EDPB - Urgent Binding Decision 1/2021 - 'WhatsApp'
EDPB - Urgent Binding Decision 01/2021 | |
---|---|
Authority: | EDPB |
Jurisdiction: | European Union |
Relevant Law: | Article 5(1)(a) GDPR, Article 6(1)(a) GDPR, Article 6(1)(f) GDPR, Article 7 GDPR, Article 12(1) GDPR, Article 13(1)(e) GDPR, Article 13(1)(c) GDPR, Article 61(5) GDPR, Article 61(8) GDPR, Article 61(9) GDPR, Article 62 GDPR, Article 66(1) GDPR, Article 66(2) GDPR |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | 12.07.2021 |
Published: | |
Fine: | None |
Parties: | Hamburg DPA, WhatsApp Ireland Ltd, Facebook Ireland Ltd |
National Case Number/Name: | Urgent Binding Decision 01/2021 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | SR |
The EDPB adopts an important urgent binding decision under Article 66 GDPR. Following the interim measure taken by the Hamburg authority against WhatsApp, the EDPB analysed the data sharing practices between the messaging app and Facebook. The Board did not confirm the provisional measure but, given the high likelihood of sharing taking place, requested the Irish authority to shed light on some key blind spots in WhatsApp's data processing. In particular, it requested to verify whether data is actually shared with Facebook, whether Facebook acts as processor or joint controller, and whether the legal basis announced in the privacy policy is adequate in relation to the actual processing.
English Summary
Facts
This summary provides an account of the Urgent Binding Decision No 1/2021 adopted by the EDPB (hereafter, the 'Decision'). We note that most of the facts of the case are not available other than through the account provided by the EDPB in the text of the Decision.
In late 2019, WhatsApp IE informed European users about an upcoming change in its policies. In particular, it announced the start of data sharing with FB IE. On 8.12.20, the Irish Authority (hereinafter, 'IE SA' or, where relevant, 'LSA') used the EDPB's internal communication system ('IMI') to inform the other supervisory authorities of WhatsApp IE's intended changes. In doing so, the IE SA attached copies of the relevant documentation. Importantly, for the purposes of this summary, the notice was made through a specific section of the IMI system called Voluntary Mutual Assistance ("VMA").
From 14.1.21 until 4.3.21, a rather heated debate took place via the IMI/VMA system between the Hamburg authority ("HH SA") and IE SA. According to the information available in the Decision, the core of the debate consisted of a fundamental difference of views. The HH SA considered that such data sharing had already taken place, even before WhatsApp/FB's announcement of the policy change. Such a situation would lead to a violation of Articles 5(1), 6(1) and 12(1) of the GDPR. For these reasons, the German authority repeatedly requested specific, fact-based investigations into FB IE's processing operations.
Since there had been no concrete response from the IE SA, on 12.2.21 the HH SA "give[s] notice of the possibility of an urgency procedure according to Art. 66 GDPR". Having had no reply (at least on the basis of the account provided in the Decision), on 12.4.21 the HH SA "contacts Facebook IE to hear it before issuing provisional measures pursuant to Article 66 (1) GDPR". On 25.4.21, FB IE submitted its observations in response to Hamburg's direct requests. On 10.5.21, the HH SA, not being satisfied with the clarifications, adopted a temporary order against FB IE ("Provisional measure"), the purpose of which was essentially to block the alleged data sharing (more details in § 3 of the Decision).
On 11.5.21, the HH SA communicated the measure to the EDPB. On 3.6.2021, the HH SA sent the EDPB a request for an urgent binding decision under Article 66(2) GDPR, which was subsequently formalised through the IMI system on 7.6.2021. Following the request, the EDPB started a series of consultations by sharing the relevant communications and documents between all the parties involved (FB companies, WhatsApp and SAs). During these consultations, FB IE submitted several defences.
Holding
Competence to decide
The EDPB first verifies its competence to decide under Article 66 GDPR. In the present case, there is (i) an interim measure adopted by an SA (Article 66(1) GDPR) as well as (ii) a request for a collegial decision. The two conditions are therefore met.
Right to good administration
While not obliged to do so, the EDPB recognises the possibility that FB IE and WhatsApp IE may be subject to the negative effects of a binding decision. Accordingly, pursuant to Article 41(2)(a) of the EU Charter, "The EDPB [...] decided to hear Facebook IE and WhatsApp IE directly by inviting them to provide written submissions to the EDPB" (Decision, § 21). The two companies submitted two separate statements.
Overall position of the Hamburg Authority
The Provisional measure concerns five processing purposes which, according to the HH SA, were already being carried out or could have been carried out imminently by Facebook IE as a controller, following the data sharing. These processing operations are: 1) Security and integrity of Facebook; 2) Improvement of the product experience; 3) Marketing communication and direct marketing; 4) WhatsApp Business API; and 5) Cooperation with other Facebook Companies.
In relation to these processing operations, the HH SA raises several critical points. First of all, the consent requested by FB for the modification of the Terms of Service would be flawed because it is not informed (§ 28) and in any case not freely given due to the dominant position of WhatsApp in the messaging apps sector (§ 29). Equally inapplicable would be the legal basis of the contract under Article 6(1)(b) GDPR, for the simple but essential reason that the sharing of one's WhatsApp data with FB cannot be seen as "necessary for the performance of the [WhatsApp] contract" (§ 30). Also inapplicable would be the legal basis of legitimate interest in Article 6(1)(f) GDPR (§ 31).
The EDPB therefore analyses the individual points.
1) Security and integrity of Facebook
The data sharing seems to be used for the security and integrity of Facebook. In particular, according to WhatsApp's user-facing information, the data sharing is carried out in order to keep "WhatsApp and other Facebook Companies' services safe and secure [as] we need to understand which accounts across the Facebook Companies relate to the same user". At the same time, as reported by WhatsApp IE and Facebook IE during the proceeding, such operations are currently not taking place (final part of § 63 of the Decision).
On this point, after analysing the privacy policies and the controller's statements during the proceeding (§§ 41-48), the EDPB 'shares the DE-HH SA's position that there are contradictions between the information included in WhatsApp's user-facing information on the one hand, and the Commitments and Facebook IE's written submissions on the other hand' (§ 54). The Board further considers that “there is a high likelihood that Facebook IE already processes WhatsApp user data as a controller or joint controller for the common purpose of the safety, security and integrity of WhatsApp and the Facebook Companies" (§ 66).
Accordingly, the EDPB requests the LSA to carry out a statutory investigation to unveil whether Facebook IE has already started to process WhatsApp's user data for the common purpose of safety, security and integrity, and if so, whether it is acting as a processor on behalf of WhatsApp IE or as a (joint) controller with WhatsApp IE (§ 69).
2) Improvement of the product experience
WhatsApp users’ data are also shared with Facebook companies for the improvement of the FB service and therefore for Facebook's own purposes. According to Facebook IE and WhatsApp IE's submissions, “Facebook [and the other Facebook companies] processes WhatsApp User Data as processor on behalf of WhatsApp Ireland”, acting solely under WhatsApp IE's instructions (§ 87).
On this point, the EDPB recalls that a processor is someone who processes personal data on the controller's behalf, which requires that the separate entity processes personal data for the benefit of the controller. This implies that “the legal status of an actor as either a "controller" or a "processor" must in principle be determined by its actual activities in a specific situation, rather than upon the formal designation of an actor as being either a "controller" or "processor" (e.g. in a contract)” (§§ 88-89).
That said, the EDPB expresses "serious doubts" about the role of processor allegedly performed by the Facebook Companies, including Facebook IE. In particular, the EDPB considers that when a data sharing is meant to “understand how WhatsApp Services are being used, and how it compares to usage across the Facebook Companies”, it is likely done not merely for the purpose of improving the products of WhatsApp IE, but also benefits other Facebook Companies, including Facebook IE, for improvement of their product (§ 97).
"If such circumstances were to be confirmed" the EDPB states, (i) "the Facebook Companies, including Facebook IE, potentially (jointly) define the purpose and means for this processing and in such a case they should be considered as (joint) controllers in this respect" and (ii) expresses “serious doubts” as to the validity of the consent or the possible use of the contract or legitimate interest (§§ 102-105).
Taking into account the above, the EDPB concludes that there is a high likelihood that Facebook IE processes WhatsApp users' data as a (joint) controller for its own purpose of improvement of product experience. Accordingly, the EDPB requests the LSA competent for Facebook IE and WhatsApp IE to carry out a statutory investigation to verify this aspect. The EDPB further requests the LSA to carry out a statutory investigation to assess whether Facebook IE has a legal basis to conduct such processing lawfully as a (joint) controller pursuant to Articles 5(1)(a) and 6(1) GDPR (§§ 107-110).
3) Marketing communication and direct marketing
WhatsApp's Privacy Policy ("How We Use Information") informs the user that "We may provide you with marketing for our Services and those of the Facebook Companies [...] We work with third-party service providers and the Facebook companies to help us operate, provide, improve, understand, customize, support, and market our Services” (§ 120). However, once again, during the proceeding Facebook denied that this data sharing is taking place (§ 122).
Whilst the EDPB understands the concerns raised by the DE-HH SA, the EDPB does not have sufficient information in the present procedure to conclude whether Facebook IE is acting as a controller of WhatsApp user data for the purpose of marketing communication and direct marketing. Taking into consideration the lack of clarity in the information, the EDPB calls upon the IE SA to further investigate the role of Facebook IE, i.e. whether Facebook IE acts as a processor or as a (joint) controller, with respect to the processing of WhatsApp user personal data for marketing purposes (§ 126).
4) WhatsApp Business API
The DE-HH SA notes that WhatsApp's user data are also processed, or may be processed, for the general purpose of providing the so-called "WhatsApp Business API". The "WhatsApp Business API" enables companies to use WhatsApp in their corporate communication systems and to communicate with their contacts and customers.
The EDPB understands the concerns raised by the DE-HH SA. The Board expresses concerns that a potential merging of the WhatsApp IE and Facebook IE processing operations and infrastructures for the provision of WhatsApp Business API would in practice lead to Facebook IE processing of WhatsApp's user data for its own purposes, such as for personalising advertisements.
Bearing in mind that Facebook's business model is to a large extent based on advertising, the Board “takes the view that the LSA should further closely investigate the roles that WhatsApp IE, Facebook IE and the businesses concerned would play in the context of the WhatsApp Business API in order to verify their compliance with the GDPR” (§ 146).
5) Cooperation with other Facebook Companies
"WhatsApp works and shares information with the other Facebook Companies to receive services like infrastructure, technology, and systems that help us provide and improve WhatsApp and to keep WhatsApp and the other Facebook Companies safe and secure [...] In order to receive services from the Facebook Companies, WhatsApp shares the information we have about you as described in the "Information We Collect" section of the Privacy Policy. For example, to provide WhatsApp with analytics services, Facebook processes the phone number you verified when you signed up for WhatsApp, some of your device information”.
Again, during the proceeding, Facebook denied that this data sharing is taking place, leading the EDPB to conclude that “there are not enough elements allowing to conclude that Facebook IE is processing or is going to process WhatsApp’s user data for its own purposes”. However, due to the lack of sufficient clarity and transparency in WhatsApp’s public-facing information, the EDPB considers “it to be extremely difficult, if not impossible, to have a complete overview of the purposes of processing made under the framework for cooperation with the other Facebook Companies and to verify whether Facebook IE only acts as a processor on behalf of WhatsApp IE for those purposes” (§§ 158-160).
Therefore, the Board calls upon the LSA to carry out an investigation to clarify the processing for the purpose of cooperation with the other Facebook Companies and to analyse the processing roles of different parties involved, in particular to verify whether Facebook IE acts as a processor or as a (joint) controller with respect to such processing of WhatsApp user personal data (§ 160).
On the existence of urgency to adopt final measures by way of derogation from the cooperation and consistency mechanisms
Under Article 66 GDPR, the adoption of final measures is subject to the existence of an urgent situation involving the rights and freedoms of data subjects. The Board clarifies that the urgency requirement allows for a derogation from the standard consistency and cooperation mechanisms, and therefore must be interpreted restrictively.
Now, the HH SA considers that, in the present case, the urgency requirement is not at stake, as specifically excluded by Article 61(8) GDPR. In summary, the framework in question allows an SA to request another SA to carry out specific investigations at a controller located outside its jurisdiction (in this case, a German authority asks the Irish one to perform an investigation on Irish soil). According to Article 61(8), if the receiving SA (Ireland) does not act within one month, the requesting SA (Hamburg) may take a temporary measure, the urgency of which is presumed by law (“shall be presumed”). This measure must then be confirmed by the EDPB in a binding urgency decision.
In the present case, as reported above, the HH SA had made some specific requests through the IMI system by using, in particular, the VMA channel (Voluntary Mutual Assistance). Now, according to the interpretation provided by the EDPB, "Unlike formal Article 61 GDPR requests, the SA receiving a VMA request does not have a legal obligation to answer to that request" (§ 177). Therefore, the HH SA "did not formally launch an Article 61 GDPR request in the IMI system to the LSA, but merely sent a letter replying to the VMA request flow initiated by the IE SA".
In light of the above, the EDPB considers that the DE-HH SA has not demonstrated that the LSA failed to provide information in the context of a formal request for mutual assistance under Article 61 GDPR. The EDPB therefore considers that the urgency cannot be presumed (per Article 61(8) GDPR) and needs to be demonstrated under Article 66(2) GDPR (§§ 180-181).
On the existence of urgency outside any GDPR legal presumption
In the view of the EDPB, notwithstanding the problematic elements observed during the proceeding, there are not sufficient elements to meet the urgency requirement of Article 66(2) GDPR (§ 196).
EDPB decision
The EDPB concludes that it sees no reason to request the adoption of final measures against Facebook IE. In light of the above and in accordance with the tasks of the EDPB under Article 70(1)(t) GDPR to issue urgent binding decisions pursuant to Article 66 GDPR, the Board:
(1) decides that no final measures need to be adopted against Facebook IE;
(2) requests the IE SA to carry out a statutory investigation, in particular to verify, in practice, whether (i) the alleged processing operations are currently taking place and what the roles of the Facebook Companies involved are, (ii) Facebook IE has already started to process WhatsApp's user data as a (joint) controller for its own purposes of marketing communications and direct marketing, (iii) Facebook IE has already started or will soon start to process WhatsApp's user data as a (joint) controller for its own purpose in relation to WhatsApp Business API, (iv) Facebook IE, when using the content of messages sent via WhatsApp to businesses, would be acting as (joint) controller;
(3) decides that the IE SA shall carry out, as a priority matter, an investigation to determine whether such processing activities are taking place or not, and if it is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Adopted
Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook Ireland Limited
Adopted on 12 July 2021
Table of contents
1 Summary of the facts
2 Competence of the EDPB to adopt an urgent binding decision under Article 66(2) GDPR
2.1 Existence of a request pursuant to Article 66(2) GDPR coming from a SA in the EEA
2.2 The SA has taken provisional measures under Article 66(1) GDPR
2.3 Conclusion
3 The Right to good administration
4 On the need to request final measures
4.1 On the existence of infringements
4.1.1 Summary of the overall position of the DE-HH SA
4.1.2 Security and integrity of Facebook
4.1.3 Improvement of product experience
4.1.4 Marketing communications and direct marketing
4.1.5 WhatsApp Business API
4.1.6 Cooperation with other Facebook Companies
4.1.7 Conclusion
4.2 On the existence of urgency to adopt final measures by way of derogation from the cooperation and consistency mechanisms
4.2.1 Possible application of a legal presumption of urgency justifying the need to derogate from the cooperation and consistency mechanisms
4.2.2 Existence of urgency outside any GDPR legal presumption and the need to derogate from the cooperation and consistency mechanisms
4.2.3 Conclusion
5 On the appropriate final measures
6 Urgent Binding Decision
7 Final remarks
The European Data Protection Board
Having regard to Article 66 of Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR”)[1],
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018[2],
Having regard to Articles 11, 13, 23 and 39 of the EDPB Rules of Procedure[3], hereinafter the “EDPB RoP”.
Whereas:
(1) The main role of the European Data Protection Board (hereinafter the “EDPB” or the “Board”) is to ensure the consistent application of the GDPR throughout the EEA. To this effect, it can adopt binding opinion and decisions under different circumstances described under the Articles 63 to 66 GDPR. The GDPR also established a cooperation mechanism between the supervisory authorities. It follows from Article 60 GDPR that the lead supervisory authority shall cooperate with the other supervisory authorities concerned (hereinafter “CSAs”) in an endeavour to reach consensus.
(2) Pursuant to Article 66(1) GDPR, in exceptional circumstances, where a supervisory authority considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 GDPR or the procedure referred to in Article 60 GDPR, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months.
(3) In accordance with Article 66(2) GDPR, where a supervisory authority has taken a measure pursuant to Article 66(1) GDPR and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such opinion or decision. The request for an urgent opinion or urgent binding decision in the context of Article 66(2) and (3) GDPR is optional.
(4) In accordance with Article 11(2) EDPB RoP, the request of a binding decision shall be submitted to the EDPB via the information and communication system mentioned in Article 17 EDPB RoP.
(5) In accordance with Article 13(2) EDPB RoP, the supervisory authority requesting an urgent binding decision shall submit any relevant documents. When necessary, the documents submitted by the competent supervisory authority shall be translated into English by the EDPB Secretariat. Once the Chair and the competent supervisory authority have decided that the file is complete, it is communicated via the EDPB Secretariat to the members of the Board without undue delay.
(6) Pursuant to Article 66(4) GDPR and Article 13(1) EDPB RoP, the urgent binding decision of the EDPB shall be adopted by simple majority of the members of the EDPB within two weeks following the decision by the Chair and the competent supervisory authority that the file is complete.
(7) Pursuant to Article 39(1) EDPB RoP, all the final documents adopted by the Board shall be made public on the Board’s website, unless the Board decides otherwise.
[1] OJ L 119, 4.5.2016, p. 1.
[2] References to “Member States” made throughout this decision should be understood as references to “EEA Member States”. References to “EU” should be understood, where relevant, as references to “EEA”.
[3] EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 8 October 2020.
1 SUMMARY OF THE FACTS
1. This document contains an urgent binding decision adopted by the EDPB pursuant to Article 66(2) GDPR, following a request made by the Hamburg Commissioner for Data protection and freedom of information (hereinafter the “DE-HH SA”) within the framework of the urgency procedure under Article 66 GDPR.
2. Following the notification by WhatsApp Ireland Ltd (hereinafter “WhatsApp IE”) to German users of its new Terms of Service and Privacy Policy, and the extension of the deadline for users to provide consent to 15 May 2021, the DE-HH SA came to the conclusion that Facebook Ireland Ltd (hereinafter “Facebook IE”) is already processing data of WhatsApp users residing in Germany for its own purposes in some cases, and that processing for its own purposes is imminent in other cases.
The DE-HH SA considers that the processing of personal data of WhatsApp IE users residing in Germany by Facebook IE for the purposes of Facebook IE violates Article 5(1), Article 6(1) and Article 12(1) GDPR. Therefore the DE-HH SA adopted, on 10 May 2021, provisional measures under Article 66(1) GDPR, based on its consideration that the circumstances were exceptional and there was an urgent need to act to protect the rights and freedoms of data subjects. 3. Through its provisional measures, the DE-HH SA prohibited, for a duration of 3 months, Facebook IE from processing personal data of WhatsApp users residing in Germany, which is transmitted from WhatsApp IE to Facebook IE for the purposes of 1. Cooperation with other Facebook Companies4 ; 2. Security and integrity of Facebook; 3. Improvement of the product experience; 4. Marketing communication and direct marketing; 5. WhatsApp Business API; to the extent that the processing is being carried out for Facebook IE's own purposes. 4. On 7 June 2021, the DE-HH SA requested the EDPB to adopt an urgent binding decision pursuant to Article 66(2) GDPR, with the effect of ordering the implementation of final measures, by extending its provisional measures both in time and territorial scope. 5. The following table presents a summarised timeline of the events leading to the submission of the matter by the DE-HH SA via the urgency procedure: 08.12.2020 The Irish supervisory authority (“Data Protection Commission”, hereinafter the “IE SA” or, as being the lead supervisory authority in this case, the “LSA”) uses the EDPB internal information and communication system (the “IMI system”) flow “Voluntary Mutual Assistance” (hereinafter “VMA”) to inform the CSAs that WhatsApp IE intends to change its Privacy Policy and Terms of Service applicable to users residing in the European Union (hereinafter “Updated Terms”). 
The LSA shares copies of the revised Privacy Policy, including a redline version highlighting the changes (hereinafter the “Privacy Policy”), the Legal Basis Notice (which will be incorporated in the Privacy Policy), the relevant extract from the Terms of Service, the contact upload feature and the updated 4 A link inserted in WhatsApp public-facing information sends to a page on WhatsApp explaining that the term ‘Facebook Companies’ refers to Facebook Inc., Facebook IE, Facebook Payments Inc., Facebook Payments International Limited, Facebook Technologies LLC, Facebook Technologies Ireland Limited, WhatsApp LLC, and WhatsApp IE. In this urgent binding decision, the term ‘other Facebook Companies’ refers to all the Facebook Companies except WhatsApp IE. Adopted 5 version of the FAQ “How we work with the Facebook Companies” (hereinafter together referred to as “WhatsApp public-facing information”). 14.01.2021 The DE-HH SA sends a letter to the LSA using the IMI system flow opened by the LSA. It raises the fact that the LSA did not provide its view on the Updated Terms, and shares questions on the Updated Terms, including questions directly addressed to the LSA. 15.01.2021 The IE SA sends a letter to the CSAs to inform them that it met with WhatsApp IE to discuss the new Updated Terms, that the IE SA will compile comprehensive feedback from the CSAs, and will transmit it to WhatsApp IE for follow-up. Few days after, the LSA shares with the CSAs, via VMA, a letter from WhatsApp IE dated 5 February 2021 replying to questions raised by the CSAs, including the DE-HH SA. 12.02.2021 The DE-HH SA shares a letter with the LSA using the same VMA flow on the IMI system. The DE-HH SA underlines the fact that the LSA did not share its own views on the matter. The DE-HH SA informs the LSA about its concerns regarding the data sharing of Facebook IE and WhatsApp IE for different purposes of each company. 
