Inquiry into TikTok Technology Limited
The Data Protection Commission (DPC) adopted its final decision regarding its inquiry into TikTok Technology Limited (TTL) on 1 September 2023.
This own-volition inquiry sought to examine the extent to which, during the period between 31 July 2020 and 31 December 2020 (the Relevant Period), TTL complied with its obligations under the GDPR in relation to its processing of personal data relating to child users of the TikTok platform in the context of:
- Certain TikTok platform settings, including public-by-default settings as well as the settings associated with the ‘Family Pairing’ feature; and
- Age verification as part of the registration process.
As part of the inquiry, the DPC also examined certain of TTL’s transparency obligations, including the extent of information provided to child users in relation to default settings.
At the conclusion of its investigation, the DPC submitted a draft decision to all Supervisory Authorities Concerned (CSAs), for the purpose of Article 60(3) GDPR, on 13 September 2022. The DPC’s draft decision proposed findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1) and 13(1)(e) GDPR, in relation to the above processing. While there was broad consensus on the DPC’s proposed findings, objections to the draft decision were raised by the Supervisory Authorities (each an SA, collectively SAs) of Italy and Berlin (acting on behalf of itself and the Baden-Württemberg SA).
The objection raised by the Berlin SA sought the inclusion of an additional finding of infringement of the Article 5(1)(a) GDPR principle of fairness as regards ‘dark patterns’ while the objection raised by the Italian SA sought to reverse the DPC’s proposed finding of compliance with Article 25 GDPR, as regards TTL’s approach to age verification during the Relevant Period. The DPC was unable to reach consensus with the CSAs on the subject-matter of the objections and, in the circumstances, decided to refer the objections to the EDPB for determination pursuant to the Article 65 GDPR dispute resolution mechanism.
The European Data Protection Board adopted its binding decision on the subject matter of the objections on 2 August 2023 with a direction that the DPC must amend its draft decision to include a new finding of infringement of the Article 5(1)(a) GDPR principle of fairness, further to the objection raised by the Berlin SA, and to extend the scope of the existing order to bring processing into compliance, to include reference to the remedial work required to address this new finding of infringement.
The DPC’s decision, which was adopted on 1 September 2023, records findings of infringement of Articles 5(1)(c), 5(1)(f), 24(1), 25(1), 25(2), 12(1), 13(1)(e) and 5(1)(a) GDPR.
The decision further exercises the following corrective powers:
- A reprimand;
- An order requiring TTL to bring its processing into compliance by taking the action specified within a period of three months from the date on which the DPC’s decision is notified to TTL; and
- Administrative fines totalling €345 million.
For more information, you can download the full decision at this link: Inquiry into TikTok Technology Limited - September 2023 (PDF, 5.9mb).

Inquiry into Galway County Council
This inquiry sought to assess whether Galway County Council was processing personal data in compliance with the GDPR and the Data Protection Act 2018. The inquiry examined a number of the Council’s processing operations, including its use of CCTV cameras in public places for the purpose of prosecuting crime and for other purposes.
The findings made in the decision include:
- Findings that Galway County Council lacked a valid legal basis for processing of personal data from CCTV, ANPR and body-worn cameras.
- Findings that Galway County Council failed to erect appropriately worded and located signage in respect of the processing of personal data collected via these CCTV cameras for purposes related to law enforcement.
The other findings in the decision include infringements relating to Galway County Council’s obligations to carry out data protection impact assessments, to maintain data logs for specific accesses to CCTV recordings, and to implement appropriate technical and organisational measures.
Corrective Powers Exercised:
- A temporary ban on the processing of personal data through CCTV cameras and ANPR cameras at a number of locations until a valid legal basis can be identified.
- A temporary ban on the processing of personal data through body-worn cameras until a valid legal basis can be identified.
- An order to Galway County Council to bring its processing of personal data into compliance by taking certain actions specified in the decision.
- A reprimand in respect of Galway County Council’s infringement of Article 24 GDPR.
For more information, you can download the full decision at this link: Inquiry into Galway County Council - August 2023 (PDF, 2.6mb).
