On 20 August 2021, the Irish data regulator – the Data Protection Commission (DPC) - fined WhatsApp a record €225M for a series of cross-border data protection infringements under the General Data Protection Regulation (GDPR). The fine followed a lengthy investigation and enforcement process which began in 2018 and involved the DPC’s proposed decision and sanctions being rejected by its counterpart European data protection regulators, resulting in a referral to and ruling from the European Data Protection Board.

We set out below the relevant background, the main elements of the DPC and EDPB decisions and our commentary on their broader implications.

The Allegations

Following the introduction of the GDPR on 25 May 2018, the DPC received a number of complaints from users and non-users of WhatsApp’s services, involving alleged breaches of transparency and data subject information obligations under articles 12, 13 and 14 of the GDPR. Those Articles include requirements to provide information to data subjects in a “a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12(1)) and to provide data subjects with specified information, including “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing” (Article 13(1)(c) and Article 14(1)(c)).

The DPC also received a mutual assistance request from the German data regulator. The request again centred on transparency obligations, specifically in the context of evidence of possible sharing of personal data between WhatsApp and a variety of affiliated Facebook companies.

Given its status as lead supervisory authority under Article 56 GDPR - owing to WhatsApp’s main EU establishment being located in Ireland - the DPC commenced an own-volition enquiry under Section 110 of the Irish Data Protection Act 2018 on 10 December 2018.

The DPC's Enquiry

Having investigated the alleged GDPR breaches, the DPC circulated a draft decision to its EU data regulation authority counterparts on 24 December 2020, proposing a fine of between €30m and €50m and the imposition of a corrective order requiring WhatsApp to take steps to remedy the breaches identified.

Eight European regulators objected to aspects of the draft decision, including the following:

  • In relation to Article 13(1)(d) GDPR, it was objected that the DPC;
    • did not adequately address whether WhatsApp had explained both why and how data subjects’ data would be processed, but conflated the two, without providing any specific information about processing.
    • did not adequately consider whether WhatsApp’s explanation of why data was being processed was “clear and transparent enough for the data subject to understand”, in circumstances where it provided different potential reasons for processing and made vague references to “legitimate interest” and/or “interests of business and other partners”.
    • Objections were raised to the DPC’s finding that a phone number of a non-user subjected to lossy hashing (a type of processing) was not personal information because the processed number could not be linked to an individual;
  • There was also criticism of:
    • The limited scope of the DPC’s investigation, including (a) failure to consider which data processing took place and (b) inadequate consideration of which data of WhatsApp users and non-users was disclosed to Facebook.
    • The leniency of the DPC’s proposed corrective order, including a six-month period to address the issues identified; and
    • The leniency of the DPC’s proposed fine. The concerns expressed in this context focused specifically on:
    • The DPC’s interpretation of Article 83(3) GDPR, which, in cases where breaches ranging in severity occurred concurrently, saw the DPC focus only on the most severe breach; and
    • The amount of the proposed fine, being such that it was “hardly noticeable” to WhatsApp and did “not meet the requirements of Article 83(1) GDPR of being effective, dissuasive and proportionate”.

The DPC and the concerned supervisory authorities were ultimately unable to reach an agreement on these issues, such that the matter was referred to the European Data Protection Board under Article 65 GDPR, which oversees the GDPR on a European level.

THE EUROPEAN DATA PROTECTION BOARD’S DECISION

The EDPB adopted an Article 65 dispute resolution decision on 28 July 2021. The decision broadly upheld the objections raised by the DPC’s European counterparts, finding that:

  • Article 13(1)(d) GDPR had been breached, with the EDPB noting a lack of clarity in WhatsApp’s Legal Basis Notice. Specifically, it had “… not specified the provided information with regard to the corresponding processing operation, such as information about what categories of personal data are being processed for which processing pursued under basis (sic) of each legitimate interest respectively. The Legal Basis Notice does not contain such specific information in relation to the processing operation(s) or set of operations involved”;
  • The phone number of a non-user subjected to lossy hashing was, in fact, personal information. A key factor was that a lossy hashed number could be linked with a small group of individuals, which, when viewed alongside gender information, could be further narrowed.
  • A six-month period for compliance with the terms of the order was unduly lenient and, if granted, would lead to regulators coming under pressure to allow smaller organisations even more generous deadlines for compliance, which was “not appropriate and proportionate in view of ensuring compliance with the GDPR”. A three-month period was instead stipulated.
  • The DPC had interpreted Article 83(3) GDPR incorrectly. The consequence of the DPC’s approach was that “… it would not matter if a controller committed one or numerous infringements of the GDPR, as only one single infringement, the gravest infringement, would be taken into account when assessing the fine”.
  • The DPC’s proposed fine was inadequate, given the combined global annual turnover of WhatsApp and Facebook, the nature of the breaches and the relevant aggravating factors. The proposed fine also failed to “adequately reflect the seriousness and severity of the infringements” or have “a dissuasive effect” on WhatsApp.