The DE-HH SA concludes that “WhatsApp and Facebook are sharing data for different purposes of each company. In the case of no deeper inspection by the IDPC as lead authority we give notice of the possibility of an urgency procedure according to Art. 66 GDPR.” 24.02.2021 Using VMA, the LSA replies to the DE-HH SA by sharing the fact that it had forwarded the additional questions on Updated Terms to WhatsApp IE on 15 February 2021. The LSA also annexes to its message to DE-HH SA WhatsApp IE’s latest reply dated 22 February 2021. 04.03.2021 Using VMA, the DE-HH SA sends a new letter to the LSA in which it underlines the substantial need for further clarifications and makes comments on the Updated Terms and the answers provided by WhatsApp IE. The DE-HH SA requests the LSA to conduct investigations into the specific processing of WhatsApp IE and Facebook. 12.04.2021 The DE-HH SA contacts Facebook IE to hear it before issuing provisional measures pursuant to Article 66 (1) GDPR. The DE-HH SA informs the EDPB Secretariat that they intend to start a formal Article 66 GDPR procedure against Facebook IE, and asks the EDPB Secretariat to inform the Chair of the EDPB and the LSA. Following a later request from the DE-HH SA, the EDPB Secretariat also shares the information with all the EDPB members. 19.04.2021 Using VMA, the LSA writes to the CSAs to inform them that the Updated Terms are “[...] largely a carryover of the text of the existing policy and no new text signifying any change in WhatsApp’s position is included regarding the sharing of WhatsApp user data with Facebook or access by Facebook for Facebook’s own purposes”. The IE SA informs the CSAs that it commenced a supervision review and assessment of WhatsApp IE’s oversight and monitoring of its data processors (chiefly Facebook), including the safeguards, mechanisms and audit processes in place to ensure that Facebook IE does not use WhatsApp IE user data for its own purposes, inadvertently or otherwise. 
25.04.2021 Facebook IE sends written submissions following the hearing letter of the DE- HH SA (hereinafter “Facebook’s written submissions to the DE-HH SA”). 10.05.2021 The DE-HH SA adopts an order relating to provisional measures (the “DE-HH SA Order” or the “provisional measures”). 11.05.2021 The DE-HH SA communicates its provisional measures to the other supervisory authorities and informs the EDPB Secretariat. Adopted 6 03.06.2021 The DE-HH SA writes to the EDPB Chair to announce the request of an urgent binding decision under Article 66(2) GDPR. 04.06.2021 Via VMA, the IE SA informs the CSAs that, contrary to WhatsApp IE’s previous intention to limit functionality for its users who had not accepted the Updated Terms after several weeks following the deadline it had set to 15 May 2021, WhatsApp IE announced in an updated published FAQ that it has no plans for these reminders to become persistent and to limit the functionality of its app. 07.06.2021 The DE-HH SA introduces the request of an urgent binding decision under Article 66(2) GDPR in the IMI system (Article 17 EDPB RoP). On 25 June 2021, the DE-HH SA reintroduced the file in IMI for technical reasons. 6. On 7 June 2021, the DE-HH SA requested an urgent binding decision under Article 66(2) GDPR via IMI, the information and communication system mentioned in Article 17 EDPB RoP. 7. On 9 June 2021, the EDPB Secretariat, working on behalf of the Chair of the EDPB, requested via email an additional document to the DE-HH SA, as well as confirmation of the accuracy of the English translation of documents received in German, with the deadline of 11 June 2021. Following a request sent by the DE-HH SA on 10 June 2021 to extend the deadline to 16 June 2021, the EDPB Secretariat extended the deadline up to 14 June 2021. On 14 June 2021, the DE-HH SA sent the additional document and approved the English translation of the original German documents. 8. 
On 15 June 2021, the EDPB sent a letter to Facebook IE and to WhatsApp IE thereby allowing Facebook IE and WhatsApp IE to exercise their respective right to be heard with the deadline of 18 June 2021. This letter included a list of all the documents in the file and attached them all, except the ones originating from Facebook IE or WhatsApp IE. On 16 June 2021, Facebook IE asked an extension of deadline to 23 June 2021 close of business. The EDPB replied on the same day and consented to extend the deadline to 23 June 2021 12:00 (CET).
9. On 18 June 2021, the EDPB Secretariat, working on behalf of the Chair of the EDPB, urgently requested additional documents from the DE-HH SA, which were provided on the same day. On 21 June 2021, the EDPB sent a letter to Facebook IE and to WhatsApp IE with the additional documents provided by the DE-HH SA, and taking into account of these new elements, extended the deadline for both companies to provide their written contribution to 25 June 2021 12:00 (CET).
10. On 23 June 2021, the IE SA sent, on its own initiative, additional documents it considered important to be added in the file. The Chair of the EDPB agreed and decided to add two documents in the file. On 24 June 2021, the Chair informed WhatsApp IE and Facebook IE about those two additional documents, and extended the deadline for their written submission to 25 June 2021 16:00 (CET).
11. On 25 June 2021, Facebook IE and WhatsApp IE provided their written submissions to the EDPB.
12. On 28 June 2021, after the DE-HH SA and the Chair of the EDPB confirmed the completeness of the file, the EDPB Secretariat circulated the file to the EDPB members.
13. On 5 July 2021 12:00 (CET), the EDPB decided, in accordance with Article 11 EDPB RoP, to add in the file the redline version of the FAQ “How we work with the Facebook Companies” highlighting the changes made at the occasion of the Updated Terms, which was shared by the IE SA.
On the same day, the EDPB sent a letter to Facebook IE and WhatsApp IE to invite them to provide additional written submissions about a legal argument discussed between the EDPB members and the redline version of the FAQ “How we work with the Facebook Companies”, with a deadline of 6 July 2021 12:00 (CET). Following Facebook IE and WhatsApp IE’s request, the deadline was extended to 7 July 16:00 (CET). On 7 July 2021, Facebook IE and WhatsApp IE provided their written submissions to the EDPB.
2 COMPETENCE OF THE EDPB TO ADOPT AN URGENT BINDING DECISION UNDER ARTICLE 66(2) GDPR
2.1 Existence of a request pursuant to Article 66(2) GDPR coming from a SA in the EEA
14. Following the adoption of provisional measures under Article 66(1) GDPR on 10 May 2021, the DE-HH SA requested the EDPB to adopt an urgent binding decision pursuant to Article 66(2) GDPR, by introducing a formal request in the IMI (Article 17 EDPB RoP) on 7 June 2021.
15. The EDPB therefore considers that this condition is fulfilled.
2.2 The SA has taken provisional measures under Article 66(1) GDPR
16. On 10 May 2021, the DE-HH SA adopted provisional measures pursuant to Article 66(1) GDPR, prohibiting Facebook IE from processing the personal data of WhatsApp users residing in Germany, which are transmitted from WhatsApp IE or WhatsApp LLC to Facebook IE for the purposes of (1) cooperation with other Facebook Companies; (2) security and integrity of Facebook; (3) improvement of the product experience; (4) marketing communication and direct marketing; (5) WhatsApp Business API; to the extent that the processing is being carried out for Facebook IE's own purposes.
17. The EDPB therefore considers that this condition is fulfilled.
2.3 Conclusion
18. The EDPB is competent to adopt an urgent binding decision under Article 66(2) GDPR.
3 THE RIGHT TO GOOD ADMINISTRATION
19.
The EDPB is subject to the EU Charter of fundamental rights (hereinafter the “EU Charter”), in particular its Article 41 (right to good administration). This is also reflected in Article 11(1) EDPB RoP.
20. Similarly, as provided under Article 65(2) GDPR, an Article 66(4) EDPB urgent binding decision is addressed to the national supervisory authorities and binding on them. It is not aimed to address directly any third party. However, as a precautionary measure, and in order to address the possibility that Facebook IE and WhatsApp IE might be affected by the EDPB urgent binding decision, the EDPB assessed whether all the documents it received and used in order to take its decision were already known by Facebook IE and WhatsApp IE, and whether Facebook IE and WhatsApp IE had been heard on them.
21. While Facebook IE was heard during the DE-HH SA’s national procedure, on the basis of Article 66(1), neither Facebook IE nor WhatsApp IE had been heard yet on the DE-HH SA’s Article 66(2) GDPR request. The EDPB therefore decided to hear directly Facebook IE and WhatsApp IE by inviting them to provide written submissions to the EDPB.
22. During the assessment of the completeness of the file, the EDPB shared all the documents of the file (see above the para 9, 10, 11 and 14) to Facebook IE and WhatsApp IE directly to ensure the exercise of their right to be heard in line with Article 41(2)(a) EU Charter.
23. Facebook IE and WhatsApp IE provided written submissions to the EDPB in the context of their right to be heard on 25 June 2021, 6 July 2021, and 7 July 2021 (respectively hereinafter “Facebook’s written submissions to the EDPB” and “WhatsApp’s written submissions to the EDPB”).
4 ON THE NEED TO REQUEST FINAL MEASURES
4.1 On the existence of infringements
4.1.1 Summary of the overall position of the DE-HH SA
24. According to the DE-HH SA, Facebook IE is already processing data of WhatsApp users for its own purposes or will imminently do so.
25.
The DE-HH SA’s analysis is based on WhatsApp’s public-facing information such as Terms of Service and privacy-related public-facing information, including WhatsApp’s Privacy Policy applicable to EU users and FAQ, as well as Facebook IE’s written submissions in the context of its hearing carried out by the DE-HH SA before adopting the provisional measures, including, inter alia, an affidavit signed by Facebook IE’s Head of Data Protection on 25 April 2021 (hereinafter the “Affidavit”)5, which adheres and supports commitments WhatsApp IE took towards the Article 29 Working Party (hereinafter the “WP29”) and the LSA (hereinafter the “Commitments”)6, respectively in February and June 2018.
26. The DE-HH SA considers that Facebook IE has no legal basis for the processing of WhatsApp user data for its own purposes, hence it is unlawful due to the lack of effective consent of WhatsApp users within the meaning of Article 6(1)(a) and Article 7 GDPR, and of a legitimate interest within the meaning of Article 6(1)(f) GDPR.
27. The DE-HH SA considers that the consent requested by WhatsApp in its Terms of Service of 4 January 2021 does not meet the requirements of informed and free consent within the meaning of Article 6(1)(a) and Article 7 GDPR7.
28. The DE-HH SA states that the Updated Terms are not understandable by users; they do not comply with the transparency requirements under Article 5(1)(a), Article 12(1) and Article 13(1)(c) and (e) GDPR; the explanations on data exchange are partly contradictory and inconsistent, as well as largely undefined8; the statements on data exchange are scattered in various documents at different levels9
5 Facebook’s submissions to the DE-HH SA. This also includes (Letter from WhatsApp IE to the WP29 dated 4 February 2018, p.1; and Letter from WhatsApp IE to the IE SA dated 8 June 2018, p. 2).
6 Facebook’s submissions to the DE-HH SA.
This also includes (Letter from WhatsApp IE to the WP29 dated 4 February 2018, p.1; and Letter from WhatsApp IE to the IE SA dated 8 June 2018, p. 2).
7 DE-HH SA Order, Section II.2)aa), p. 13.
8 DE-HH SA Order, p. 14.
9 There are in total 15 documents linked to the terms, with a total of 20.000 words (DE-HH SA Order, pp. 5-6).
and do not allow users to take note of them in a uniform manner10. The DE-HH SA also explains why the transparency requirements are not fulfilled in relation to each of the specific purposes it identified (see hereinafter)11.
29. In addition, the DE-HH SA underlines that considering the market position of Facebook and WhatsApp, users do not have a choice to consent or not, as not using WhatsApp is not an acceptable alternative because of the wide use of such a closed messenger system12. According to the DE-HH SA, it is not possible to continue the use of WhatsApp’s service on the basis of WhatsApp’s previously applicable terms and conditions.
30. The DE-HH SA states that Article 6(1)(b) GDPR is not relevant as the transfer of WhatsApp user data to Facebook IE, and further processing by the latter for its own purpose, is not necessary for the performance of a contract concluded between WhatsApp IE and the data subjects13 or between Facebook IE and the data subjects14. For those WhatsApp users who are not Facebook users, the DE-HH SA considers that there is already a lack of corresponding contractual relationship between Facebook IE and such concerned WhatsApp users.
31. The DE-HH SA notes that, should Facebook IE use Article 6(1)(f) GDPR as a ground for such processing, it would need to transparently inform users about this on the basis of Article 13(1)(c) GDPR.
Moreover, according to the DE-HH SA, even for purposes for which a legitimate interest may exist, for example to prevent the sending of spam in the area of network security, Facebook’s legitimate interest does not outweigh the fundamental rights and freedoms of the users. The DE-HH SA underlines in particular the large amount of data processed, which cannot be justified by Facebook’s legitimate interests15. The DE-HH SA also raises that there is a complete lack of necessity for the data sharing with Facebook IE of WhatsApp users that are not Facebook users16.
32. Besides, the DE-HH SA underlined a violation of the transparency requirements under Article 5(1) GDPR and Article 12(1) GDPR17. This is due to the large number of different documents that users need to read to understand what is done with their personal data; to the inadequate consideration of the fact that users usually access such information via their smartphones, which, from a technical perspective, makes it more difficult to comprehend; to the existence of two versions of Terms of Service (one for users within the EEA and one for users from the rest of the world); and to how easy it is for users in the EEA to confuse the public-facing information applicable to them and the information applicable to non-EEA users18.
33. The DE-HH SA identified five processing purposes which it considers are already being carried out or could be carried out imminently by Facebook IE as a controller: 1) Security and integrity of Facebook; 2) Improvement of the product experience; 3) Marketing communication and direct marketing; 4)
10 DE-HH SA Order, Section II.2)aa), p. 14. 2 versions of the Terms of Service exist, one for the EEA and one for the rest of the world, and EEA users may access pages for non EEA users without even noticing it, DE-HH SA Order, p. 7.
11 DE-HH SA Order, Section II.2)aa), p. 15-28.
12 Letter of the DE-HH SA requesting an EDPB urgent binding decision, p. 4.
13 DE-HH SA Order, Section II.2)aa), p.
2.
14 DE-HH SA Order, Section II.2)aa), p. 28.
15 DE-HH SA Order, Section II.2)aa), p. 29-30.
16 DE-HH SA Order, Section II.2)aa), p. 29-30.
17 DE-HH SA Order, p. 2.
18 DE-HH SA Order, p. 3.
WhatsApp Business API; and 5) Cooperation with other Facebook Companies. These purposes are subject to the provisional measures ordered by the DE-HH SA and are further assessed hereinafter.
4.1.2 Security and integrity of Facebook
4.1.2.1 Summary of the position of the DE-HH SA
34. According to the DE-HH SA, the other Facebook Companies process WhatsApp user data for their own security and integrity purposes. They are not acting in the context of a commissioned processing on behalf of WhatsApp IE, but rather carry out an independent processing of WhatsApp user data19.
35. For the DE-HH SA, the processing aiming at combatting spam and abuse on other Facebook services than WhatsApp; protecting such other Facebook services; and ensuring the security of all Facebook Companies constitutes a separate purpose that is part of Facebook IE’s own purposes20.
36. The DE-HH SA notes that there is ambiguity in WhatsApp’s FAQ21 on the meaning of the term ‘our services’, which actually refers to all services of Facebook Companies, including WhatsApp’s. It could therefore be assumed that the same meaning is used for the other parts of WhatsApp’s user-facing information, in which case Facebook IE extensively uses WhatsApp user data as a controller22.
37. The DE-HH SA’s views on the Commitments relating to safety and security23 are the following: The statements that no sharing of WhatsApp user data is taking place with Facebook, including Facebook IE, for Facebook’s own purposes of safety and security only excludes that such sharing is currently taking place, but they do not exclude that Facebook IE is processing WhatsApp user data for its own purposes of safety and security, or that such processing is at least imminent24.
WhatsApp’s user-facing information does not reflect the Commitments since it mentions this processing as taking place already25. Besides, such voluntary Commitments are not, by nature, legally binding26, and “the GDPR does not provide for “consent” or “authorisation” for data
19 DE-HH SA Order, Section II.2)aa), p. 17.
20 DE-HH SA Order, Section II.2)aa), p. 19.
21 DE-HH SA Order, Section II.2)aa), p. 17, in particular footnote 13, and p. 19.
22 DE-HH SA Order, Section II.2)aa), p. 19.
23 Facebook IE referred to the Commitments by which WhatsApp IE had not started to share the data of WhatsApp users residing in Germany with Facebook IE for safety and security purposes and on a controller-to-controller basis, and should it change, to do so “following further engagement and consultation with [the IE SA]”, and that it intends to only share such data on a case-by-case basis, “for example sharing of data related to individuals previously identified as a safety or security risk” (Facebook’s written submissions to the DE-HH SA, Annex 1, Letter from WhatsApp IE to the WP29 dated 4 February 2018, p. 2, and Letter from WhatsApp IE to the IE SA dated 8 June 2018, p. 2). Facebook IE assured that the Commitments were still accurate as “German WhatsApp users’ data” are not shared yet by WhatsApp IE with Facebook Companies, including Facebook IE for Facebook’s own safety and security purposes (Facebook’s written submissions to the DE-HH SA, Annex 2, the Affidavit, point B., 4th paragraph).
24 DE-HH SA Order, Section III, p. 30.
25 DE-HH SA Order, Section III, p. 31.
26 In Facebook IE’s opinion, WhatsApp IE’s “clear and unequivocal” Commitments to the WP29 and the IE SA fall within the controller’s obligation to cooperate with a SA - which has enforcement powers - in accordance with Article 31 GDPR. Facebook IE added that it “takes compliance with [WhatsApp IE’s] Commitments very seriously” (Facebook’s written submissions to the DE-HH SA, section 2.7, p. 9).
processing operations by [SAs]. The formulated restriction is therefore without legal significance.”27
38. Overall, the DE-HH SA concluded that WhatsApp IE shares all its user data with Facebook IE “(...) for the purposes of making the systems more secure and combating spam, threats, abuse and rights violations for all products of the Facebook companies”28.
4.1.2.2 Analysis of the EDPB
39. The EDPB assessed the security and integrity purpose in relation to the alleged unlawful processing of WhatsApp user data by Facebook IE as a controller, and in relation to the alleged infringement of the transparency requirements in WhatsApp’s user-facing information. The EDPB took into account the views of the DE-HH SA, as well as the position expressed by both Facebook IE and WhatsApp IE.
4.1.2.2.1 On the alleged unlawful processing of WhatsApp user data by Facebook IE as a controller
40. In relation to safety, security and integrity, the EDPB notes the following extracts from WhatsApp’s user-facing information (emphasis added underlined):
41. WhatsApp’s Privacy Policy applicable to users living in the European Union:
“Third-Party Information [...]
Third-Party Service Providers. We work with third-party service providers and other Facebook Companies to help us operate, provide, improve, understand, customise, support, and market our Services. For example, we work with them to [...]; provide engineering support, cybersecurity support, and operational support; [...] ensure safety, security and integrity; and help with customer service. These companies may provide us with information about you in certain circumstances; [...]. The “How We Work With Other Facebook Companies” section below provides more information about how WhatsApp collects and shares information with the other Facebook Companies. You can also learn more in our Help Center on how we work with the Facebook Companies. [...]
Information You And We Share [...]
Third-Party Service Providers.
We work with third-party service providers and other Facebook Companies to help us operate, provide, improve, understand, customise, support, and market our Services. We work with these companies to support our Services, such as to [...] protect the safety, security and integrity of users and others; [...]. When we share information with third-party service providers and other Facebook Companies in this capacity, we require them to use your information on our behalf in accordance with our instructions and terms. For further information on how the Facebook Companies help us to operate and provide our Services, see “How We Work With Other Facebook Companies” below. You can also learn more in our Help Center on how we work with the Facebook Companies. [...]
How We Work With Other Facebook Companies
As part of the Facebook Companies, WhatsApp receives information from, and shares information with, the other Facebook Companies to promote safety, security and integrity across the Facebook Company Products, e.g., to fight spam, threats, abuse, or infringement activities. WhatsApp also works, and shares information with the other Facebook Companies who act on our behalf to help us operate, provide, improve, understand, customise, support, and market our Services. This includes the provision of infrastructure, technology, and systems, [...] and securing systems. When we receive services from the Facebook Companies, the information we share with them is used on WhatsApp’s behalf and in accordance with our instructions. Any information WhatsApp shares on this basis cannot be used for the Facebook Companies’ own purposes. We’ve set out further information in our Help Center about how WhatsApp works with the Facebook Companies. [...]
27 DE-HH SA Order, Section III, p. 31.
28 DE-HH SA Order, Section II.2)aa), p. 20.
How We Process Your Information - Provision Of The Services In Accordance With The Terms [...]
Legitimate Interests
We rely on our legitimate interests or the legitimate interests of a third party where they are not outweighed by your interests or fundamental rights and freedoms ("legitimate interests"):
Why And How We Process Your Data:
• [...] To share information with the Facebook Companies to promote safety and security and integrity. See also "How We Work with Other Facebook Companies" for more information.
o Legitimate Interests Relied On: To secure systems and fight spam, threats, abuse, or infringement activities and promote safety and security across the Facebook Company Products.
o Data Categories Used: We use information described in the "Information You Provide," "Automatically Collected Information," and "Third-Party Information" sections of this Privacy Policy for this purpose.”
42. WhatsApp’s FAQ “How we work with the Facebook Companies” (emphasis added underlined):
“Why does WhatsApp share information with the Facebook Companies?
WhatsApp works and shares information with the other Facebook Companies to receive services like infrastructure, technology, and systems that help us provide and improve WhatsApp and to keep WhatsApp and the other Facebook Companies safe and secure. When we receive services from the Facebook Companies, the information we share with them is used to help WhatsApp in accordance with our instructions. Working together allows us for example to:
• [...] Ensure safety, security, and integrity across WhatsApp and the Facebook Company Products by removing spam accounts and combating abusive activity. [...].
What information does WhatsApp share with the Facebook Companies?
[...] WhatsApp also shares information with other Facebook Companies when this is necessary for the purpose of promoting safety, security, and integrity across the Facebook Companies.
This includes the sharing of information that enables Facebook and the other Facebook Companies to determine whether a certain WhatsApp user is also using other Facebook Company Products, and to assess whether the other Facebook Companies need to take action, either against such user or to protect them. For example, WhatsApp could share the information that is necessary to enable Facebook to also take action against an identified spammer on Facebook, such as information on the incident(s) as well as the phone number they verified when they signed up for WhatsApp or device identifiers associated with the same device or account. Any such transfer is carried out in accordance with the “Our Legal Basis For Processing Data” section of the Privacy Policy.
How is my WhatsApp information used by the Facebook Companies?
• [...] To keep WhatsApp and other Facebook family services safe and secure.
o We share information with the other Facebook Companies in accordance with the “Our Legal Basis For Processing Data” section of the Privacy Policy, and vice versa, to help fight spam and abuse on our Services, help keep them secure, and promote safety, security, and integrity on and off our Services. So if, for example, any member of the Facebook Companies discovers that someone is using its services for illegal purposes, it can disable their account and notify the other Facebook Companies so that they can also consider doing the same. In this way, we only share information for this purpose in relation to users that have first been identified as having violated our Terms of Service or threatened the safety or security of our users or others, about which other members of our family of companies should be warned.
o To keep WhatsApp and other Facebook Companies' services safe and secure, we need to understand which accounts across the Facebook Companies relate to the same user, so we can take appropriate action when we identify a user who violates our Terms of Services or presents a safety or security threat to others.”