Inquiry into Airbnb Ireland UC
On 20 July 2023, following an inquiry the Data Protection Commission (DPC) adopted a decision to exercise corrective powers on Airbnb Ireland UC (Airbnb).
The DPC commenced this inquiry on 22 December 2022, on foot of a complaint that Airbnb failed to comply with an access request and subsequent erasure request within the statutory timeframe and, further, that when the Complainant submitted their access and erasure requests, Airbnb requested that they verify their identity by providing a photocopy of their identity document (ID), which they had not previously provided to Airbnb.
The scope of the inquiry concerned an examination and assessment of the following:
1) Whether Airbnb’s provision of the personal data and information concerning the processing of that personal data in response to the Complainant’s access request was compliant with the GDPR and the Data Protection Act 2018.
2) Whether Airbnb’s handling of the Complainant’s access request was compliant with the GDPR and the Act insofar as the information provided to the Complainant was in a concise, transparent, intelligible and easily accessible form using clear and plain language as specified by Article 12(1) of the GDPR.
3) Whether Airbnb’s handling of the Complainant’s erasure request was compliant with the GDPR and the Act.
4(a) Whether Airbnb had a lawful basis for requesting a copy of the Complainant’s ID and, upon their refusal to provide same, whether Airbnb had a lawful basis to thereafter request a telephone call in order to verify the Complainant’s identity, in circumstances where they had submitted a request for access and erasure pursuant to Articles 15 and 17 GDPR; and
4(b) Whether Airbnb’s obligation to provide information on action taken in response to the access and erasure requests without undue delay pursuant to Article 12(3) GDPR was suspended until after the verification of the Complainant’s identity by phone call.
As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion.
As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR.
The DPC adopted its decision in respect of this Complaint in accordance with Article 60(7) of the GDPR.
The decision, which was adopted on 20 July 2023, records findings of infringement as follows:
- Article 5(1)(c) of the GDPR
The DPC finds that Airbnb’s request that the Complainant verify their identity by way of submission of a copy of their ID constituted an infringement of the principle of data minimisation under Article 5(1)(c) of the GDPR. This infringement occurred in circumstances where less data-intensive means of verifying the Complainant’s identity were available to Airbnb.
- Article 6(1)(f) of the GDPR
The DPC finds that, in the specific circumstances of this Complaint, the legitimate interest pursued by Airbnb did not constitute a valid lawful basis under Article 6(1)(f) of the GDPR for seeking a copy of the Complainant’s ID in order to process the Complainant’s access and erasure requests.
- Article 15(1) of the GDPR
The DPC finds that Airbnb infringed Article 15(1) of the GDPR at the time of first processing the Complainant’s access request by not providing the Complainant with access to all of their personal data that was being processed by Airbnb on the date of receipt of their access request.
- Article 12(1) of the GDPR
The DPC finds that Airbnb infringed Article 12(1) of the GDPR at the time of first processing the Complainant’s access request by failing to provide the Complainant with an access file in a concise, transparent, intelligible and easily accessible form.
- Article 12(3) of the GDPR
The DPC finds that Airbnb failed to provide information to the Complainant on the actions taken on their access and erasure requests within one month of receipt of the requests and therefore failed in its obligations under Article 12(3) of the GDPR.
Corrective Powers Exercised:
- An order for Airbnb to revise its internal policies and procedures regarding its default practice of providing a cover email in English when a data protection rights request is received outside the privacy portal.
- A reprimand to Airbnb Ireland UC pursuant to Article 58(2)(b) of the GDPR.
For more information, you can download the full decision at this link: Inquiry into Airbnb Ireland UC - July 2023 (PDF, 4.5mb).
Inquiry concerning Airbnb Ireland UC
On 21 June 2023, following an inquiry concerning a complaint received against Airbnb Ireland UC (Airbnb), the Data Protection Commission (the DPC) adopted a decision.
The DPC commenced this inquiry on 4 March 2022, on foot of a complaint that Airbnb had unlawfully requested a copy of the Complainant’s identity document (ID) in order to verify their identity, where no such document had previously been requested by Airbnb. The Complainant further contended that this went against the principle of data minimisation and that Airbnb had also failed to comply with the principles of transparency and provision of information. Initial attempts by the Complainant to verify their identity had been rejected by Airbnb because the ID provided did not meet its criteria. Ultimately the Complainant verified their identity.
