other data protection authorities (referred to as ‘concerned supervisory authorities’ (“CSAs”)) under Article 60 of the GDPR in December 2020. The DPC subsequently received a number of objections from CSAs and found that there was no single proposed compromise position that was agreeable to all of the relevant CSAs. The DPC submitted these unresolved objections to the European Data Protection Board (the “EDPB”) for a binding decision under Article 65(1)(a) of the GDPR.

In its binding decision, the EDPB reached a number of conclusions in relation to the Draft Decision and WhatsApp’s infringements of the GDPR, and instructed the DPC to re-assess the administrative fine it had initially envisaged, between €30 million and €50 million, in accordance with these conclusions.

Key takeaways for organisations

Lack of transparency in ‘Legal Basis Notice’

One of the areas of focus of both the EDPB and the DPC which will be of particular interest to organisations was the analysis of the ‘Legal Basis Notice’ published by WhatsApp to users of the platform. WhatsApp provided users with information on the use of ‘legitimate interests’ as a legal basis for processing personal data under Article 6(1)(f) of the GDPR, by way of a series of bullet points, under identified objectives, so that users could clearly identify which legitimate interests were being pursued by WhatsApp under each identified objective.

The EDPB relied heavily on the Transparency Guidelines in its consideration of objections to the DPC’s draft decision regarding WhatsApp’s transparency measures. In essence, the EDPB took the view that WhatsApp’s transparency measures failed to provide sufficiently specific details regarding its processing activities. In particular, according to the EDPB these measures were insufficiently clear regarding what specific legitimate interests were being pursued for each processing activity based on ‘legitimate interests’, and in some cases what legal basis applied to certain types of processing.

The EDPB also identified certain similarities between the examples of non-transparent or “poor practice” information set out in the Transparency Guidelines and information set out in WhatsApp’s Legal Basis Notice, and used the following extracts as examples:

  • “For providing measurement, analytics, and other business services where we are processing data as a controller […]”;
  • “The legitimate interests we rely on for this processing are: […] In the interests of businesses and other partners to help them understand their customers and improve their businesses, validate our pricing models, and evaluate the effectiveness and distribution of their services and messages, and understand how people interact with them on our Services”

The EDPB considered that data subjects were not in a position to exercise their data subject rights in connection with these descriptions of WhatsApp’s processing activities, since it was unclear what was meant by “other business services”, as WhatsApp did not disclose this information or provide a connection to the specific legitimate interest. It further noted that it was unclear which businesses or partners WhatsApp refers to.

According to the EDPB, high level descriptions of the legitimate interest being pursued as the basis for processing, such as “to create, provide, support and maintain innovative Services and features…”, do not meet the level of clarity required by Article 13(1)(d) GDPR. In its final decision, which was adopted in light of the EDPB’s decision, the DPC found that, with respect to the quality and presentation of information generally provided to users, insufficient detail had been provided in relation to the processing operations that will be grounded upon other legal bases, and the information provided was furnished in a piecemeal fashion that required the user to link in and out of various different sections of the Privacy Policy as well as the Terms of Service.

Apart from these findings relating specifically to the application of Article 13, the EDPB and the DPC also made important findings regarding, among other things, Article 14 of the GDPR (which applies where personal data is collected otherwise than directly from the data subjects) and how administrative fines for non-compliance should be calculated.

What’s next?

Under section 142 of the Data Protection Act 2018, WhatsApp has 28 days from the date of notification of the DPC’s decision to appeal to the Irish High Court. If it does and is successful, then elements of the DPC’s decision might be overturned (subject to any further appeal and/or referral of any matters to the Court of Justice of the European Union). Pending any such further developments, organisations should review and consider their own privacy notices and transparency measures in light of the conclusions drawn by the DPC and EDPB with respect to WhatsApp’s Legal Basis Notice. In particular, organisations should examine the level of detail provided regarding their processing activities.