43. In their written submissions to the EDPB, Facebook IE and WhatsApp IE referred to the Commitments made to the WP29 and the IE SA, i.e., “[...] following the GDPR Update [in 2018] WhatsApp intended to commence the sharing of its EU users’ data with Facebook on a controller-to-controller basis for safety and security purposes only. We made this clear to our users in the User Engagement Flow and our Privacy Policy as well as explaining to users the legal bases on which we will rely for this sharing, which includes legitimate interest, contractual necessity, vital interests and public interest”. It also includes the following: “However, it’s important to note that WhatsApp has not yet commenced the sharing of this data with Facebook on this basis. Whilst we plan to commence this sharing in the foreseeable future, we can confirm that WhatsApp will only do so following further engagement and consultation with [the IE SA]. For your information, as and when we do commence this sharing (which, as I say, will only follow further engagement and consultation with your Office) our current intention is that it would only involve sharing of data on a case by case basis, for example sharing of data related to individuals previously identified as a safety or security risk.”
44. Facebook IE also stated that: “The current status quo is that Facebook companies other than WhatsApp Ireland (collectively “Facebook”) process WhatsApp user data shared by WhatsApp Ireland as processors acting on the latter’s behalf and under its instructions. Neither Facebook Ireland nor any of the other Facebook companies are conducting any of the Alleged Processing29 – i.e.
no Facebook companies, other than WhatsApp Ireland, are processing such WhatsApp user data as controllers (the “Status Quo”)”30.
45. This statement was further confirmed in the Affidavit31, according to which “It has also been confirmed to me by WhatsApp Ireland that German WhatsApp users’ data is not being provided to Facebook Ireland (or any other Facebook Company) by WhatsApp Ireland on a controller-to-controller basis for it to be used for Facebook’s own safety and security purposes. It has been confirmed to me by WhatsApp Ireland that this will only occur in the future following further engagement and consultation with the [IE SA] (who in turn I believe, again, would consult with other supervisory authorities concerned as appropriate under Art. 60 GDPR). Again, I can confirm my understanding from my role at Facebook Ireland that Facebook Ireland supports and adheres to the commitments WhatsApp Ireland has made in this regard.”
29 Facebook’s written submissions to the EDPB dated 25 June 2021, para. 20. In Facebook’s written submissions to the EDPB, ‘Alleged Processing’ is defined by reference to the processing prohibited by the DE-HH SA Order, i.e., “[...] Facebook Ireland [...] processing personal data of WhatsApp users residing in Germany [...] transmitted by WhatsApp Ireland to Facebook Ireland as a controller, for a broadly described list of Facebook Ireland’s own purposes”, para. 3.
30 Facebook’s written submissions to the EDPB dated 25 June 2021, para. 20.
31 This Affidavit was first attached to Facebook’s written submissions to the DE-HH SA, and provided again in Facebook’s written submissions to the EDPB as Annex 2.
46. Facebook IE repeated its support and adherence to the Commitments once more in its written submissions to the EDPB, explaining that “[...]
to remove any possibility for concern in this respect, Facebook Ireland has already provided clear confirmation to the [DE-HH SA] that it supports and adheres to the Commitments and hereby expressly confirms such adherence again.”32
47. In reference to the DE-HH SA’s claim that the Commitments were not legally binding, Facebook IE submitted “[...] that under Article 31 GDPR, WhatsApp Ireland as a controller is legally obligated to cooperate with the [IE SA] as LSA, which has extensive enforcement powers under GDPR as well as Irish law. Therefore, neither WhatsApp Ireland nor Facebook Ireland could simply cease to comply with the Commitments in the manner the [DE-HH SA] alleges. On the contrary, both companies are dedicated to upholding the Commitments [...].”33
48. Furthermore, Facebook IE submitted that the wording included in WhatsApp’s FAQ “How we work with the Facebook Companies” (see relevant extract above) “[...] does not support in any way the allegations made by the [DE-HH SA]. It is not indicative of the Alleged Processing, other than in respect of the planned future controller-to-controller sharing of WhatsApp User Data for safety and security purposes, which (a) has been provided for in WhatsApp’s privacy policies since at least 2016, and which (b) will only be commenced by WhatsApp Ireland following further engagement with the IDPC, in line with the Commitments. This quote otherwise relates (i) to processing which Facebook conducts as a service provider and processor for WhatsApp Ireland’s purposes, on the latter’s behalf and under its instructions; or (ii) to situations where no EU WhatsApp user data is shared.”34
49.
In relation to the quote at stake, the EDPB observes that it expressly sets out that WhatsApp’s user data shared with the other Facebook Companies to receive services from the latter, for example in relation to safety, security and integrity across WhatsApp and the products offered by the other Facebook Companies is done in accordance with WhatsApp IE’s instructions. On Facebook IE’s claim that the extract may concern “situations where no EU WhatsApp user data is shared”, the EDPB notes that such extract is included under the heading “Why does WhatsApp share information with the Facebook Companies?”.
50. According to Facebook IE, the extract from the FAQ “How we work with the Facebook Companies” (see para. 43 above) “is a simplified and accessible explanation of complex technical processing operations, which is designed to assist users of varying sophistication in understanding how their data is being processed by WhatsApp Ireland. It was not intended to provide a detailed explanation of complex legal concepts contained in the GDPR, nor can its wording provide sufficient basis on which to conclude a regulatory process on such matters35”.
51. Based on these statements, the EDPB notes that Facebook IE is unambiguous about the fact that it intends to start processing WhatsApp’s user data as a controller for the purpose of safety, security and integrity of the other Facebook Companies, but is less clear on whether it is currently processing WhatsApp’s user data for that same purpose, as an alleged processor. In its letter addressed to the EDPB on 7 July 2021, Facebook IE stated that this “is not taking place and will not take place premised on the WhatsApp Update”.
52. The EDPB observes that in their current drafting, the statements included in WhatsApp’s user-facing information do not mirror the Commitments by providing an indication to users that this processing
32 Facebook’s written submissions to the EDPB dated 25 June 2021, para. 28.
33 Facebook’s written submissions to the EDPB dated 25 June 2021, para. 27.
34 Facebook’s written submissions to the EDPB dated 25 June 2021, para. 36.
35 Facebook’s written submissions to the EDPB dated 7 July 2021, p. 5.
for safety, security and integrity purpose is, for now, only a plan, whereas the Commitments relating to product improvement and advertising are mirrored in WhatsApp’s user facing information.
53. Transparency obligations stem from Article 5(1)(a) and Article 12(1) GDPR. They are an expression of the principle of fairness in relation to the processing of personal data expressed in Article 8 EU Charter36. Hence, controllers’ public-facing data protection statements aim at explaining to data subjects how and why their personal data are processed and at empowering them to exercise control over their personal data by exercising their rights enshrined in Chapter III GDPR. To that end, it is of the utmost importance that public facing statements mirror the processing undertaken or to be imminently undertaken by controllers, in order to provide a fairly accurate description of what data subjects may reasonably expect in relation to the processing of their personal data when reading privacy policies and other public-facing statements (e.g., FAQs).
54. Therefore, the EDPB shares the DE-HH SA’s position that there are contradictions between the information included in WhatsApp’s user-facing information on the one hand, and the Commitments and Facebook IE’s written submissions on the other hand.
55. According to the GDPR, a controller is “[...] the natural or legal person, [...] which, alone or jointly with others, determines the purposes and the means of the processing of personal data”37, hence is serving its own interests38.
56.
The EDPB remarks that, in the analysis of a processing which may be divided into several smaller processing operations and which involves several actors, it is important to consider whether, at “macro-level”, these processing operations should not be considered as a “set of operations” pursuing a joint purpose using jointly defined means39 . Besides, the EDPB recalls that the underlying objective of attributing the role of controller is to ensure accountability and the effective and comprehensive protection of the personal data, therefore the concept of ‘controller’ should be interpreted in a sufficiently broad way, favouring as much as possible effective and complete protection of data subjectsso as to ensure full effect of EU data protection law, to avoid lacunae and to prevent possible circumvention of the rules, while at the same time not diminishing the role of the processor40 . 57. In relation to the determination of means, the EDPB recalls that a distinction can be made between essential and non-essential means, whereby: Essential means are to be determined by the controller, and are closely linked to the purpose and the scope of the processing (e.g., type of personal data which are processed, duration of the processing, categories of recipients, categories of data subjects). Non-essential means can be determined by the controller or the processor, and concern more practical aspects of implementation (e.g., choice for a particular type of hard- or software or the detailed security measures)41 . 36 See WP29 Guidelines on transparency under Regulation 2016/679, as last revised and adopted on 11 April 2018 (WP260 rev.01), endorsed by the EDPB on 25 May 2018, https://edpb.europa.eu/our-work-tools/our- documents/guidelines/transparency_en, para 2. 37 See Article 4(7) GDPR. 38 See by analogy, EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR (final version after public consultation adopted on 7 July 2021), para 80. 
39 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version, para. 43.
40 EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, para. 14.
41 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version, para. 40.
58. In relation to the concept of joint controllership, the EDPB considers that it “[...] can take the form of a common decision taken by two or more entities or result from converging decisions by two or more entities, where the decisions complement each other and are necessary for the processing to take place in such a manner that they have a tangible impact on the determination of the purposes and means of the processing.”42 As per converging decisions, the EDPB specifies that “[a]n important criterion [...] is whether the processing would not be possible without both parties’ participation in the sense that the processing by each party is inseparable, i.e. inextricably linked.”43 Besides, the EDPB observes that “[j]oint controllership exists when entities involved in the same processing carry out the processing for jointly defined purposes. This will be the case if the entities involved process the data for the same, or common, purposes.”44
59. According to the GDPR, a processor is “[...] the natural or legal person, [...] which processes personal data on behalf of the controller”45, hence is serving the interests of someone else46 and may not carry out processing for its own purpose(s)47.
60. The EDPB takes note of Facebook IE’s claim that the other Facebook Companies only process WhatsApp IE’s user data shared by the latter as WhatsApp IE’s processors, and that the processing identified by the DE-HH SA as being allegedly performed by the other Facebook Companies are processing WhatsApp IE’s user data shared by the latter as controllers, is not taking place48.
61. The EDPB remarks that it is unclear from WhatsApp’s user-facing information, whether the processing of WhatsApp’s user data by WhatsApp IE and the other Facebook Companies, for the common purpose of safety, security and integrity across WhatsApp and the other Facebook Companies is currently being carried out by Facebook IE as a processor acting under the instructions of WhatsApp IE (see for instance (emphasis added underlined): “When we receive services from the Facebook Companies, the information we share with them is used to help WhatsApp in accordance with our instructions. Working together allows us for example to: • [...] Ensure safety, security, and integrity across WhatsApp and the Facebook Company Products by removing spam accounts and combating abusive activity. [...]”49); or being carried by Facebook IE as a (joint) controller with WhatsApp IE (see for instance (emphasis added underlined), “As part of the Facebook Companies, WhatsApp receives information from, and shares information with, the other Facebook Companies to promote safety, security and integrity across the Facebook Company Products, e.g., to fight spam, threats, abuse, or infringement activities, e.g., to fight spam, threats, abuse, or infringement activities.”50).
62. Furthermore, whilst the EDPB acknowledges the Commitments, and the Affidavit, the EDPB notices the use of ambiguous wording by both Facebook IE and WhatsApp IE in both documents (e.g., “shared” could exclude covering other processing operations; “by WhatsApp Ireland” could exclude covering sharing by other Facebook Companies; “any of the Alleged Processing” could exclude covering the processing of WhatsApp users residing outside Germany; “such WhatsApp user data” could exclude WhatsApp users residing outside Germany or WhatsApp user data shared by WhatsApp IE).
42 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version Executive summary.
43 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version para. 55.
44 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version para. 59.
45 See Article 4(8) GDPR.
46 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version para. 80.
47 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version para. 81.
48 Facebook’s written submissions to the EDPB dated 25 June and 7 July 2021.
49 See the FAQ “How we work with the Facebook Companies”, Why does WhatsApp share information with the Facebook Companies?
50 See the FAQ “How we work with the Facebook Companies”, How We Work With Other Facebook Companies
63. In addition, the EDPB observes that the fact that “for the purpose of promoting safety, security, and integrity across the Facebook Companies”51, WhatsApp’s user-facing information refers to the current exchange of data between WhatsApp IE and the other Facebook Companies “[...] to determine whether a certain WhatsApp user is also using other Facebook Company Products, and to assess whether the other Facebook Companies need to take action, either against such user or to protect them”52 and “To keep WhatsApp and other Facebook Companies' services safe and secure, we need to understand which accounts across the Facebook Companies relate to the same user”53, means that, from a practical perspective, WhatsApp’s user data would need to be combined or at least compared with the data of users of products and services offered by the other Facebook Companies.
In their response to the EDPB dated 7 July 2021, Facebook IE and WhatsApp IE submitted that the sharing of WhatsApp’s user data with the other Facebook Companies for Facebook IE’s own purpose of safety and security is not taking place, and did not further comment on any possible combination or comparison of WhatsApp’s user data with other data sets controlled by Facebook IE for the purpose of safety, security and integrity.
64. Should it actually take place in practice, WhatsApp and Facebook Companies’ decision to combine or at least compare at individual level the personal data of their respective users - possibly all data in the case of WhatsApp IE54 in order to understand whether a particular person uses different services of the Facebook Companies, would serve the interests of both WhatsApp IE and the other Facebook Companies; hence would go beyond a controller-to-processor relationship.
65. Indeed, the EDPB notes that since the combination or comparison would aim at assessing if a certain user identified as requiring action on one product or service (e.g., if they send spam or violate WhatsApp’s or Facebook’s terms and conditions) also uses Facebook Companies’ products or services (including WhatsApp IE’s), hence also face possible consequences of their acts on those other accounts, shows that, without such combination or at least comparison of both data sets, the processing would not be possible. In other words, the processing described in the FAQ “How we work with the Facebook Companies” involving actions by both WhatsApp IE and the other Facebook Companies, is inseparable, i.e. inextricably linked.
66. Considering the clear contradictions within WhatsApp’s user-facing information that should reflect the practice, as well as the contradictions between WhatsApp’s user-facing information and the statements made to the EDPB by Facebook IE and WhatsApp IE, including in their letters dated 7 July 2021, the Board considers that there is a high likelihood that Facebook IE already processes WhatsApp user data as a controller or joint controller for the common purpose of the safety, security and integrity of WhatsApp and the Facebook Companies.
51 See the FAQ “How we work with the Facebook Companies”, What information does WhatsApp share with the Facebook Companies?
52 See the FAQ “How we work with the Facebook Companies”, What information does WhatsApp share with the Facebook Companies?
53 See the FAQ “How we work with the Facebook Companies”, What information does WhatsApp share with the Facebook Companies?
54 See FAQ “How we work with the Facebook Companies”, How We Process Your Information > Provision Of The Services In Accordance With The Terms > Legitimate Interests > To share information with the Facebook Companies to promote safety and security and integrity > Data Categories Used: “We use information described in the "Information You Provide," "Automatically Collected Information," and "Third-Party Information" sections of this Privacy Policy for this purpose.”
67. Nonetheless, in the face of the various contradictions, ambiguities and uncertainties noted in WhatsApp’s user-facing information, the Commitments, and Facebook IE and WhatsApp IE’s respective written submissions, the EDPB is not in a position to determine with certainty which processing operations the other Facebook Companies, including Facebook IE, are actually carrying out in relation to WhatsApp’s user data and in which capacity.
68. Accordingly, the EDPB requests the LSA competent for Facebook IE and WhatsApp IE to carry out a statutory investigation to unveil whether Facebook IE has already started to process WhatsApp’s user data for the common purpose of safety, security and integrity of the Facebook Companies, and if so, whether it is acting as a processor on behalf of WhatsApp IE or as a (joint) controller with WhatsApp IE. In particular, to this respect the LSA should analyse the possible combination and/or comparison at individual level the personal data of WhatsApp users with the data of the Facebook Companies which enables the Facebook Companies to understand whether a particular person uses different services of the Facebook Companies, which serves their common purpose of the safety, security and integrity. The EDPB further requests the LSA to carry out a statutory investigation to assess whether Facebook IE has a legal basis to conduct such processing lawfully as a (joint) controller pursuant to Articles 5(1)(a) and 6(1) GDPR.
69. Whilst the EDPB considers that SAs enjoy a certain degree of discretion to decide how to frame the scope of their inquiries, the EDPB recalls that one of the main objectives of the GDPR is to ensure consistency throughout the EU, and the cooperation between the LSA and CSAs is one of the means to achieve this. Therefore, the EDPB calls upon the LSA to make full use of the cooperation tools provided for by the GDPR (including Articles 61 and 62 GDPR) while carrying out such investigation.
4.1.2.2.2 On the alleged infringement of the transparency obligations under GDPR
70. The EDPB takes note of the concerns of the DE-HH SA regarding transparency towards data subjects, in particular in relation to the processing of WhatsApp’s user data for the purpose of security and safety of the Facebook Companies.
However, the EDPB underlines that WhatsApp’s user-facing information for EU users is currently subject to a one-stop-shop procedure led by the IE SA that is due to come to an end shortly.
4.1.3 Improvement of product experience
4.1.3.1 Summary of the position of the DE-HH SA
71. According to the DE-HH SA, it can be read in the FAQ “How we work with the Facebook Companies” that in order to understand how people use WhatsApp services in comparison with other apps and improve the WhatsApp services, WhatsApp can track the use of services and compare these results across the Facebook companies. WhatsApp may be able to match whether the user of a particular WhatsApp account also uses another Facebook company's service55. The DE-HH SA concluded that Facebook IE’s processing for its own purpose of product improvement and advertising is not presented transparently56.
72. Moreover, according to DE-HH SA, with the new terms of use, WhatsApp is expanding the list of data to be exchanged with Facebook in the future. In particular, this relates to Facebook hosting services and “discovering a business” features57. According to DE-HH SA, this means that, in the future, data will also be exchanged between WhatsApp and Facebook for marketing purposes, which Facebook can use for its own purposes, in particular for profiling58.
55 DE-HH SA Order, Section II.2)aa), p. 17.
56 DE-HH SA Order, Section II.2)cc), p. 20.
73. The DE-HH SA notes that the relevant section in the FAQ “How we work with the Facebook Companies” in its version before the consultation letter of the DE-HH SA of 12 April 2021 stated that Facebook does not use “account information” for purpose of improving Facebook product experience and Facebook ads59. According to DE-HH SA, “account information” covers a very broad catalogue of information. It is not clear what is meant by “account information” and which types of data should be assigned to this data category and which should not. The DE-HH SA observes that WhatsApp collects a considerable number of other data categories.
74. The DE-HH SA further states that following the consultation letter of the DE-HH SA of 12 April 2021, the wording of “account information” in the FAQ “How we work with the Facebook Companies” has been expanded to include all personal data. The DE-HH SA notes that while previously in the FAQ “How we work with the Facebook Companies” the use of “account information” by Facebook was described by WhatsApp as “currently” not taking place, it is now only mentioned that WhatsApp is “currently” not passing on60 (all) personal data for these purposes. Thus, the fact that Facebook IE does not actually use WhatsApp users’ data for these purposes is not (any longer) clear from the amended terms and conditions61.
57 DE-HH SA Order, Section II.2)cc), p. 20, the relevant quote: “In the explanations it says (emphasis by the undersigned): “Facebook hosting services: […] Some large businesses need to use hosting services to manage their communication. Which is why we’re giving businesses the option to use secure hosting services from Facebook to manage WhatsApp chats with their customers, answer questions, and send helpful information like purchase receipts. But whether you communicate with a business by phone, email, or WhatsApp, it may use that information for its own marketing purposes, which may include advertising on Facebook. To make sure you’re informed, we clearly label conversations with businesses that are choosing to use hosting services from Facebook. Discovering a business: You may see an ad on Facebook with a button to message a business using WhatsApp. If you have WhatsApp installed on your phone, you’ll have the option to message that business. Facebook may use the way you interact with these ads to personalize the ads you see on Facebook. (emphasis added by author).
Discovering a business: People can already discover businesses on Facebook or Instagram from ads that show a button you can click to message them using WhatsApp. Just like other ads on Facebook, if you choose to click on these ads, it may be used to personalize the ads you see on Facebook. Again, WhatsApp and Facebook cannot see the content of any end to end encrypted messages.“ (emphasis added by author). Here we would like to emphasise once again that WhatsApp and Facebook cannot see the content of end-to-end encrypted messages.“ (see https://faq.whatsapp.com/general/security-and-privacy/about-new-business-features-and-whatsapps-privacy-policy-update/?lang=en).”
58 DE-HH SA Order, Section II.2)cc), p. 20.
59 DE-HH SA Order, Section II.2)cc), p. 20.
60 It should be noted that the exact wording from the WhatsApp Updated terms and the Commitments is “shared”.
61 DE-HH SA Order, Section II.2)cc), p. 21, the relevant quote: “However, it is no longer confirmed that Facebook does not use user data for these purposes, but only that data is not passed on for these purposes. Since then, it has only stated (emphasis added by the undersigned): “We do not share data to use it to improve Facebook products on Facebook or to provide more relevant advertising experiences on Facebook. Currently, WhatsApp does not share your personal data with Facebook to improve your product experience on Facebook or to show you more engaging Facebook ads. This is the result of discussions with the Irish Data Protection Authority and other data protection authorities in Europe. We are constantly working on new ways to improve your experience on WhatsApp and other Facebook company products you use. If we decide in the future to share such data with the Facebook companies for this purpose, it will only be done if the head of the Irish data protection authority agrees to a mechanism that allows such use. We will keep you updated on new experiences we offer and our information practices.””