The scope of the inquiry concerned an examination and assessment of the following:
- Whether Airbnb had a lawful basis for processing a copy/copies of the Complainant’s ID and/or photograph/s in order to verify their identity, in particular in circumstances where they, as a registered member/host with Airbnb, had not previously provided their ID to Airbnb.
- Whether Airbnb complied with the principle of data minimisation when requesting a copy of the Complainant’s ID and/or photograph/s in order to verify their account and when processing data relating to same.
- Whether Airbnb complied with the Conditions for Consent by making the Complainant’s continued use of/access to their account and the service conditional on the Complainant submitting their ID and/or photograph/s in order to verify their identity and the processing of this personal data.
- Whether Airbnb complied with principles of transparency and provision of information where the Complainant’s personal data was collected.
As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion. As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR. The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR.
The decision, which was adopted on Wednesday, 21 June 2023, records findings of infringement as follows:
- Article 5(1)(c) and Article 5(1)(e) of the GDPR
The DPC found that Airbnb’s retention of a copy of the Complainant’s identity documentation following the successful completion of the identity verification process infringed the principle of data minimisation in Article 5(1)(c) and the principle of storage limitation in Article 5(1)(e). Furthermore, the DPC found that the continued processing and retention of partially redacted and out-of-date identity documents that had been deemed inadequate or insufficient to verify the identity of the Complainant also infringed the principle of data minimisation set out in Article 5(1)(c) and the principle of storage limitation set out in Article 5(1)(e).
Following consultation with the supervisory authorities concerned, the DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. In light of the infringements of Article 5(1)(c) and Article 5(1)(e) the DPC issued a reprimand to Airbnb pursuant to Article 58(2)(b) of the GDPR. In addition, the DPC made the following orders against Airbnb pursuant to Article 58(2)(d) to remedy the infringements identified in this case and to prevent similar infringements occurring with regard to data subjects in the future in similar circumstances:
- Delete from all of its systems and records the redacted and out-of-date copies of the Complainant’s identity documents that the Complainant attempted to upload.
- Delete from all of its systems and records the identity documents that the Complainant uploaded (keeping only a record that such documentation was submitted as well as the date of submission).
- Subject to compliance with EU and Member State law, revise its internal policies and procedures concerning user identity verification to ensure that (i) once the identity of data subjects has been verified to Airbnb’s satisfaction, Airbnb discontinues the practice of retaining improperly redacted and/or out-of-date identity documents that may be submitted by data subjects as part of the identity verification process, and (ii) the period for which valid or fraudulent/illegitimate identification documents (which includes identification documents validly redacted in accordance with laws which require certain redactions) submitted by data subjects as part of the identity verification process are stored is limited to a strict minimum (in accordance with Recital 39 of the GDPR).
For more information, you can download the full decision at this link: Inquiry concerning Airbnb Ireland UC - June 2023 (PDF, 6.24mb).
Inquiry concerning the Department of Health
The Data Protection Commission (DPC) has completed an inquiry into certain aspects of the Department of Health’s processing of personal data in 29 litigation files. The inquiry was commenced following public allegations in 2021 that the Department had unlawfully collected and processed personal data about plaintiffs and their families in special educational needs litigation.
On the files examined, the DPC found evidence that the Department sought information from the HSE about services that were provided to plaintiffs and their families. The Department also included broadly worded questions asking the HSE to share “any other issues HSE feels worth mentioning.” This broad question resulted in the provision of private information about the lives of plaintiffs and their families.
The Department told the DPC that it processed this personal data for the purpose of determining whether an approach should be made to the plaintiff to seek to settle the case. The DPC considered whether the Department’s processing of the personal data for this purpose complied with data protection law. Under sections 41 and 47 of the Data Protection Act 2018, controllers can process personal data where it is necessary to provide or obtain legal advice or in the context of legal proceedings. In order to determine whether the Department had lawfully processed personal data under these provisions, the DPC applied the EU law principles of necessity and proportionality.
