AdobeStock 298229013

A lesson in transparency leads to a record fine under the GDPR for WhatsApp

WhatsApp has experienced significant backlash in regard to compliance with its transparency obligations under the General Data Protection Regulation (GDPR), and on 2 September 2021, the DPC imposed a fine of €225 million. In this article, we consider the nature of the inquiry, the challenges the DPC received from its European counterparts and the reasons for the fine. The fine highlights the importance of providing sufficient information to end users about how their data will be processed by an organisation.

The inquiry

While the fine came in 2021, the investigation by the Irish Data Protection Commission (DPC) dates back to 2018. WhatsApp Ireland Limited (WhatsApp IE), acting as the “data controller” for the internet-based messaging and calling service in Europe, has its main establishment in Ireland. When the GDPR came into force in May 2018, the DPC received a mutual assistance request (pursuant to Article 61 of the GDPR) from the German data protection authority (DPA) and a number of complaints (including 88 referred by other EU DPAs) about WhatsApp IE. In 2018, the DPC commenced an ”own-volition” inquiry that assessed the extent to which WhatsApp IE’s consumer service complied with transparency obligations under Articles 12-14 of the GDPR, in regard to users, non-users (i.e. individuals without WhatsApp IE accounts) and data sharing with companies owned by Facebook Inc.

Preliminary outcome

On 24 December 2020, the DPC circulated its Draft Decision to other DPAs in light of WhatsApp IE’s cross-border processing and as per the co-decision making process under Article 60 of the GDPR. On 21 and 22 January 2021, the Baden-Wurttemberg (DE), Dutch (NL), French (FR), German, Hungarian (HU), Italian (IT), PL and Portuguese (PT) DPAs, raised objections. In particular, the DPAs considered the proposed €30-50 million fine to be: “. . . ineffective, disproportionate and non-dissuasive.” Unable to reach consensus, the DPC referred the objections to the European Data Protection Board (EDPB) for determination pursuant to the “one-stop-shop” dispute resolution mechanism under Article 65(1)(a) of the GDPR.

The challenge

On 28 May 2021, the EDPB adopted a binding  Decision under Article 65(1) of the GDPR, which was binding upon the DPC. In light of the objections of other DPAs, the EDPB requested that the DPC broaden its decision to include a finding of infringements of WhatsApp IE’s transparency obligations under Articles 5(1)(a), 13(1)(d) and 13(2)(e) of the GDPR.[1]

Revised outcome

On 2 September 2021, the DPC announced its final Decision. It concluded that on the basis of the EDPB’s findings, WhatsApp IE had failed to comply with GDPR requirements on transparency in the following ways:

  • WhatsApp IE’s transparency information was so inaccessible and inadequate that users could not make “informed decisions”, that there was a: “. . . failure to provide 41% of the information required by Article 13” to users and a “. . . total failure” in respect of non-users.
  • WhatsApp IE did not adequately inform users about processing on the basis of law/s and legitimate interests, retention, deletion and whether users were obliged to provide certain personal data or adequacy decisions existed to support international transfers of data. The DPC also noted that the “How You Exercise Your Rights” section did not include reference to the right to withdraw consent.
  • WhatsApp IE’s reliance upon its Privacy Policy for processing non-users’ data was insufficient as: “It is unclear why a non-user . . . would have reason to seek out this information” and the information provided was: “insufficient” in any event.
  • WhatsApp IE’s information about how it works with Facebook companies: “is spread out across a wide range of texts and a significant amount of the information provided is so high level as to be meaningless.”

Pursuant to Articles 58(2)(i) and 83 of the GDPR, the DPC imposed a total fine of €225 million.  This fine is the second highest under the GDPR to date, following the record €746 million fine that the Luxembourg DPA issued against Amazon on 16 July 2021. The DPC also issued an order, for WhatsApp IE to bring its processing into compliance within 3 months. WhatsApp IE responded that: “We disagree with the decision . . . regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate”. On 15 September 2021, WhatsApp initiated legal proceedings in the High Court to appeal the decision.

While the processing activities of WhatsApp IE raise significant issues around enforcement for big tech, the lessons from this fine are relevant to other organisations as well. In particular, when anaylsing information provided to users, it is important that organisations ensure they inform users about:

  • the lawful basis under which data is processed
  • relevant retention periods and deletion protocols
  • their rights to access, correction, erasure and portability, and
  • any data sharing with group members and third parties.

In addition, information for users should be accessible, easy to understand and sufficiently specific to provide meaningful information.

Trilateral’s Data Governance and Cyber-Risk Team has extensive experience working with organisations to ensure that they remain up-ta-date with and comply with the latest developments in, data protection. Please feel free to contact our advisors, who would be more than happy to help.

 

[1] With regard to the objections by the DE, FR, HU, IT, NL and PT DPAs and the information available to it, the EDPB instructed the DPC to amend its decision to reflect that WhatsApp IE’s “lossy hashing” procedure did not lead to the anonymisation of non-users’ personal data collected when users decide to use the Contact Feature functionality. The DPC had originally reduced the proposed fine from €75-100 million to €30-50 million in its draft decision on the basis of a finding to the contrary. In light of the objections of the IT, NL and PT DPAs, the EDPB  required the DPC to amend its decision to  reflect that the infringement of Article 14 of the GDPR extended to the processing of non-users’ personal data in the form of non-user lists after the “lossy hashing” was applied.

Sanjay Patel

Sanjay Patel is Data Protection Advisor at Trilateral Research.

Rachel Finn

Rachel Finn is Senior Practice Manager at Trilateral Research.

Sign up for our newsletter

Join our mailing lists to receive updates about our latest research and to hear about our free public events and exhibitions.  If you would like to find out more about how we manage your personal information please see our privacy policy.