75. The DE-HH SA makes reference to Facebook’s statements regarding the commitment made by WhatsApp IE not to share EU WhatsApp user data with Facebook for the purpose of Facebook using this data to improve its products or advertisements without prior consultation with the IE SA. The DE-HH SA states that this represents a non-binding commitment and requires no further user’s consent62. The DE-HH SA also stresses that this commitment only refers to the purposes for which WhatsApp IE shares data with Facebook and does not include any commitment by Facebook not to process data for its own purposes63.
76. Regarding the issue of legal basis, the DE-HH SA states that it is not clear whether WhatsApp would consider it necessary to obtain the consent of users for a transfer for these purposes. According to the DE-HH SA, it must be assumed that the transfer of its users’ data to Facebook IE for these purposes on the legal basis of legitimate interest, Article 6(1)(f) GDPR64. The DE-HH SA further states that users lack proper information about such transfers: “In the view of both companies, the legal requirements for data transfer by WhatsApp and processing by Facebook Ireland Ltd for these purposes already exist. The consequence of this is that the users, since they are not requested to give their consent, do not obtain any secure knowledge of a data transfer for these purposes to Facebook Ireland Ltd. Rather, a data transfer for these purposes has been and is being decided and implemented by the companies “behind the scenes”, whereby it is completely unclear for users whether and if so, when and in what form they will become aware of this and whether they will be asked for consent to a data transfer and processing for these purposes or will have the possibility to object to it or not”65.
4.1.3.2 Analysis of the EDPB
77. The EDPB assessed the improvement of product experience purpose66 in relation to the alleged unlawful processing of WhatsApp user data by Facebook IE as a controller and in relation to the alleged infringement of the transparency requirements in WhatsApp’s user-facing information. The EDPB took into account the views of the DE-HH SA, as well as the positions expressed by both Facebook IE and WhatsApp IE.
4.1.3.2.1 On the alleged unlawful processing of WhatsApp user data by Facebook IE as a controller
78. In relation to improvement of product experience, the EDPB notes the following descriptions provided in relevant extracts from WhatsApp’s Privacy Policy (emphasis added underlined): “WhatsApp also works, and shares information with, the other Facebook Companies who act on our behalf to help us operate, provide, improve, understand, customise, support, and market our Services. This includes the provision of infrastructure, technology, and systems, e.g., for providing you with fast and reliable messaging and calls around the world; improving infrastructure and delivery systems; understanding how our Services are used; helping us provide a way for you to connect with businesses; and securing systems. When we receive services from the Facebook Companies, the information we share with them is used on WhatsApp’s behalf and in accordance with our instructions. Any information WhatsApp shares on this basis cannot be used for the Facebook Companies’ own purposes”67.
62 Annex to Facebook’s submissions to the DE-HH SA, para 2.4, p. 7-8, Letter to the EDPB Chair requesting a binding decision of the EDPB according to Art. 66 (2) GDPR, 3 June 2021, p. 6.
63 DE-HH SA, Letter to the EDPB Chair requesting a binding decision of the EDPB according to Art. 66(2) GDPR, 3 June 2021, p. 6.
64 DE-HH SA Order, Section II.2)cc), p. 22.
65 DE-HH SA Order, Section II.2)cc), p. 22.
66 This processing purpose in different parts of the DE-HH SA order is referred as “improvement of the product experience” (see the DE-HH SA order, p. 1) and/or as “Product experiences and Facebook ads” (see the DE-HH SA order, p. 20). In this section, the EDPB assesses the purpose of improvement of product experience in a broad sense. The specific advertisement related elements are addressed by the EDPB in the section 4.1.4 of the current decision.
67 In the Privacy Policy (valid as of 8 February 2021), section “How we work with other Facebook Companies”.
79. The EDPB also notes the relevant extracts from the information included by WhatsApp in its FAQ “How we work with the Facebook Companies” (emphasis added underlined):
“Why does WhatsApp share information with the Facebook Companies? WhatsApp works and shares information with the other Facebook Companies to receive services like infrastructure, technology, and systems that help us provide and improve WhatsApp and to keep WhatsApp and the other Facebook Companies safe and secure. When we receive services from the Facebook Companies, the information we share with them is used to help WhatsApp in accordance with our instructions. Working together allows us for example to:
• Provide you fast and reliable messaging and calls around the world and understand how our Services and features are performing.
• Ensure safety, security, and integrity across WhatsApp and the Facebook Company Products by removing spam accounts and combating abusive activity.
• Connect your WhatsApp experience with Facebook Company Products.
Today, WhatsApp does not share your personal information with Facebook to improve your Facebook product experiences or provide you more relevant Facebook ad experiences on Facebook. We're always working on new ways to improve how you experience WhatsApp and the other Facebook Company Products you use. We'll keep you updated on new experiences we offer and our data practices”68. [...]
“How is my WhatsApp information used by the Facebook Companies? To receive services that will help WhatsApp operate, improve, and develop our business. When WhatsApp shares information with the Facebook Companies in these ways, the Facebook Companies act as service providers and the information we share with them is used to help WhatsApp in accordance with our instructions (emphasis added). We share information with the other Facebook Companies as service providers. Service providers help companies like WhatsApp by providing infrastructure, technologies, systems, tools, information, and expertise to help us provide and improve the WhatsApp service for our users. This enables us, for example, to understand how our Services are being used, and how it compares to usage across the Facebook Companies. By sharing information with the other Facebook Companies, such as the phone number you verified when you signed up for WhatsApp and the last time your account was used, we may be able to work out whether or not a particular WhatsApp account belongs to someone who also uses another service in the Facebook Companies. This allows us to more accurately report information about our Services and to improve our Services. So, for example, we can then understand how people use WhatsApp services compared to their use of other apps or services in the other Facebook Companies, which in turn helps WhatsApp to explore potential features or product improvements (emphasis added). We can also count how many unique users WhatsApp has, for example, by establishing which of our users do not use any other Facebook apps and how many unique users there are across the Facebook Companies. This will help WhatsApp more completely report the activity on our service, including to investors and regulators. [...] We do not share data for improving Facebook products on Facebook and providing more relevant Facebook ad experiences. Today, WhatsApp does not share your personal information with Facebook to improve your Facebook product experiences or provide you more relevant Facebook ad experiences on Facebook. This is a result of discussions with the Irish Data Protection Commission and other Data Protection Authorities in Europe. We're always working on new ways to improve how you experience WhatsApp and the other Facebook Company Products you use. Should we choose to share such data with the Facebook Companies for this purpose in the future, we will only do so when we reach an understanding with the Irish Data Protection Commission on a future mechanism to enable such use. We'll keep you updated on new experiences we offer and our information practices”69.
68 FAQ “How we work with the Facebook Companies”> How is my WA information used by the FB Companies.
80. The EDPB also notes the relevant extracts from the information included by WhatsApp in the Legal Basis notice (emphasis added underlined):
“Provision Of The Services In Accordance With The Terms
We process the data we have about you (as described in the "Information We Collect" section) as necessary to perform our contract with you (the Terms). The categories of data we process will depend on the data you choose to provide and the manner in which you use our Services (which determines the information we collect automatically).
The processing purposes necessary to provide our contractual services are: Why And How We Process Your Data: • To operate, provide, improve, customise, and support our Services as described in the "Our Services" section of our Terms which includes providing ways for you to connect and communicate with other WhatsApp users including businesses. This includes collecting information from you to create a WhatsApp account, connecting you with businesses reachable via WhatsApp, analysing your use of our Services, providing customer support in response to an issue or deleting your data if you choose to close your account. • We use Messaging Metadata for the transmission of the communication; the operation of the Services, including general traffic management and the prevention, detection, investigation and remediation of failures; and for billing, where applicable. • Data Categories Used: We use information described in the "Information You Provide," "Automatically Collected Information," and "Third-Party Information" sections of this Privacy Policy for this purpose. [...] Legitimate Interests We rely on our legitimate interests or the legitimate interests of a third party where they are not outweighed by your interests or fundamental rights and freedoms ("legitimate interests"): Why And How We Process Your Data: • For providing measurement, analytics, and other business services where we are processing data as a controller. • Legitimate Interests Relied On: 69 See FAQ “How we work with the Facebook Companies” > How is my WA information used by the FB Companies? 
Adopted 23 • To provide accurate and reliable aggregated reporting to businesses and other partners, to ensure accurate pricing and statistics on performance, and to demonstrate the value our partners realise using our Services; and • In the interests of businesses and other partners to help them understand their customers and improve their businesses and validate our pricing models, and evaluate the effectiveness and distribution of their services and messages, and understand how people interact with them on our Services. • Data Categories Used: We use information described in the "Information You Provide," "Automatically Collected Information," and "Third-Party Information" sections of this Privacy Policy for these purposes.” 81. According to the submissions of Facebook IE, WhatsApp IE is the sole data controller: “Facebook processes WhatsApp User Data as processor on behalf of WhatsApp Ireland” 70 and the other Facebook companies (including Facebook IE) only process the data of WhatsApp users shared by WhatsApp IE as processors acting under WhatsApp IE instructions71. Facebook IE added that no Facebook companies, including Facebook IE, process the personal data of WhatsApp users shared by WhatsApp IE for Facebook’s own purposes72 . 82. Facebook IE noted that the alleged processing is subject to the commitment that WhatsApp IE made to WP 29 and the EU supervisory authorities that it will not share personal data of WhatsApp users in the EU with other Facebook companies for the purpose of Facebook using this data to improve its products or advertisements, and that no such use will occur without prior engagement with the IE SA in its capacity as LSA and sole interlocutor under Article 56(6) GDPR73. Facebook IE provided an affidavit reaffirming the commitments and confirming that the May Update will not change the status quo74 . 83. 
The EDPB observes that in the Commitments WhatsApp IE, inter alia, committed to not commence sharing WhatsApp data relating to EU users with Facebook to improve Facebook products and advertisements, and should it change, to do so “with continued discussion with [the IE SA]” 75. In its submissions to the EDPB, Facebook IE claimed that this commitment is being followed by WhatsApp IE and the WhatsApp data is not being shared with Facebook for the purpose of Facebook using this data to improve Facebook products or Facebook ad experiences76 . 70 Facebook’s written submissions to DE-HH SA, section 2.11, p. 9. 71 Facebook’s written submissions to DE-HH SA, sections 2.9-2.12, p. 9-10. 72 Facebook’s written submissions to DE-HH SA, for instance section 1.1.A), p. 2. 73 Facebook’s written submissions to DE-HH SA, Annex 1, Letter from WhatsApp Ireland to the Article 29 Working Party dated 4 February 2018, p.1, and Letter from WhatsApp Ireland to the DPC dated 8 June 2018, p.2. In the commitments WhatsApp took towards the WP 29 and the LSA, respectively in February and June 2018, WhatsApp IE: Committed to not commence sharing WhatsApp data relating to EU users with Facebook to improve Facebook products and advertisements, and should it change, to do so “with continued discussion with [the IE SA]”. Confirmed that Facebook will carry on providing services to WhatsApp Ireland as a processor for “areas such as infrastructure, analytics and monetisation”. 74 Facebook’s written submissions to DE-HH SA, Annex 2. 75 Facebook’s written submissions to DE-HH SA, Annex 1, Letter from WhatsApp Ireland to the Article 29 Working Party dated 4 February 2018, p.1, and Letter from WhatsApp Ireland to the DPC dated 8 June 2018, p.2. 76 Facebook’s written submissions to the EDPB dated 25 June 2021, para. 15, 26. Adopted 24 84. 
According to Facebook IE, as the alleged processing77 is not taking place, the statements by the DE-HH SA regarding the legal basis that WhatsApp IE or Facebook IE might rely on for such processing are not relevant to the scope of this urgency procedure. Even if they were, the DE-HH SA’s attempts to proactively prohibit future reliance on legal bases for future processing would be unlawful78.
85. According to Facebook IE, the extract from the FAQ “How we work with the Facebook Companies” (see para. 80 above) is a simplified and accessible explanation of complex technical processing operations, which is designed to assist users of varying sophistication in understanding how their data is being processed by WhatsApp IE. It was not intended to provide a detailed explanation of complex legal concepts contained in the GDPR, nor can its wording provide sufficient basis on which to conclude a regulatory process on such matters. Facebook IE further stated that while it understood from WhatsApp IE that certain processing falling within this simplified description is taking place (e.g. WhatsApp Ireland is using its processor in order to establish how many unique users its service has), it is not relevant to the present proceedings for two reasons: (1) the entity providing these services to WhatsApp Ireland is in fact Facebook, Inc. and (2) Facebook, Inc. handles EU WhatsApp User Data solely as a processor on behalf of WhatsApp IE and not as a controller79. WhatsApp IE stated the same: “[t]he entity providing the services [...] is in fact Facebook, Inc. and the processing of EU WhatsApp User Data involves Facebook, Inc. acting as a “service provider”, i.e. as a processor on behalf of WhatsApp Ireland, and not as a controller”80.
86. Regarding the role of a processor, Facebook IE stated that “there are no other requirements or conditions attached to the concept of a processor and no rules on the types of activities that can be undertaken or the data that can be processed. Contrary [...] the categories or sources of other data processed by an entity are clearly not relevant to determining whether an entity processes specific personal data received from a specific controller as a controller or a processor. As the EDPB acknowledges in its Draft Guidelines: “[t]wo basic conditions for qualifying as processor exist: that it is a separate entity in relation to the controller and that it processes personal data on the controller’s behalf” - both of which are applicable to the processing described in the third Extract”81.
87. Facebook IE further claimed that “WhatsApp Ireland is the entity that determines the purposes and means regarding the processing of EU WhatsApp User Data [...]82. Facebook Inc. handles EU WhatsApp User Data solely in accordance with WhatsApp Ireland’s instructions pursuant to both strict contractual and technical controls. Among other things, these controls prohibit Facebook, Inc. from using EU WhatsApp User Data for its own purposes, and from disclosing any such personal data to any other Facebook companies, including in particular to Facebook Ireland. The outputs of these services received by WhatsApp Ireland from Facebook, Inc. are made available in the form of aggregated information only. Any sharing of this information by WhatsApp Ireland with any other Facebook company could therefore not involve any sharing of EU WhatsApp User Data with that company”83.
77 In Facebook’s written submissions to the EDPB dated 25 June 2021, ‘Alleged Processing’ is defined by reference to the processing prohibited by the DE-HH SA Order, i.e., “[...] Facebook Ireland [...] processing personal data of WhatsApp users residing in Germany [...] transmitted by WhatsApp Ireland to Facebook Ireland as a controller, for a broadly described list of Facebook Ireland’s own purposes”, para 3.
78 Facebook’s written submissions to DE-HH SA, p. 6, para. 1.1 (J).
79 Facebook’s written submissions to the EDPB dated 7 July 2021, p. 5.
80 WhatsApp’s written submissions to the EDPB dated 7 July 2021.
81 Facebook’s written submissions to the EDPB dated 7 July 2021, p. 7.
82 This particular section from Facebook’s written submissions to the EDPB refers to the processing described in the FAQ “How we work with the Facebook Companies” > How is my WA information used by the FB Companies? (See above para. 80 of the current decision).
88. The EDPB firstly recalls that a processor is someone who processes personal data on the controller’s behalf84. “Processing personal data on the controller’s behalf” firstly requires that the separate entity processes personal data for the benefit of the controller85. If the separate entity processes the personal data also for its own benefit, that entity goes beyond the role of the processor. Moreover, the EDPB considers that a processor cannot combine data it processes on behalf of a company with other data it processes as controller without going outside its role as the processor.
89. The EDPB further notes that the concepts of controller and processor are functional concepts: they aim to allocate responsibilities according to the actual roles of the parties. This implies that the legal status of an actor as either a “controller” or a “processor” must in principle be determined by its actual activities in a specific situation, rather than upon the formal designation of an actor as being either a “controller” or “processor” (e.g. in a contract)86.
90.
The EDPB recalls that the underlying objective of attributing the role of controller is to ensure accountability and the effective and comprehensive protection of the personal data, therefore the concept of ‘controller’ should be interpreted in a sufficiently broad way, favouring as much as possible effective and complete protection of data subjects so as to ensure full effect of EU data protection law, to avoid lacunae and to prevent possible circumvention of the rules, while at the same time not diminishing the role of the processor87. Further, the EDPB notes that in the analysis of processing of personal data which may be divided into several smaller processing operations and involve several actors, it is important to consider whether at “macro-level” these processing operations could be considered as a “set of operations” pursuing a joint purpose using jointly defined means88.
91. According to the GDPR, a controller is “[...] the natural or legal person, [...] which, alone or jointly with others, determines the purposes and the means of the processing of personal data”89, and is consequently serving its own interests90. The EDPB recalls that “[j]oint controllership exists when entities involved in the same processing carry out the processing for jointly defined purposes. This will be the case if the entities involved process the data for the same, or common, purposes”91.
92. The EDPB observes that in their current drafting, the statements included in WhatsApp’s public-facing information also include reference to the Commitments by providing an explanation to users that: “WhatsApp does not share your personal information with Facebook to improve your Facebook product experiences or provide you more relevant Facebook ad experiences on Facebook”. The EDPB also takes note of the positions of Facebook IE and WhatsApp IE that WhatsApp IE only shares the WhatsApp user data with the other Facebook Companies for the purposes of receiving services which the other Facebook Companies provide as processors, i.e. controller to processor data sharing92.
83 Facebook’s written submissions to the EDPB dated 7 July 2021, p. 7.
84 GDPR Article 4(8).
85 EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version, para. 78.
86 EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version, para. 12.
87 EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version, para. 14.
88 EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version, para. 43.
89 See Article 4(7) GDPR.
90 See by analogy, EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version, para 80.
91 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, para. 59.
93. The EDPB has serious doubts about the interpretation of the processing role of the other Facebook Companies, including Facebook IE, regarding WhatsApp user data in the present situation as claimed by Facebook IE and WhatsApp IE.
94. The EDPB notes that while the Privacy Policy and the FAQ “How we work with the Facebook Companies” are explicit that WhatsApp data is not shared with Facebook for the purpose of Facebook using this data to improve Facebook products and/or providing more relevant Facebook ad experiences, the FAQ explicitly states that the WhatsApp data is shared with Facebook to understand how WhatsApp “Services are being used, and how it compares to usage across the Facebook Companies”93.
The FAQ adds that “we may be able to work out whether or not a particular WhatsApp account belongs to someone who also uses another service in the Facebook Companies” and that “[w]e can also count how many unique users WhatsApp has, for example, by establishing which of our users do not use any other Facebook apps and how many unique users there are across the Facebook Companies”94 (emphasis added underlined).
95. The EDPB therefore considers that the FAQ “How we work with the Facebook Companies” already incorporates elements that give indication that Facebook actions, insofar as they concern the processing of WhatsApp users’ data for the benefit of the Facebook Companies, including Facebook IE95, go beyond the Commitments, despite the Commitments to consult the IE SA in case of any change.
96. Based on the FAQ “How we work with the Facebook Companies”, it seems apparent that the WhatsApp user data is being compared with the data of the other Facebook Companies, including Facebook IE. Moreover, considering the information provided in the FAQ “How we work with the Facebook Companies”, it could be observed that WhatsApp IE and other Facebook Companies, including Facebook IE, share with each other and possibly combine data, such as phone numbers, in order to understand whether a particular person uses different services (also referred to as “Facebook apps”) of the Facebook Companies, which include Facebook IE96.
97. The EDPB considers that such sharing of data “with Facebook to understand how WhatsApp Services are being used, and how it compares to usage across the Facebook Companies” is likely done not merely for the purpose of improving the products of WhatsApp IE, but also benefits other Facebook Companies, including Facebook IE, for improvement of their products.
92 Facebook’s written submissions to the EDPB of 7 July 2021, p. 3, also WhatsApp’s written submissions to the EDPB of 7 July 2021.
93 See FAQ “How we work with the Facebook Companies” > How is my WA information used by the FB Companies?
94 See FAQ “How we work with the Facebook Companies” > How is my WA information used by the FB Companies?
95 A link inserted in WhatsApp public-facing information sends to a page on WhatsApp explaining that the term ‘Facebook Companies’ refers to Facebook Inc., Facebook IE, Facebook Payments Inc., Facebook Payments International Limited, Facebook Technologies LLC, Facebook Technologies Ireland Limited, WhatsApp LLC, and WhatsApp IE. In this urgent binding decision, the term ‘other Facebook Companies’ refers to all the Facebook Companies except WhatsApp IE.
96 For example, a link inserted in WhatsApp public-facing information sends to a page on WhatsApp explaining the term as follows: “The Facebook Company Products are, together, the Facebook Products and other products provided by the Facebook Companies that are subject to a separate, stand-alone terms of service and privacy policy, including the WhatsApp and Oculus Products (when using an Oculus account)”.