The DPC found that the Department did not infringe data protection law by seeking information about the services that were being provided to plaintiffs in cases where there was open litigation. However, the DPC found that the Department did infringe data protection law by asking broad questions that resulted in the provision of sensitive information about the private lives of plaintiffs and their families. This information included details about plaintiffs’ jobs and living circumstances, information about their parents’ marital difficulties and, in one case, information received directly from a doctor about the services that were being provided to the plaintiff.
The DPC found that the processing of information obtained in response to broad scoping questions sent to the HSE for the purposes of seeking to settle a case was excessive and disproportionate to the aims pursued by the Department and that the processing for this reason was not necessary for the purposes of litigation. Therefore the DPC found that there was no lawful basis for this processing in the files examined, and that the Department had infringed the principle of data minimisation by processing this personal data.
Having regard to the relevant factors under the GDPR and the fining cap for public authorities under the Data Protection Act 2018, the DPC decided to impose a fine of €22,500 for these infringements. The DPC also imposed a ban on further processing the sensitive data in the files examined for the purposes of determining an appropriate time to settle a case.
During the inquiry, the DPC found that the Department retained other information that it had collected from the HSE and that it had received from other government departments on its files. The DPC did not find evidence on the 29 litigation files examined that the Department had proactively sought information from other government departments. The DPC also did not find an infringement of data protection law arising from the fact that the Department stored this information for the purposes of defending litigation. The files relate to active litigation and the DPC recognised that there are a number of obligations that require defendants to retain documents that relate to open litigation.
Additionally, the DPC found infringements of the transparency obligations under the GDPR. The inquiry found that the Department did not include details of its practices in its privacy notice. In particular, the privacy notice did not convey the extent of information sharing that took place between the Department and the HSE. The DPC found that the Department could not rely on any exemptions under the Data Protection Act 2018 to avoid providing summary information about those practices in its privacy policy.
The DPC also found that the Department had infringed the requirements to process personal data securely. The inquiry found that the Department ought to have ensured that better internal access restrictions were in place in relation to the files.
In addition to the fine and ban on processing outlined above, a reprimand was imposed for all of the infringements.
For more information, you can download the full decision at this link: Inquiry concerning the Department of Health - June 2023 (PDF, 1.35mb).
Inquiry concerning data transfers from the EU/EEA to the US by Meta Platforms Ireland Limited for its Facebook service
This inquiry examined the basis upon which Meta Platforms Ireland Limited (“Meta Ireland”) transfers personal data from the EU/EEA to the US in connection with the delivery of its Facebook service.
The decision records that Meta Ireland infringed Article 46(1) GDPR when it continued to transfer personal data from the EU/EEA to the USA following the delivery of the Court of Justice of the European Union’s (CJEU’s) judgment in Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems. While Meta Ireland effected those transfers on the basis of the updated Standard Contractual Clauses (“SCCs”) that were adopted by the European Commission in 2021 in conjunction with additional supplementary measures that were implemented by Meta Ireland, the DPC found that these arrangements did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the CJEU in its judgment.
The inquiry was initially commenced in August 2020, and was subsequently stayed by Order of the High Court of Ireland, pending the resolution of a series of legal proceedings, until 20 May 2021. Following a comprehensive investigation, the DPC prepared a draft decision dated 6 July 2022. Notably, it found that:
- The data transfers in question were being carried out in breach of Article 46(1) GDPR; and
- In these circumstances, the data transfers should be suspended.
Under a cooperation procedure mandated by the GDPR (Article 60), the draft decision prepared by the DPC was submitted to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (“CSAs”). The nature of the processing under examination by the inquiry was such that all other EU/EEA Supervisory Authorities were engaged as CSAs for the purpose of the cooperation procedure.
On the question of Meta Ireland’s non-compliance with the GDPR, and the DPC’s proposal to make an order to suspend the data transfers, the CSAs agreed with the DPC’s decision.
