By Luca Bertuzzi
(EurActiv) — The Irish Data Protection Commissioner announced a €5.5 million sanction against WhatsApp on Thursday (19 January), following similar decisions against Facebook and Instagram.
The legal basis WhatsApp uses for processing personal data was found in breach of EU law. The company now has six months to implement corrective measures, namely to find a new legal basis.
The decision followed a series of similar complaints filed by the NGO NOYB, led by notorious Austrian activist Max Schrems, who challenged the way Meta’s platforms complied with the EU’s General Data Protection Regulation (GDPR).
The day before the GDPR entered into application, all Meta-owned platforms changed their terms and conditions to state that, by using the service, users agreed to the processing of their personal data for service improvement and security.
“We strongly believe that the way the service operates is both technically and legally compliant. We rely upon contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service,” a WhatsApp spokesperson told EURACTIV.
Meta designed this so-called contract model as a legal basis to process personal data in dialogue with Ireland’s Data Protection Commission (DPC), which has the lead on cases concerning most Big Tech companies as that is where they have set up their European headquarters.
For Schrems, this approach is nothing short of a ‘GDPR bypass’ as it does not allow users to opt out.
In its initial decision, the Data Protection Commissioner found Meta’s platforms in breach of transparency requirements but left the contract model intact.
However, the GDPR provides for other data protection authorities to chip in on cases where they are concerned. Where no consensus can be reached, as was the case here, the decision goes through the dispute resolution mechanism of the European Data Protection Board.
The Board issued a binding decision in December, overruling the Irish authority by declaring the contractual model in breach of the EU data protection framework. The decisions against Facebook and Instagram followed earlier this month.
The Board’s decision on WhatsApp was transmitted to Dublin with some days of delay, leading to a later closure of the inquiry. However, the penalty is much lower than those imposed on Facebook and Instagram, which amounted to €210 million and €180 million, respectively.
The huge discrepancy in the fines is because social media – as opposed to messaging services – process personal data for providing lucrative behavioural advertising. However, the extent to which WhatsApp shares data with other Meta-owned services has been controversial since Facebook acquired it.
In its decision, the Board requested the Irish authority to conduct a fresh investigation on the matter and determine whether WhatsApp processes data, particularly sensitive categories, for behavioural advertising and other purposes.
However, the DPC considers that with this request the Board overstepped its jurisdiction, as it does not have the power to mandate new inquiries to an independent authority. Therefore, the Irish watchdog announced it would seek the annulment of that part of the Board’s decision before the EU Court of Justice.
By contrast, NOYB considers that by refusing to investigate the data sharing within Meta, the DPC has unduly limited the scope of the case against WhatsApp. While the app offers an encrypted messaging service, it collects insightful metadata on the communication behaviour of its users.
“We are astonished how the DPC simply ignores the core of the case after a 4.5 year procedure. The DPC also clearly ignores the binding decision of the EDPB. It seems the DPC finally cuts loose all ties with EU partner authorities and with the requirements of EU and Irish law,” Schrems said in a statement.
As per the other two decisions against Meta’s platforms, WhatsApp said it will appeal.