98. Based on the FAQ “How we work with the Facebook Companies”, the EDPB considers it to be likely that the processing of WhatsApp user data is done for the overall (i.e. “macro”) purpose of improving products of the Facebook Companies (inter alia, by assessing “which accounts across the Facebook Companies relate to the same user” and “how WhatsApp Services are being used, and how it compares to usage across the Facebook Companies”). The EDPB observes that, if confirmed, such processing would go beyond the processing of WhatsApp user data for the purpose for improvement of WhatsApp products by WhatsApp IE as the only data controller.
99. The EDPB takes note of the information provided by WhatsApp IE and Facebook IE that the entity providing the above-described services to compare usage across the Facebook Companies is Facebook, Inc. and the processing of EU WhatsApp user data involves Facebook, Inc. acting as a service provider for this purpose. The EDPB raises concerns that the processing of the WhatsApp user data for the purpose for improvement of products is potentially done for the benefit of all the Facebook Companies, and not solely for WhatsApp IE’s own purpose of improvement of WhatsApp products.
100. Therefore, if such circumstances were to be confirmed, the Facebook Companies, including Facebook IE, potentially (jointly) define the purpose and means for this processing97 and in such a case they should be considered as (joint) controllers in this respect98. Accordingly, if these circumstances were confirmed, the EDPB considers that Facebook IE could be regarded as a (joint) controller, i.e. determining the purpose and means of processing the personal data of WhatsApp users in the EU, insofar as the processing is done for the purpose of improvement of Facebook products. However, the Board considers that based on the information available in the present procedure, it is not in a position to reach final conclusions on this matter.
101. The EDPB further considered whether, in case such processing by Facebook IE as a controller was confirmed, Facebook IE would have a legal basis under Article 6(1) GDPR to process the WhatsApp user data for the purpose for improvement of Facebook products lawfully pursuant to Article 5(1)(a) GDPR.
102. Regarding consent as a possible legal basis for such processing by Facebook IE as the controller, based on the information available to the EDPB, there is no indication that consent from users is currently collected regarding such processing99. Therefore, the EDPB considers it unlikely that Facebook IE currently could rely on Article 6(1)(a) GDPR to lawfully conduct such processing of WhatsApp user data.
The EDPB further considers that Facebook IE could not rely on performance of contract legal basis under Article 6(1)(b) GDPR as there are no contractual relations between the WhatsApp users and Facebook IE.
103. The EDPB has serious doubts whether Facebook IE as a (joint) controller could rely on legitimate interest legal basis under Article 6(1)(f) GDPR for the processing of the WhatsApp user data for the purpose of improvement of Facebook products, as in the present case the controller’s interests are likely to be overridden by the interests and fundamental rights and freedoms of the data subjects.
97 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, para. 59.
98 CJEU judgement in case C-210/16 Wirtschaftsakademie, 5 June 2018, para. 30.
99 The EDPB took note that in their submissions WhatsApp IE stated several times that the consent to the new terms is not meant to constitute the consent as a legal basis for processing of personal data under the GDPR. Currently WhatsApp IE collects consent from WhatsApp service users only through the device-based settings to allow access to device information, such as for location, camera and photo, in order to provide the services described when users enable the settings. In the WhatsApp Legal Basis notice.
104. The EDPB recalls that relying on Article 6(1)(f) GDPR requires, first, the identification of a legitimate interest pursued by the controller or by a third party, second a need to process personal data for the purposes of the legitimate interest pursued and a balancing test: the legitimate interest of the controller or third party must be balanced against the interests or fundamental rights and freedoms of the data subject100. The EDPB also recalls that in order to carry out the balancing test it is first important to consider the nature and source of the legitimate interests on the one hand and the impact on the data subjects on the other hand.
The legitimate interests of the controller (or third parties) must be balanced against the interests or fundamental rights and freedoms of the data subject101.
105. While such type of interest, i.e. improvement of products, could be considered to be legitimate102, the EDPB stresses that this commercial interest could be less compelling when weighed against the rights of data subjects103. Therefore, in the present case, when carrying out the balancing test, more prominent weight should be given to the consideration of interests of data subjects and the impact on their rights.
106. Taking into account the high number of WhatsApp users and the large amount of personal data104 that are processed and possibly combined with other data by Facebook IE for the purpose of improvement of products of the Facebook Companies, the EDPB has serious doubts that the controller’s interest would override the interests of data subjects.
107. The EDPB recalls that the reasonable expectations of the data subject, especially with regard to the use and disclosure of the data in the relevant context, is another important element to consider in the balancing test105.
108. Taking into account the above, the EDPB concludes that there is a high likelihood that Facebook IE processes WhatsApp users’ data as a (joint) controller for its own purpose of improvement of product experience. However, considering the Commitments and the submissions of Facebook IE, as well as the limited information available in this procedure, the Board concludes that it does not have sufficient information to verify whether and to what extent such processing takes place in practice and whether such processing by Facebook IE is lawful pursuant to Articles 5(1)(a) and 6(1) GDPR.
109.
Accordingly, the EDPB requests the LSA competent for Facebook IE and WhatsApp IE to carry out a statutory investigation to unveil whether Facebook IE is processing WhatsApp user data for the common purpose of improvement of products of the Facebook Companies as a (joint) controller. In particular, in this respect the LSA should investigate the processing of personal data by the Facebook Companies which enables them to identify whether a particular person uses different services of the Facebook Companies possibly facilitated by the use of unique identifiers and analyse the possible combination or at least comparison of the WhatsApp users’ data with data of the Facebook Companies based on the elements outlined by the EDPB in this section of the current decision.
100 EDPB Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose of facilitating further online transactions, adopted 19 May 2021, para. 7-9.
101 Working Party 29 Opinion WP 217 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, adopted on 9 April 2014, p. 23.
102 Working Party 29 Opinion WP 217 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, adopted on 9 April 2014, p. 25.
103 Working Party 29 Opinion WP 217 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, adopted on 9 April 2014, p. 26.
104 Working Party 29 Opinion WP 217 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, adopted on 9 April 2014, p. 39.
105 Working Party 29 Opinion WP 217 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, adopted on 9 April 2014, p. 50.
110.
The EDPB further requests the LSA to carry out a statutory investigation to assess whether Facebook IE has a legal basis to conduct such processing lawfully as a (joint) controller pursuant to Articles 5(1)(a) and 6(1) GDPR.
111. Whilst the EDPB considers that SAs enjoy a certain degree of discretion to decide how to frame the scope of their inquiries, the EDPB recalls that one of the main objectives of the GDPR is to ensure consistency throughout the EU, and the cooperation between the LSA and CSAs is one of the means to achieve this. Therefore, the EDPB calls upon the LSA to make full use of the cooperation tools provided for by the GDPR (including Articles 61 and 62 GDPR) while carrying out such investigation.
4.1.3.2.2 On the alleged infringement of the transparency obligations under GDPR
112. The EDPB takes note of the concerns of the DE-HH SA regarding transparency, in particular in relation to processing of WhatsApp user data for improvement of products of Facebook, possible contradictions in the privacy policy, and lack of sufficiently detailed, easily accessible and clear information. However, the EDPB underlines that the WhatsApp IE privacy policy is currently subject to a one stop shop procedure led by the IE SA.
4.1.4 Marketing communications and direct marketing
4.1.4.1 Summary of the position of the DE-HH SA
113. Another issue investigated by the DE-HH SA were changes in the Privacy Policy introduced with respect to processing of personal data for marketing purposes. According to the DE-HH SA, with the Updated Terms, WhatsApp IE is expanding the circle of data to be exchanged with Facebook in the future. In its explanations, the DE-HH SA referred to the WhatsApp FAQ page relating to its Privacy Policy (emphasis by the DE-HH SA):
Facebook hosting services: […] Some large businesses need to use hosting services to manage their communication. Which is why we’re giving businesses the option to use secure hosting services from Facebook to manage WhatsApp chats with their customers, answer questions, and send helpful information like purchase receipts. But whether you communicate with a business by phone, email, or WhatsApp, it may use that information for its own marketing purposes, which may include advertising on Facebook. To make sure you’re informed, we clearly label conversations with businesses that are choosing to use hosting services from Facebook.
Discovering a business: You may see an ad on Facebook with a button to message a business using WhatsApp. If you have WhatsApp installed on your phone, you’ll have the option to message that business. Facebook may use the way you interact with these ads to personalize the ads you see on Facebook. (emphasis added by author).
Discovering a business: People can already discover businesses on Facebook or Instagram from ads that show a button you can click to message them using WhatsApp. Just like other ads on Facebook, if you choose to click on these ads, it may be used to personalize the ads you see on Facebook. Again, WhatsApp and Facebook cannot see the content of any end to end encrypted messages.“ (emphasis added by author).
Here we would like to emphasise once again that WhatsApp and Facebook cannot see the content of end-to-end encrypted messages.“ (see https://faq.whatsapp.com/general/security-and-privacy/about-new-business-features-and-whatsapps-privacy-policy-update/?lang=en)
114. According to the DE-HH SA, this Privacy Policy entails that in the future, data will also be exchanged between WhatsApp IE and Facebook IE for marketing purposes, which Facebook IE can use for its own purposes, in particular for profiling106.
115.
As regards the legal basis for the processing of personal data for marketing communications and direct marketing, the DE-HH SA makes reference to the fact that WhatsApp IE claims to rely on the legitimate interests of WhatsApp IE, as well as the legitimate interests of a third party, including Facebook IE. The DE-HH SA points out that “legitimate interests” are not further differentiated despite the update on 15 May 2021107. Therefore, the DE-HH SA finds it not clear whose legitimate interests would be assumed in case of marketing communications and which categories of data are used in connection with the processing for direct marketing purposes. Moreover, the DE-HH SA underlines that under "Third Party Providers", purposes are again listed that do not have to be exclusively those pursued by WhatsApp IE alone, but could also fall under the common purposes of WhatsApp IE and third parties such as Facebook, e.g. "to help you connect with businesses using our services”108. In its Privacy Policy, as an example of legitimate interest, WhatsApp IE mentions “providing an innovative, relevant, safe, and profitable service to our users and partners”109.
116. As pointed out by the DE-HH SA110, in WhatsApp’s privacy policy of 24 April 2018 (https://www.whatsapp.com/legal/privacy-policy-eea), WhatsApp explained the following regarding the legal basis for marketing communications under "How we process your information" (emphasis added by the DE-HH SA):
"Our legitimate interests or the legitimate interests of a third party, unless your interests or fundamental rights and freedoms prevail ("legitimate interests"): […]
o To provide you with marketing communications.
o These are the legitimate interests on which we rely for this processing: To promote Facebook companies' products and publish direct marketing."
117.
The DE-HH SA underlined that while WhatsApp IE referred in the past to the "publication" of direct advertising, in the Updated Terms WhatsApp IE refers to “sending” direct advertising111. According to the DE-HH SA, this update seems to change the way and the form in which direct marketing is sent to users: “The mailing suggests an even more targeted approach to the person concerned, especially by third parties”112.
4.1.4.2 Analysis of the EDPB
118. The EDPB assessed the marketing purpose in relation to the alleged unlawful processing of WhatsApp user data by Facebook IE as a controller, and in relation to the alleged infringement of the transparency requirements in WhatsApp’s user-facing information. The EDPB took into account the views of the DE-HH SA, as well as the position expressed by both Facebook IE and WhatsApp IE.
106 DE-HH SA Order, p. 20.
107 DE-HH SA Order, p. 23.
108 DE-HH SA Order, p. 24.
109 WhatsApp’s Privacy Policy, section “Our Legal Basis For Processing Data”.
110 DE-HH SA Order, p.22.
111 DE-HH SA Order, p.23.
112 DE-HH SA Order, p.24.
4.1.4.2.1 On the alleged unlawful processing of WhatsApp user data by Facebook IE as a controller
119. After comparing the old and updated version of WhatsApp’s user-facing information, the EDPB concludes that the changes made by WhatsApp in relation to the processing of personal data for marketing communications and direct marketing are quite limited in their scope.
120. In relation to marketing, the EDPB notes the following descriptions provided in the relevant extracts from WhatsApp’s Privacy Policy, in particular in the section “How We Use Information”113 (emphasis added underlined):
How We Use Information
“We use information we have (subject to choices you make and applicable law) to operate, provide, improve, understand, customize, support, and market our Services”.
“Communications About Our Services And The Facebook Companies. We use information we have to communicate with you about our Services and let you know about our terms, policies, and other important updates. We may provide you marketing for our Services and those of the Facebook Companies.”
How We Work With Other Facebook Companies
WhatsApp also works, and shares information with the other Facebook Companies who act on our behalf to help us operate, provide, improve, understand, customise, support, and market our Services.
Third Party Information
Third-Party Service Providers. We work with third-party service providers and the Facebook companies to help us operate, provide, improve, understand, customize, support, and market our Services
WhatsApp Provision Of The Services In Accordance With The Terms
We rely on our legitimate interests or the legitimate interests of a third party where they are not outweighed by your interests or fundamental rights and freedoms ("legitimate interests"):
Why And How We Process Your Data:
For providing measurement, analytics, and other business services where we are processing data as a controller.
• Legitimate Interests Relied On:
• For providing marketing communications to you.
• Legitimate Interests Relied On: The legitimate interests we rely on for this processing are: To promote Facebook Company Products and send direct marketing.
121. WhatsApp’s Privacy Policy clearly indicates WhatsApp IE uses data to provide marketing for its services and those of Facebook Companies. This element does not per se imply its sharing of data to Facebook IE, with Facebook IE acting as data controller.
113 https://www.whatsapp.com/legal/updates/privacy-policy/?lang=en.
122.
The EDPB takes into account also Facebook IE’s position, which informed the DE-HH SA that, although WhatsApp’s Privacy Policy enables it to engage in sending direct marketing to WhatsApp’s EU users, to promote WhatsApp IE’s or Facebook IE’s products and services, it currently does not do it in practice and that “It is included in the Privacy Policy should WhatsApp IE decide to commence this processing (which is a standard form of processing for most companies) in the future”114.
123. On the basis of the above excerpts from WhatsApp’s user-facing information, it can also be concluded that WhatsApp IE works with third parties and the other Facebook Companies for marketing purposes. However, there is not enough evidence to prove that the exchange of data is taking place and that in the context of such alleged processing, Facebook IE acts as a controller or a joint controller. At the same time, it should be underlined that WhatsApp’s user-facing information refers to the legitimate interest of third parties as the legal basis and does not explicitly exclude the possibility of sharing of data with Facebook IE for the latter’s direct marketing purposes.
124. Based on the information provided by the DE-HH SA, as well as WhatsApp IE and Facebook IE’s written submissions, it can be concluded that in relation to the processing of personal data for marketing communications and direct marketing, Facebook IE is planning to act, at least as a processor, on behalf of WhatsApp IE. At the same time, the information analysed by the EDPB does not reveal that a data exchange is currently taking place and that Facebook IE processes data of WhatsApp’s users for its own marketing purposes. However, the description of the services and of the roles provided in WhatsApp’s user-facing information is not clear. This matter thus requires further investigation.
125.
In conclusion, the EDPB understands the concerns raised by the DE-HH SA on the need to closely analyse the roles and legal qualification of the parties involved in the processing of WhatsApp’s user data for marketing purposes. However, the EDPB does not have sufficient information in the present procedure to conclude whether Facebook IE is acting as a controller of WhatsApp user data for the purpose of marketing communication and direct marketing.
126. Taking into consideration the lack of clarity in the information part of the file as regards how data are processed, the EDPB calls upon the IE SA to further investigate the role of Facebook IE, i.e. whether Facebook IE acts as a processor or as a (joint) controller, with respect to the processing of WhatsApp user personal data for marketing purposes, taking into due account the matters indicated above by the EDPB.
4.1.4.2.2 On the alleged infringement of the transparency obligations under GDPR
127. The EDPB takes note of the concerns of the DE-HH SA regarding the transparency requirements, in particular in relation to the processing of data for marketing purposes and the fact that WhatsApp’s user-facing information is not transparent on which categories of data are used for the marketing communications115. However, the EDPB underlines that WhatsApp IE’s user-facing information is currently subject to a one stop shop procedure led by the IE SA that is due to come to an end shortly.
4.1.5 WhatsApp Business API
4.1.5.1 Summary of the position of the DE-HH SA
128. The DE-HH SA notes that WhatsApp’s user data are also processed, or may be processed, for the general purpose of providing the so-called “WhatsApp Business API”. “WhatsApp Business API” enables companies to use WhatsApp in their corporate communication systems and to communicate with their contacts and customers. Those companies may rely on third party hosting services to manage their messaging function on their behalf. Facebook IE plans to start offering the WhatsApp Business API service later this year116, i.e. it would host and operate a WhatsApp business client, something that, according to Facebook IE, other service providers already do117.
114 Facebook IE response to the DE-HH SA hearing before issuing the DE-HH SA Order of 10 May 2021, dated 25 April 2021, p.12-13.
115 DE-HH SA Order, p. 24.
129. Facebook IE assured the DE-HH SA that these services would not be offered under the Updated Terms coming into effect, and committed to not launch them in Germany (or the EU) without an additional briefing of the IE SA, in its capacity as LSA.118
130. According to Facebook IE, the Updated Terms aim to clarify inter alia that Facebook IE will, in the future, be one of the service providers that businesses can choose from when implementing the WhatsApp Business API119. Facebook IE underlined that the hosting and operation of a WhatsApp business client by Facebook IE will be completely optional for businesses and will be offered by Facebook IE to businesses in a manner whereby Facebook IE will act as a processor on behalf of and under the instructions of such business customers120. Furthermore, according to Facebook IE, it is clear from WhatsApp’s encryption FAQ121 that the business becomes a controller of any messages it receives from its customers on WhatsApp and that “it is the business’ responsibility to comply with any applicable legal requirements and terms”122.
131. According to the DE-HH SA, the data protection regulations concerning Facebook Business Tools, i.e. the Facebook Controller Addendum123, regulate the joint responsibility between the companies and Facebook IE124. The DE-HH SA notes that WhatsApp, in its Business Data Processing Terms125, considers the use of the WhatsApp Business API as a contract processing126.
However, since WhatsApp offers businesses their presence on WhatsApp, which is comparable to a Facebook page, the DE-HH SA considered that a joint controllership should be applied, in light of the CJEU rulings Wirtschaftsakademie and Fashion ID127 . 132. The DE-HH SA notes that Facebook IE receives, via Facebook Business Tools, business tool data in the form of impression data sent from Facebook social plugins (such as the "Like" and "Share" buttons) and from Facebook Login, as well as from certain APIs such as Messenger Customer Match via the Send API128 . 133. According to the DE-HH SA, once Facebook IE starts helping businesses to set up, host, and operate a WhatsApp business client (WhatsApp Business API), “WhatsApp users' communications with 116 Facebook’s written submissions to the DE-HH SA, p. 14, para. 2.31. 117 Facebook’s written submissions to the DE-HH SA, p. 14, para. 2.31; Facebook’s written submissions to the EDPB dated 25 June 2021, p. 26, para. 37. 118 Facebook’s written submissions to the DE-HH SA, section 1.1, G, p. 5; Facebook’s written submissions to the EDPB dated 25 June 2021, footnote 31. 119 Facebook’s written submissions to the DE-HH SA, p. 14, para. 2.32. 120 Facebook’s written submissions to the DE-HH SA, p. 14, para. 2.31. 121 https://faq.whatsapp.com/general/security-and-privacy/end-to-end-encryption. 122 Facebook’s written submissions to the DE-HH SA, p. 15, para. 2.32. 123 https://www.facebook.com/legal/controller_addendum. 124 DE-HH SA Order, Section II.2) ee), p. 24. 125 https://www.whatsapp.com/legal/business-data-processing-terms 126 https://www.whatsapp.com/legal/business-data-processing-terms 127 The DE-HH SA refers to CJEU, C-210/16, Wirtschaftsakademie, ECLI:EU:C:2018:388 and C-40/17, Fashion ID, ECLI:EU:C:2019:629. 
128 https://www.facebook.com/legal/terms/businesstools/ Adopted 34 companies that can be reached on WhatsApp will become available to Facebook in plain text without end-to-end encryption”.129 The DE-HH SA is of the opinion that the way in which WhatsApp IE refers to these circumstances in its Updated Terms is “non-transparent” and “partly contradictory”130 . 134. The DE-HH SA considers that it is unclear from the wording of WhatsApp’s FAQ page131 summarising information about the Updated Terms that "personal conversations" protected by end-to-end encryption include only those that are not conducted with companies via a vendor and not all conversations of private users132 . 135. According to the DE-HH SA, from the terms of the WhatsApp Privacy Policy133, “it is hardly discernible that with regard to a communication with companies using the WhatsApp business client, there is no end-to-end encryption of the messages and Facebook Ireland Ltd. can be granted access to information on messages and their content”. The DE-HH SA quotes in particular parts of WhatsApp’s Privacy Policy (‘Information You Provide’) where it is stated that WhatsApp IE does not retain users’ messages in the ordinary course of providing its services, but there is a description of two situations where WhatsApp IE may store its users’ messages in the course of delivering them, i.e. for undelivered messages and media forwarding134. The DE-HH SA then compared this information with the information provided by WhatsApp on its Encryption FAQ webpage under the title “About end-to-end encryption”, and more specifically, to the sections entitled “Personal Messaging” and “Business Messaging” 135 . The DE-HH SA considered that “for WhatsApp users, it remains unclear in which situations their personal data and message content are processed by Facebook Ireland Ltd” because “different, sometimes contradictory information is communicated to them at different levels” 136 . 136. 
Furthermore, according to the DE-HH SA, it is not apparent to WhatsApp IE’s users when they communicate with Facebook IE as a vendor, and whether their data found in the specific communication can be used for advertisements on Facebook[137]. The DE-HH SA was of the opinion that WhatsApp IE “ultimately intends, on the basis of its amended terms of service, to transmit message content to Facebook Ireland Ltd. with the purpose of enabling Facebook Ireland Ltd. to personalise advertisements” and referred to Facebook IE and WhatsApp IE as to “both data controllers”.[138]