A small number (four) of the 47 CSAs raised objections in relation to the corrective power that the DPC proposed to exercise by way of the draft decision. Within this subset of CSAs, all four CSAs took the view that Meta Ireland should be subject to an administrative fine for the infringement that was found to have occurred. Two of those CSAs also took the view that Meta Ireland should be ordered to take action to address the personal data that had already been unlawfully transferred to the US, i.e. the data transferred from July 2020 to the present.
The DPC disagreed, reflecting its view that the exercise of additional corrective powers, beyond the proposed suspension order, would exceed the extent of powers that could be described as being “appropriate, proportionate and necessary” to address the infringement of Article 46(1) GDPR.
Following an informal consultation process, it became clear that consensus could not be reached. Consistent with its obligations under the GDPR, the DPC referred the objections to the European Data Protection Board (“the EDPB”) for determination pursuant to the Article 65 dispute resolution mechanism.
The EDPB adopted its decision on 13 April 2023.
Corrective Powers Exercised:
Consistent with its obligations to adopt its final decision “on the basis of” the EDPB’s decision, the DPC’s decision of 12 May 2023 records the exercise of the following corrective powers by the DPC:
- An order, made pursuant to Article 58(2)(j) GDPR, requiring Meta Ireland to suspend any future transfer of personal data to the US within the period of five months from the date of notification of the DPC’s decision to Meta Ireland;
- An administrative fine in the amount of €1.2 billion (reflecting the EDPB’s determination that an administrative fine ought to be imposed, to sanction the infringement that was found to have occurred. The DPC determined the amount of the fine to be imposed by reference to the assessments and determinations that were included in the EDPB’s decision); and
- An order, made pursuant to Article 58(2)(d) GDPR, requiring Meta Ireland to bring its processing operations into compliance with Chapter V of the GDPR, by ceasing the unlawful processing, including storage, in the US of personal data of EU/EEA users transferred in violation of the GDPR, within six months following the date of notification of the DPC’s decision to Meta Ireland.
For more information, you can download the full decision at this link: Inquiry into Meta Platforms Ireland Limited (previously known as Facebook Ireland Limited) - May 2023 (PDF, 1.48mb).
Inquiry into processing of Church Records by the Archbishop of Dublin
The DPC commenced the Inquiry following receipt of a number of complaints from data subjects who wished to obtain erasure in relation to their personal data processed in church registers. All of the data subjects had written to either their parish or to the Archdiocese asking for the erasure of their data pursuant to Article 17 GDPR.
Key findings within the Decision include that:
- The Archbishop may lawfully rely on legitimate interests under Article 6(1)(f) GDPR as a legal basis for the processing of personal data of data subjects which are recorded in the Baptism Register, even in such instances where a data subject no longer wishes to be associated with the Catholic Church;
- Subject to safeguards, the Archbishop’s interests in retaining the personal data contained in the Baptism Registers are not overridden by the interests or fundamental rights and freedoms of the data subjects;
- The Archbishop may rely on the legal basis under Article 9(2)(d) of the GDPR for the processing of data subjects’ special category data during the course of their lifetime;
- The Archbishop, in processing the special category personal data in the Baptism Registers, has in place appropriate safeguards for such processing as required under Article 9(2)(d) GDPR;
- Data subjects may exercise the right to request rectification of the personal data contained in the Baptism Registers, in accordance with Article 16 GDPR;
- The Archbishop must comply with his obligations under Article 12(3) and Article 12(4) of the GDPR in order to facilitate requests in relation to data subject’s rights under Articles 15 to 22 of the GDPR;
- Data subjects who no longer consider themselves to be members of the Catholic Church do not have the right to obtain erasure of their personal data in the Baptism Registers under the grounds set out at Article 17(1)(a)-(f) of the GDPR;
- In circumstances where a data subject no longer wishes to be a member of the Catholic Church, a supplementary statement could be added by the Archbishop to the Baptism Register entry stating “No longer wishes to be identified as a Roman Catholic”.