The EDPB did not uphold the objection about the scope of the DPC’s investigation, finding that there was no evidence that an expanded scope of investigation would have led to a different conclusion regarding breaches of the GDPR.

THE DPC’S FINAL DECISION

Following the EDPB’s decision, the DPC issued its final decision on 20 August 2021 which revised the terms of its proposed order and imposed a fine on WhatsApp of €225M.

By way of attempted mitigation, WhatsApp made a variety of arguments, including that:

  1. The DPC’s views represented new and subjective interpretations of GDPR transparency provisions and/or an alternative or higher standard of compliance, of which WhatsApp had not received prior notice.
  2. The DPC had adopted a “binary” approach to compliance, failing to take into account instances in which some (but not all) required information had been provided to data subjects.
  3. WhatsApp had made careful and good faith efforts to achieve compliance with the transparency provisions.
  4. WhatsApp’s approach was aligned with the approach adopted by many industry peers.
  5. WhatsApp had engaged with the Commission pre-GDPR with a view to ensuring compliance.

The DPC did not accept arguments 1,2,4 and 5, albeit in relation to 2, efforts to provide some required information could be taken into account when determining appropriate sanctions.

The DPC took a particularly robust stance in relation to points 4 and 5, finding respectively that:

  1. “… an industry-wide failure (if this is, in fact, the case) to achieve compliance with the transparency requirements is a poor reflection on that industry; it is not, however, evidence of a position whereby data controllers in this particular sector are unable to identify what is required of them, in terms of transparency [under the GDPR]”; and
  1. It “… is not appropriate for WhatsApp to seek to make the Commission (even partially) responsible for its compliance with the GDPR.”

In relation to point 3, the DPC accepted that some efforts towards compliance had been made but that they fell “significantly short” of what was required.

WhatsApp has indicated that it intends to appeal the decision.

Comment

While the scale of the fine imposed on WhatsApp by the DPC, under pressure from other concerned supervisory authorities and the EDPB, has produced much commentary, there are various points in the decisions of the EDPB and DPC which provide useful guidance for the future on the specific operation of various GDPR provisions:

  1. Article 6(1)(f) GDPR provides that the processing of personal data shall be lawful only if, amongst other things “… (f) processing is necessary for the purposes of the legitimate interests pursued by the controller …”. Article 13(1)(d) GDPR provides that where personal data relating to a data subject is collected from the data subject, the controller shall, at the time when that data is obtained, provide the data subject with “(d) … the legitimate interests pursued by the controller …”. The EDPB’s WhatsApp decision makes clear that for a data controller to comply with Article 13(1)(d), the specific legitimate interest must be identified for each relevant processing activity. Not merely is this considered to be the only way to ensure that data subjects might exercise their rights under the GDPR; it is also the case that the cumulative effect of failures in this regard could (and in the WhatsApp case did) amount to a failure to ensure transparency in breach of the transparency principle under Article 5(1)(a) GDPR. Indeed, this was a ground of GDPR infringement by WhatsApp as identified by the EDPB which had not been referenced in the draft DPC decision, and which ultimately constituted a material element of the €225m fine imposed. In practical terms, therefore, the WhatsApp decision reinforces the need for data controllers to ensure that their privacy notices contain sufficiently granular detail as to what personal data is being collected, each processing purpose and the legitimate interest pursued in relation to each such process;
  2. The EDPB also clarified that where multiple violations have occurred in the context of the same or associated processing activities, all violations are material to the fine to be imposed under Article 83(3) GDPR, albeit the total fine should not exceed the amount specified for the most serious violation;
  3. Consistent with European case law on the meaning of “undertaking”, the total turnover of an undertaking (in this case, both WhatsApp and Facebook) can be taken into account in determining whether a penalty decided upon (here, against WhatsApp) is “effective, proportionate and dissuasive”; and
  4. In the context of personal data transfers outside the EU, Article 13(1)(f) GDPR provides that “where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information: … (f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission …”. The DPC decision noted that WhatsApp’s statement that transfers “may” rely on adequacy determinations was inadequate: Article 13(1)(f) required a clear identification by the data controller as to whether or not an adequacy decision existed to facilitate the third country data transfer in question.

As a final point, the EDPB WhatsApp decision re-emphasises the interest taken by other European regulators in the performance of the Irish DPC as EU lead supervisory authority for a number of the world’s largest technology companies, given the concentration in Ireland of such companies’ EU main establishments. The DPC’s prior draft decision in a GDPR infringement case involving Twitter was approved by the EDPB in December 2020, despite the objections of other concerned supervisory authorities. This included approval of a proposed DPC fine of €450,000 in the context of infringement of Article 33(1) and 33(5) GDPR i.e. Twitter’s failure to notify a data breach on time and failure to adequately document the breach. It is clear from the WhatsApp decision, however, that more systemic breaches of the GDPR principle of transparency will not merely command far higher fines, but also sustained EDPB and regulator-on-regulator scrutiny for GDPR enforcement purposes.