137. The DE-HH SA reached the conclusion that it was not made transparent to WhatsApp’s users that the processing operations of WhatsApp IE and Facebook IE will “merge even more with each other through the new business model”[139] and that the legal basis for such data processing by Facebook IE was not sufficiently clear from the Updated Terms.

138. According to Facebook IE, the allegation that WhatsApp IE plans to share message content with Facebook IE to enable the personalisation of advertising on Facebook cannot be derived from the wording of the FAQ on encryption and ensures that every message sent on WhatsApp uses the same industry leading signal protocol that protects messages from before they are sent until they are delivered to the intended recipient, meaning that WhatsApp IE cannot grant access to Facebook IE or any other third party to such content[140].

[129] DE-HH SA Order, Section II.2) ee), p. 25.
[130] DE-HH SA Order, Section II.2)ee), p. 25, para. 2.
[131] https://faq.whatsapp.com/general/security-and-privacy/were-updating-our-terms-and-privacy-policy/
[132] DE-HH SA Order, Section II.2)ee), p. 25, para. 3.
[133] https://www.whatsapp.com/legal/updates/privacy-policy-eea (footnote 25 of the DE-HH SA Order)
[134] DE-HH SA Order, Section II.2)ee), pp. 25-26.
[135] https://faq.whatsapp.com/general/security-and-privacy/end-to-end-encryption/
[136] DE-HH SA Order, Section II.2)ee), p. 26.
[137] DE-HH SA Order, Section II.2)ee), p. 27.
[138] DE-HH SA Order, Section II.2)ee), p. 26.
[139] DE-HH SA Order, Section II.2)ee), p. 26, last para.
[140] Facebook’s written submissions to the DE-HH SA, p. 14 para. 2.29 and 2.30.