Corrective powers exercised
The Archbishop should now make clear that all personal data collected and recorded and otherwise processed for the purposes of the administration of sacraments is permanently retained. The Archbishop is to:
i. update the Privacy Policy of the Archdiocese to identify that the Archbishop is the data controller for the processing of personal data and special category data held in all Baptism Registers within his Archdiocese;
ii. set out in the Privacy Policy the lawful basis of such processing together with the retention periods for such personal data;
iii. set out in the Privacy Policy that the subsequent administration of certain sacraments to an individual such as confirmation, marriage/annulment and ordination/laicisation (or adoption) are marked on the record in the Baptism Register, explaining why this is so;
iv. ensure that the parishes within the Archdiocese make the relevant Privacy Policy accessible and available to those undertaking sacraments.
For more information, you can download the full decision at this link: Inquiry into processing of Church Records by the Archbishop of Dublin ('the Archbishop') - February 2023
Inquiry into Bank of Ireland 365
The inquiry was commenced after Bank of Ireland (BOI) notified the DPC of a series of 10 data breaches relating to the BOI365 banking app. The data breach notifications concerned individuals gaining unauthorised access to other people’s accounts via the BOI365 app.
The decision considered whether BOI had complied with Articles 5(1)(f) and 32(1) GDPR and, in particular, whether BOI had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing of data via the BOI365 app. After investigation, the decision found that BOI had infringed its obligations under Articles 5(1)(f) and 32(1) GDPR, as the technical and organisational measures in place at the time were not sufficient to ensure the security of the personal data processed on the BOI365 app.
Corrective Powers Exercised:
- The decision issued BOI with a reprimand in respect of the infringements of Articles 5(1)(f) and 32(1) GDPR.
- The decision ordered BOI to bring its processing into compliance with Articles 5(1)(f) and 32(1) GDPR.
- The decision imposed an administrative fine on BOI in the amount of €750,000 in respect of the infringement of Article 5(1)(f) GDPR.
For more information, you can download the full decision at this link: Inquiry into Bank of Ireland 365 - February 2023 (PDF, 1.8mb).
Inquiry into Centric Health Ltd
The DPC commenced the Inquiry following a ransomware attack affecting patient data held on the patient administration system of Centric Health Ltd (Centric), which was notified to the DPC on 5 December 2019. As a result of the attack, 70,000 data subjects were affected by unauthorised access to, unauthorised alteration of, and loss of availability of their personal and special category data. Of these, 2,500 patients were permanently affected, as their data was deleted with no backup available.
The decision considered whether Centric had complied with Articles 5(1)(f), 5(2) and 32(1) GDPR and, in particular, whether Centric had implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risks associated with its processing operations.
The decision found that Centric had infringed its obligations under Articles 5(1)(f), 5(2) and 32(1) GDPR and that the processing by Centric within its Patient Administration System failed to ensure that the personal data was processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The corrective powers exercised:
- The decision issued Centric with a reprimand in respect of the infringements.
- The decision imposed an administrative fine on Centric in the amount of €275,000 in respect of the infringement of Article 5(1)(f) GDPR.
- The decision imposed an administrative fine on Centric in the amount of €50,000 in respect of the infringement of Article 5(2) GDPR.
- The decision imposed an administrative fine on Centric in the amount of €135,000 in respect of the infringement of Article 32(1) GDPR.
For more information, you can download the full decision at this link: Inquiry into Centric Health Ltd. - February 2023 (PDF, 0.67mb).
Inquiry into WhatsApp Ireland Ltd
This inquiry concerned the processing carried out by WhatsApp Ireland Limited (“WhatsApp Ireland”) in connection with the delivery of its WhatsApp service. The DPC fined WhatsApp Ireland €5.5 million for breaches of the GDPR relating to that service, and directed WhatsApp Ireland to bring its data processing operations into compliance within a period of six months.
The inquiry concerned a complaint made on 25 May 2018 by a German data subject about the WhatsApp service. In advance of 25 May 2018, the date on which the GDPR came into operation, WhatsApp Ireland updated its Terms of Service and informed users that, if they wished to continue to have access to the WhatsApp service following the introduction of the GDPR, existing (and new) users were asked to click “agree and continue” to indicate their acceptance of the updated Terms of Service. (The service would not be accessible if users declined to do so.)
WhatsApp Ireland considered that, on accepting the updated Terms of Service, a contract was entered into between WhatsApp Ireland and the user. It also took the position that the processing of users’ data in connection with the delivery of its service was necessary for the performance of that contract, to include the provision of service improvement and security features, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the “contract” legal basis for processing).
