Data Protection Commission announces conclusion of inquiry into WhatsApp
19th January 2023
The Data Protection Commission (“DPC”) has today announced the conclusion of an inquiry into the processing carried out by WhatsApp Ireland Limited (“WhatsApp Ireland”) in connection with the delivery of its WhatsApp service, in which it has fined WhatsApp Ireland €5.5 million (for breaches of the GDPR relating to its service). WhatsApp Ireland has also been directed to bring its data processing operations into compliance within a period of six months.
The inquiry concerned a complaint made on 25 May, 2018 by a German data subject about the WhatsApp service. In advance of 25 May 2018, the date on which the GDPR came into operation, WhatsApp Ireland updated its Terms of Service, and informed users that if they wished to continue to have access to the WhatsApp service following the introduction of the GDPR, existing (and new) users were asked to click “agree and continue” to indicate their acceptance of the updated Terms of Service. (The services would not be accessible if users declined to do so).
WhatsApp Ireland considered that, on accepting the updated Terms of Service, a contract was entered into between WhatsApp Ireland and the user. It also took the position that the processing of users’ data in connection with the delivery of its service was necessary for the performance of that contract, to include the provision of service improvement and security features, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the “contract” legal basis for processing).
The complainant contended that, contrary to WhatsApp Ireland’s stated position, WhatsApp Ireland was in fact seeking to rely on consent to provide a lawful basis for its processing of users’ data. They argued that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, WhatsApp Ireland was in fact “forcing” them to consent to the processing of their personal data for service improvement and security. The complainant argued that this was in breach of the GDPR.
Following a comprehensive investigation, the DPC prepared a draft decision and submitted it to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (“CSAs”) in accordance with Article 60 GDPR. Notably, the DPC found that:
- In breach of its obligations in relation to transparency, information in relation to the legal basis relied on by WhatsApp Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR. The DPC considered that a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) of the GDPR. The DPC, having already imposed a very substantial fine of €225 million on WhatsApp Ireland for breaches of this and other transparency obligations over the same period of time, did not propose the imposition of any further fine or corrective measures, having done so already in a previous inquiry. All 47 CSAs agreed with this element of the DPC’s draft decision.
- In circumstances where the DPC found that WhatsApp Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data, the “forced consent” aspect of the complaints could not be sustained. From there, the DPC went on to consider whether WhatsApp Ireland was obliged to rely on consent as its legal basis in connection with the delivery of the service, including for service improvement and security purposes. Here, the DPC found that WhatsApp Ireland was not required to rely on consent. No CSA raised an objection to this analysis and, accordingly, this element of the complaint has been rejected. The German Supervisory Authority with which the complaint was originally lodged is now responsible for adopting a separate decision for those parts that have been rejected and notifying it to the complainant and informing WhatsApp Ireland in accordance with Article 60(9) GDPR.
The DPC went on to consider whether, in principle, the GDPR precluded WhatsApp Ireland’s reliance on the contract legal basis it asserted and concluded it was not precluded.
Six of the 47 CSAs raised objections and took the view that WhatsApp Ireland should not be permitted to rely on the contract legal basis on the basis that the delivery of service improvement and security could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.
The DPC disagreed, reflecting its view that the WhatsApp service includes, and indeed appears to be premised on, the provision of a service that includes service improvement and security. In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service.
Having engaged with the CSAs, it became clear that a consensus could not be reached. Consistent with its obligations under Article 60(4) GDPR, the DPC then referred the matters in dispute to the European Data Protection Board (“the EDPB”).
The EDPB adopted its determination on 5 December 2022.
The EDPB determination rejected a number of objections raised by the CSAs. They also upheld the DPC’s position in relation to the breach by WhatsApp Ireland of its transparency obligations, subject only to the insertion of an additional breach (of the Article 5(1)(a) “fairness” principle). However, the EDPB took a different view to the DPC on the legal basis question, finding that, as a matter of principle, WhatsApp Ireland was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security.
The final decision adopted by the DPC on 12 January 2023 reflects the EDPB’s binding determination, as set out above. Accordingly, the DPC’s decision includes findings that WhatsApp Ireland is not entitled to rely on the contract legal basis for the delivery of service improvement and security (excluding what the EDPB terms as “IT security”) for the WhatsApp service, and that its processing of this data to-date, in purported reliance on the contract legal basis, amounts to a contravention of Article 6(1) of the GDPR.
In terms of sanctions, and in light of this additional infringement of the GDPR, the DPC has imposed an administrative fine of €5.5 million on WhatsApp Ireland, and ordered that WhatsApp Ireland must bring its processing operations into compliance with the GDPR within a period of 6 months.
Separately, the EDPB has also purported to direct the DPC to conduct a fresh investigation that would span all of “WhatsApp IE’s processing operations in its service in order to determine if it processes special categories of personal data (Article 9 GDPR), processes data for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, and in order to determine if it complies with the relevant obligations under the GDPR.”
The DPC’s decision naturally does not include reference to fresh investigations of all WhatsApp data processing operations that were directed by the EDPB in its binding determination. The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR. To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the European Union in order to seek the setting aside of the EDPB’s direction.