4.1.5.2 Analysis of the EDPB

139. The EDPB assessed the WhatsApp Business API purpose in relation to the alleged unlawful processing of WhatsApp IE’s user data by Facebook IE as a controller, as well as in relation to the alleged infringement of the transparency requirements in WhatsApp’s user-facing information. The EDPB took into account the views of the DE-HH SA, as well as the position expressed by both Facebook IE and WhatsApp IE.

4.1.5.2.1 On the alleged unlawful processing of WhatsApp user data by Facebook IE as a controller

140. The EDPB analysed the documents referred to in the DE-HH SA Order with regard to the alleged unlawful processing of WhatsApp’s user data by Facebook IE as a controller for the provision of WhatsApp Business API.

141. The EDPB notes that WhatsApp’s Privacy Policy provides the following information (emphasis added underlined):

“How we use information [...]
Business Interactions. We enable you and third parties, like businesses, to communicate and interact with each other using our services, such as Catalogs for businesses on WhatsApp through which you can browse products and services and place orders. Businesses may send you transaction, appointment, and shipping notifications; product and service updates; and marketing. For example, you may receive flight status information for upcoming travel, a receipt for something you purchased, or a notification when a delivery will be made. Messages you receive from a business could include an offer for something that might interest you. We do not want you to have a spammy experience; as with all of your messages, you can manage these communications, and we will honor the choices you make.
Information You And We Share [...]
Businesses On WhatsApp. We offer specific services to businesses such as providing them with metrics regarding their use of our services.
Third-Party Information [...]
Businesses On WhatsApp. Businesses you interact with using our Services may provide us with information about their interactions with you. We require each of these businesses to act in accordance with applicable law when providing any information to us. When you message with a business on WhatsApp, keep in mind that the content you share may be visible to several people in that business. In addition, some businesses might be working with third-party service providers (which may include Facebook) to help manage their communications with their customers. For example, a business may give such third-party service provider access to its communications to send, store, read, manage, or otherwise process them for the business. To understand how a business processes your information, including how it might share your information with third parties or Facebook, you should review that business’ privacy policy or contact the business directly.
Information you provide [...]
We offer end-to-end encryption for our Services. End-to-end encryption means that your messages are encrypted to protect against us and third parties from reading them. Learn more about end-to-end encryption and how businesses communicate with you on WhatsApp. [...]