The complainant contended that, contrary to WhatsApp Ireland’s stated position, WhatsApp Ireland was in fact seeking to rely on consent to provide a lawful basis for its processing of users’ data. They argued that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, WhatsApp Ireland was in fact “forcing” them to consent to the processing of their personal data for service improvement and security. The complainant argued that this was in breach of the GDPR.
Following a comprehensive investigation, the DPC prepared a draft decision and submitted it to its peer regulators in the EU/EEA, also known as Concerned Supervisory Authorities (“CSAs”) in accordance with Article 60 GDPR. Notably, the DPC found that:
- In breach of its obligations in relation to transparency, information about the legal basis relied on by WhatsApp Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR. The DPC considered that a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) of the GDPR. The DPC, having already imposed a very substantial fine of €225 million on WhatsApp Ireland in a previous inquiry for breaches of this and other transparency obligations over the same period of time, did not propose the imposition of any further fine or corrective measures on this point. All 47 CSAs agreed with this element of the DPC’s draft decision.
- In circumstances where the DPC found that WhatsApp Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data, the “forced consent” aspect of the complaint could not be sustained. The DPC then went on to consider whether WhatsApp Ireland was obliged to rely on consent as its legal basis in connection with the delivery of the service, including for service improvement and security purposes. Here, the DPC found that WhatsApp Ireland was not required to rely on consent. No CSA raised an objection to this analysis and, accordingly, this element of the complaint has been rejected. The German Supervisory Authority with which the complaint was originally lodged is now responsible for adopting a separate decision in respect of the parts that have been rejected, notifying it to the complainant and informing WhatsApp Ireland, in accordance with Article 60(9) GDPR.
The DPC went on to consider whether, in principle, the GDPR precluded WhatsApp Ireland’s reliance on the contract legal basis it asserted and concluded it was not precluded.
Six of the 47 CSAs raised objections and took the view that WhatsApp Ireland should not be permitted to rely on the contract legal basis on the basis that the delivery of service improvement and security could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.
The DPC disagreed, reflecting its view that the WhatsApp service includes, and indeed appears to be premised on, the provision of a service that includes service improvement and security. In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service.
Having engaged with the CSAs, it became clear that a consensus could not be reached. Consistent with its obligations under Article 60(4) GDPR, the DPC then referred the matters in dispute to the European Data Protection Board (“the EDPB”).
The EDPB adopted its determination on 5 December 2022.
The EDPB determination rejected a number of the objections raised by the CSAs. It also upheld the DPC’s position in relation to the breach by WhatsApp Ireland of its transparency obligations, subject only to the insertion of an additional breach (of the Article 5(1)(a) “fairness” principle). However, the EDPB took a different view to the DPC on the legal basis question, finding that, as a matter of principle, WhatsApp Ireland was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security.
The final decision adopted by the DPC on 12 January 2023 reflects the EDPB’s binding determination, as set out above. Accordingly, the DPC’s decision includes findings that WhatsApp Ireland is not entitled to rely on the contract legal basis for the delivery of service improvement and security (excluding what the EDPB terms as “IT security”) for the WhatsApp service, and that its processing of this data to-date, in purported reliance on the contract legal basis, amounts to a contravention of Article 6(1) of the GDPR.
In terms of sanctions, and in light of this additional infringement of the GDPR, the DPC has imposed an administrative fine of €5.5 million on WhatsApp Ireland, and ordered that WhatsApp Ireland must bring its processing operations into compliance with the GDPR within a period of 6 months.
Separately, the EDPB has also purported to direct the DPC to conduct a fresh investigation that would span all of “WhatsApp IE’s processing operations in its service in order to determine if it processes special categories of personal data (Article 9 GDPR), processes data for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, and in order to determine if it complies with the relevant obligations under the GDPR.”
The DPC’s decision naturally does not include reference to fresh investigations of all WhatsApp data processing operations that were directed by the EDPB in its binding determination. The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR. To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the European Union in order to seek the setting aside of the EDPB’s direction.