The Data Protection Commission has announced the conclusion of its inquiry into WhatsApp. The DPC has fined WhatsApp Ireland €5.5 million for breaches of the GDPR. It has also directed WhatsApp Ireland to bring its data processing operations into compliance within a period of six months.
The inquiry concerned a complaint made on 25 May 2018 by a German data subject about the WhatsApp service. WhatsApp had updated its terms of service in advance of the GDPR coming into force, and informed users that if they wished to continue to have access to the WhatsApp service after the introduction of the GDPR, they had to accept the updated terms and were not able to access the services if they did not.
WhatsApp Ireland considered that, when the user accepted the updated terms of service, a contract was entered into between WhatsApp Ireland and the user. It also said that it had to process users’ data to perform that contract, including service improvement and security, so the processing was lawful under Article 6(1)(b) of the GDPR (the contract legal basis for processing).
The complainant argued that WhatsApp Ireland was in fact seeking to rely on consent to provide a lawful basis for its processing of users’ data and that such consent was “forced” and therefore in breach of the GDPR.
The DPC investigated and prepared a draft decision for review by its peer regulators in the EU/EEA, under Article 60 GDPR. Notably, the DPC found that:
- In breach of its obligations in relation to transparency, information about the legal basis relied on by WhatsApp Ireland was not clearly outlined to users, which means that users had insufficient clarity about how their data was being processed, for what purpose(s), and by reference to which of the six legal bases in Article 6 of the GDPR. The DPC considered that a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) of the GDPR. The DPC, having already imposed a very substantial fine of €225 million on WhatsApp Ireland for breaches of this and other transparency obligations over the same period, did not propose the imposition of any further fine or corrective measures, having done so already in a previous inquiry.
- In circumstances where the DPC found that WhatsApp Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data, the “forced consent” aspect of the complaints could not be sustained. The DPC found that WhatsApp Ireland was not required to rely on consent. The complaint was originally lodged with the German regulator and it will now adopt a decision and notify the complainant and WhatsApp Ireland under Article 60(9) GDPR.
These two parts of the decision were not contentious. The DPC went on to consider whether, in principle, the GDPR precluded WhatsApp Ireland’s reliance on the contract legal basis it asserted and concluded it was not precluded. Six regulators disagreed and said that delivery of service improvement and security was not a core element of the contract with the user. The DPC disagreed with this, so it referred the case to the EDPB, which adopted its determination on 5 December 2022.
The EDPB largely upheld the DPC’s position regarding the breach by WhatsApp Ireland of its transparency obligations, subject to the insertion of an additional breach (of the Article 5(1)(a) “fairness” principle). However, the EDPB took a different view to the DPC on the legal basis question, finding that, as a matter of principle, WhatsApp Ireland was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for service improvement and security. The final decision adopted by the DPC reflects the EDPB’s binding determination.
Separately, the EDPB has also purported to direct the DPC to conduct a fresh investigation to consider other matters, but the DPC does not consider that the EDPB has the competence to instruct and direct an authority to engage in open-ended and speculative investigation.