The European Data Protection Board has adopted its first urgent binding decision under Article 66(2) GDPR following a request from the Hamburg supervisory authority after it had adopted provisional measures concerning Facebook Ireland under Article 66. The Hamburg authority had ordered a ban on processing WhatsApp user data by Facebook Ireland following a change in the terms of service and privacy policy applying to European users of WhatsApp Ireland.
In exceptional circumstances, when a supervisory authority considers that there is an urgent need to act to protect the rights and freedoms of data subjects within its territory, it can adopt provisional measures that have a legal effect on its own territory for a maximum of three months. These measures are adopted by way of derogation from the GDPR’s consistency mechanism (Article 63) or the One-Stop-Shop mechanism (Article 60). Article 66 enables supervisory authorities to immediately adopt provisional measures, as long as they communicate these measures and the reasons for adopting them without undue delay to the other relevant supervisory authorities, the EDPB and the European Commission.
If the supervisory authority considers that final measures need to be adopted urgently, it can request an urgent opinion or an urgent binding decision from the EDPB. In this case, the EDPB decided that the conditions to demonstrate the existence of an infringement and urgency were not met, and so no final measures needed to be adopted by the Irish DPC against Facebook Ireland.
The EDPB based its decision on the evidence provided. It concluded that there is a high likelihood that Facebook Ireland already processes WhatsApp user data as a (joint) controller for the common purposes of safety, security and integrity of WhatsApp and the other Facebook companies; and to improve the products of the Facebook companies. However, it said that because there were some inconsistencies in WhatsApp’s user-facing information, some written commitments adopted by Facebook and WhatsApp’s written submissions, the EDPB was not able to determine with certainty which processing operations were actually being carried out and in which capacity.
In addition, there was not enough information to establish with certainty whether Facebook had already started to process WhatsApp user data as a (joint) controller for its own purposes of marketing communications and direct marketing, and cooperation with the other Facebook companies. Nor could it be established whether Facebook had already started or was going to start processing WhatsApp user data as a (joint) controller for its own purpose in relation to WhatsApp Business API.
The EDPB concluded that Art. 61(8) did not apply because the Hamburg authority did not demonstrate that the DPC failed to provide information in the context of a formal request for mutual assistance under Article 61, and that there was not enough evidence to justify the urgency for the EDPB to order the DPC to adopt final measures under Article 66(2).
However, the EDPB considered that this matter requires swift further investigation. This investigation needs to verify whether, in practice, Facebook companies are carrying out processing operations which imply the combination or comparison of WhatsApp user data with other datasets processed by other Facebook companies in the context of other apps or services offered by them, facilitated by the use of unique identifiers. For this reason, the EDPB requests the DPC to carry out, as a matter of priority, a statutory investigation to determine whether such processing activities are taking place or not, and if it is the case, whether they have a proper legal basis under Articles 5(1)(a) and 6(1).
In addition, taking into consideration the lack of information about how personal information is processed for marketing purposes, cooperation with the other Facebook companies and in relation to WhatsApp Business API, the EDPB asks the DPC to further investigate the role of Facebook Ireland and whether it acts as a processor or as a (joint) controller.