142. The EDPB also considered the information provided on WhatsApp’s IE FAQ page which summarises the changes made to the Updated Terms. The following extract is quoted by the DE-HH SA in the DE-HH SA Order[141] (emphasis added underlined):

“[...] Our commitment to your privacy isn’t changing. Your personal conversations are still protected by end-to-end encryption, which means no one outside of your chats, not even WhatsApp or Facebook, can read or listen to them.[142] [...] ”

143.
In addition, the EDPB takes note of the following extract which can be read on WhatsApp FAQ Page “About end-to-end encryption”[143] (emphasis added underlined):

Personal Messaging
WhatsApp's end-to-end encryption is used when you chat with another person using WhatsApp Messenger. End-to-end encryption ensures only you and the person you're communicating with can read or listen to what is sent, and nobody in between, not even WhatsApp. This is because with end-to-end encryption, your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them. All of this happens automatically: no need to turn on any special settings to secure your messages.

Business Messaging
Every WhatsApp message is protected by the same Signal encryption protocol that secures messages before they leave your device. When you message a WhatsApp business account, your message is delivered securely to the destination chosen by the business. WhatsApp considers chats with businesses that use the WhatsApp Business app or manage and store customer messages themselves to be end-to-end encrypted. Once the message is received, it will be subject to the business’s own privacy practices. The business may designate a number of employees, or even other vendors, to process and respond to the message. Some businesses will be able to choose WhatsApp’s parent company, Facebook, to securely store messages and respond to customers. While Facebook will not automatically use your messages to inform the ads that you see, businesses will be able to use chats they receive for their own marketing purposes, which may include advertising on Facebook. You can always contact that business to learn more about its privacy practices.

[141] WhatsApp’s FAQ page referred to by the DE-HH SA in the DE-HH SA Order, p. 25.
[142] https://faq.whatsapp.com/general/security-and-privacy/were-updating-our-terms-and-privacy-policy/. The DE-HH SA uses a translation of this extract which is slightly different than the original English version (DE-HH SA Order, Section II.2) ee), p. 25).
[143] https://faq.whatsapp.com/general/security-and-privacy/end-to-end-encryption/ referred to by the DE-HH SA in the DE-HH SA Order, p. 26.

144. The EDPB took into account the allegations of the DE-HH SA, as well as the views expressed by both Facebook IE and WhatsApp IE.

145. The EDPB notes that despite the wording already provided in WhatsApp’s public-facing information, Facebook IE indicated that Facebook IE is not providing the WhatsApp Business API service yet and plans to start offering it later this year[144]. In addition, the EDPB takes note of the fact that Facebook IE committed, both in its submissions to the DE-HH SA before the issuing of the provisional measures and in its submissions to the EDPB, that it will not launch the service in the EU without prior consultation with the LSA and that, in any event, Facebook IE would only act as a processor on behalf of the businesses using the WhatsApp Business API service[145].

146. In conclusion, the EDPB understands the concerns raised by the DE-HH SA on the need to closely analyse the roles and legal qualification of the parties. The Board is concerned that a potential merging of the WhatsApp IE and Facebook IE processing operations and infrastructures for the provision of WhatsApp Business API would in practice lead to Facebook IE processing of WhatsApp’s user data for its own purposes, such as for personalising advertisements. Bearing in mind that Facebook’s business model is to a large extent based on advertising, the Board takes the view that the LSA should further closely investigate the roles that WhatsApp IE, Facebook IE and the businesses concerned would play in the context of the WhatsApp Business API in order to verify their compliance with the GDPR.

147.
However, the Board considers that, at this stage, it does not have sufficient information in the present procedure to establish with certainty that Facebook IE already started or will soon start processing WhatsApp’s user data in the context of the WhatsApp Business API service as a controller.

148. Therefore, the Board calls upon the LSA to assess the role of Facebook IE, i.e. whether Facebook IE acts as a processor or as a (joint) controller, with respect to the processing of WhatsApp user personal data in the context of the WhatsApp business API. The LSA should further analyse the situations in which businesses decide to rely on Facebook for advertisements and determine whether Facebook IE, when using the content of messages sent via WhatsApp to businesses, would be acting as (joint) controller.

4.1.5.2.2 On the alleged infringement of the transparency obligations under GDPR

149. The EDPB would first like to stress the lack of consistency between the assurance provided by Facebook IE to not launch this process without an additional briefing of the IE SA, in its capacity as LSA[146] and the content of WhatsApp’s user-facing information, which should provide reliable, up-to-date information and reflect WhatsApp IE and Facebook IE’s current roles in the provision of the WhatsApp Business API.

150. The EDPB takes note of the concerns of the DE-HH SA regarding the transparency requirements, in particular in relation to the WhatsApp Business API services. However, the EDPB underlines that WhatsApp’s public-facing information is currently subject to a one-stop-shop procedure led by the IE SA due to come to an end soon.

[144] Facebook’s written submissions to the DE-HH SA, section 2.31, p. 14.
[145] Facebook written submissions to the DE-HH SA, section 1.1, G, p. 5; Facebook’s written submissions to the EDPB dated 25 June 2021, footnote 31.
[146] Facebook’s written submissions to the DE-HH SA, section 1.1, G, p. 5; Facebook’s written submissions to the EDPB dated 25 June 2021, footnote 31.

4.1.6 Cooperation with other Facebook Companies

4.1.6.1 Summary of the position of the DE-HH SA

151. The DE-HH SA notes that WhatsApp IE, in its public-facing information, claims that when it receives services from the other Facebook Companies, WhatsApp IE’s user data are processed by the other Facebook Companies on behalf of WhatsApp IE and according to its instructions[147]. However, the DE-HH SA considered that “The extent to which data is transferred and processed by Facebook Ireland Ltd. for the various purposes is not clear from the terms and conditions”. Besides, the DE-HH SA noted that the condition "when we receive services from other Facebook Companies" remains unclear and “obviously does not refer to cases in which the exchange of data takes place for common purposes or for the purposes of the other Facebook companies”.[148]

152. The DE-HH SA is of the opinion that due to the wording "some device information" and "some of your usage information" it is unclear which categories of data are concerned, and it is also unclear why the aforementioned data processed by Facebook IE are needed for the purpose of receiving services from the other Facebook Companies.[149] The DE-HH SA also noted that “After all, this includes the phone number and account and device information, which are only mentioned by way of example, suggesting that further personal data is shared”[150].

153. According to the DE-HH SA, it can be reasonably assumed, on the basis of the statements included in WhatsApp’s public-facing information, that a number - if not all - personal data collected by WhatsApp IE on its users are already shared or could be shared at any time and used across the other Facebook Companies, including by Facebook IE, for their own purposes[151], including for cooperation.

4.1.6.2 Analysis of the EDPB

154.
The EDPB assessed the cooperation with the other Facebook Companies purpose in relation to the alleged unlawful processing of WhatsApp’s user data by Facebook IE as a controller, as well as in relation to the alleged infringement of the transparency requirements in WhatsApp’s user-facing information. The EDPB took into account the views of the DE-HH SA, as well as the position expressed by both Facebook IE and WhatsApp IE.

4.1.6.2.1 On the alleged unlawful processing of WhatsApp user data by Facebook IE as a controller

155. The EDPB notes that WhatsApp’s FAQ “How we work with the Facebook Companies” provides the following information:

“Why does WhatsApp share information with the Facebook Companies?
WhatsApp works and shares information with the other Facebook Companies to receive services like infrastructure, technology, and systems that help us provide and improve WhatsApp and to keep WhatsApp and the other Facebook Companies safe and secure. When we receive services from the Facebook Companies, the information we share with them is used to help WhatsApp in accordance with our instructions. Working together allows us for example to:
Provide you fast and reliable messaging and calls around the world and understand how our Services and features are performing.
Ensure safety, security, and integrity across WhatsApp and the Facebook Company Products by removing spam accounts and combating abusive activity.
Connect your WhatsApp experience with Facebook Company Products.

What information does WhatsApp share with the Facebook Companies?
In order to receive services from the Facebook Companies, WhatsApp shares the information we have about you as described in the “Information We Collect” section of the Privacy Policy. For example, to provide WhatsApp with analytics services, Facebook processes the phone number you verified when you signed up for WhatsApp, some of your device information (your device identifiers associated with the same device or account, operating system version, app version, platform information, your mobile country code and network code, and flags to enable tracking of the update acceptance and control choices), and some of your usage information (when you last used WhatsApp and the date you first registered your account, and the types and frequency of your features usage) on WhatsApp’s behalf and in accordance with our instructions. [...]

Whose WhatsApp information is shared with the Facebook Companies for these purposes?
We share information for all WhatsApp users if they choose to use our Services. This may include those WhatsApp users who are not Facebook users because we need to have the ability to share information for all of our users, if necessary, in order to be able to receive valuable services from the Facebook Companies and fulfill the important purposes described in our Privacy Policy and this article. In all cases, we share the minimum amount of information that is needed to fulfill these purposes. We also ensure that the information we share is up to date, so if you choose to update your WhatsApp phone number, for example, that number will also be updated by the members of the Facebook family who have received it from us. Importantly, WhatsApp does not share your WhatsApp contacts with Facebook or any other members of the Facebook Companies for use for their own purposes, and there are no plans to do so.”

[147] DE-HH SA Order, Section II.2)aa), p. 16. and p. 18 refers to WhatsApp Privacy Policy’s section “How We Work With Other Facebook Companies”.
[148] DE-HH SA Order, Section II.2)aa), p. 18.
[149] DE-HH SA Order, Section II.2)aa), p. 17.
[150] DE-HH SA Order, Section II.2)aa), p. 17.
[151] DE-HH SA Order, Section II.2)aa), p. 16.

156.
The EDPB also took into account the following extracts from WhatsApp’s Privacy Policy:

“Information We Collect
WhatsApp must receive or collect some information to operate, provide, improve, understand, customize, support, and market our Services, including when you install, access, or use our Services. The types of information we receive and collect depend on how you use our Services. [...]

How We Work With Other Facebook Companies
“When we receive services from the Facebook Companies, the information we share with them is used on WhatsApp’s behalf and in accordance with our instructions. Any information WhatsApp shares on this basis cannot be used for the Facebook Companies’ own purposes. We’ve set out further information in our Help Center about how WhatsApp works with the Facebook Companies.”

157. The EDPB further notes that in its Order the DE-HH SA quoted the following extracts from Facebook’s privacy statement[152]:

"How do Facebook companies work together?
"Facebook and Instagram share infrastructure, systems and technology with other Facebook companies (including WhatsApp and Oculus) to deliver an innovative, relevant, consistent and secure experience across all of the Facebook companies' products that you use. For these purposes, we also process information about you across Facebook companies as permitted by applicable law and in accordance with their terms and policies. For example, we process information from WhatsApp regarding accounts that send spam on the service so that we can take appropriate action against such accounts on Facebook, on Instagram or in Messenger. We also try to find out how people use and interact with Facebook companies' products, for example to find out about the number of individual users on different Facebook companies' products."

Regarding the term "Facebook company", Facebook states[153]:

"In addition to the services offered by Facebook Inc. and Facebook Ireland Ltd, Facebook owns and operates all of the companies listed below in accordance with their respective terms of service and privacy policies. We may share information about you within our group of companies in order to facilitate, support and integrate their activities and to improve our services. For more information about the privacy practices of Facebook companies and how they handle user information, please see the links below:
Facebook Payments Inc. (https://www.facebook.com/payments_terms/privacy) and Facebook Payments International Limited (https://www.facebook.com/payments_terms/EU_privacy)
Onavo (http://www.onavo.com/privacy_policy)
Facebook Technologies, LLC and Facebook Technologies Ireland Limited (https://www.oculus.com/store-dp/).
WhatsApp Inc. and WhatsApp Ireland Limited (http://www.whatsapp.com/legal/#Privacy).
CrowdTangle (https://www.crowdtangle.com/privacy)”

158. The EDPB concludes that, for the processing described by the DE-HH SA, there are not enough elements allowing to conclude that Facebook IE is processing or is going to process WhatsApp’s user data for its own purposes. While Facebook IE, in its submissions to the EDPB, explicitly states that the alleged processing is not taking place, the DE-HH SA fails to provide concrete arguments proving the contrary and does not sufficiently identify the processing at stake.

159. However, due to the lack of sufficient clarity and transparency in WhatsApp’s public-facing information, the EDPB considers it to be extremely difficult, if not impossible, to have a complete overview of the purposes of processing made under the framework for cooperation with the other Facebook Companies (additional to the ones already identified by the EDPB under Sections 4.1.2, 4.1.3., 4.1.4. and 4.1.5) and to verify whether Facebook IE only acts as a processor on behalf of WhatsApp IE for those purposes.

160. Therefore, the Board calls upon the LSA to carry out an investigation to clarify the processing for the purpose of cooperation with the other Facebook Companies and to analyse the processing roles of different parties involved, in particular to verify whether Facebook IE acts as a processor or as a (joint) controller with respect to such processing of WhatsApp user personal data.

[152] DE-HH SA Order, Section II.2)ee), p. 15.
[153] https://www.facebook.com/help/111814505650678?ref=dp. DE-HH SA Order, footnote 10, p. 15.

4.1.6.2.2 On the alleged infringement of the transparency obligations under GDPR

161. Although it cannot be established that Facebook IE acts as a controller for the purpose of cooperation with other Facebook Companies, the EDPB shares the DE-HH SA’s concerns on the lack of clarity and transparency in WhatsApp’s user-facing information.

162. However, the EDPB underlines that WhatsApp’s public-facing information is currently subject to a one-stop-shop procedure led by the IE SA due to come to an end soon.

4.1.7 Conclusion

163. The EDPB considers that it does not have sufficient information in the present procedure to conclude whether infringements are taking place.

4.2 On the existence of urgency to adopt final measures by way of derogation from the cooperation and consistency mechanisms

164. The second main element to assess on the need for the EDPB to order the adoption of final measures is the existence of an urgent situation for the protection of the rights and freedoms of data subjects, which requires the application of Article 66(2) GDPR by way of derogation from the regular consistency and cooperation mechanisms.

165. The possible urgent intervention of the EDPB under Article 66(2) GDPR is exceptional and derogates from the general rules applicable to the consistency or cooperation mechanisms, such as the one-stop-shop procedure.

166.
In the present procedure, the EDPB has to urgently decide and possibly request an SA to adopt final measures to be imposed on a controller or processor. Conversely, the one-stop-shop procedure provides some time for the LSA and CSAs to cooperate before the LSA’s preparation of its draft decision and during the consultation phases provided under paragraphs 4 and 5 of Article 60 GDPR.

167. Considering the fact that the urgency procedure under Article 66(2) GDPR is a derogation to the standard consistency and cooperation mechanisms, it must be interpreted restrictively. Therefore, the EDPB will request final measures under Article 66(2) only if the regular cooperation or consistency mechanisms cannot be applied in their usual manner due to the urgency of the situation.

168. According to Recital 137 GDPR “there may be an urgent need to act in order to protect the rights and freedoms of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded”. While this recital relates to provisional measures based on Article 66(1) GDPR, the adoption of final measures pursuant to Article 66(2) GDPR also requires the existence of urgency, even if the threshold to establish the urgency in that case is higher than in Article 66(1) GDPR situations.

169. The EDPB further considers that the nature, gravity and duration of an infringement, as well as the number of data subjects affected and the level of damage suffered by them, may play an important part when deciding whether or not there is an urgent need to act in a particular case.

170. The GDPR provides for two situations for which the urgency is presumed and does not have to be demonstrated, namely in accordance with Article 62(7) GDPR and Article 61(8) GDPR. The EDPB will therefore first examine whether a legal presumption is applicable in this particular case, and if not, whether there is the existence of urgency in the case at hand.
4.2.1 Possible application of a legal presumption of urgency justifying the need to derogate from the cooperation and consistency mechanisms
4.2.1.1 Summary of the position of the DE-HH SA
171. The DE-HH SA considers that Article 61(8) GDPR is applicable in this case154. Under Article 61(8) GDPR, an urgency is presumed when the SA subject to an information and mutual assistance request from another SA has not provided the information required by Article 61(5) GDPR within one month.
172. In the case at hand, the IE SA shared the Updated Terms with the CSAs on 8 December 2020 using the IMI system, which gave rise to various follow-up questions that the DE-HH SA and other CSAs asked the IE SA in the IMI system. According to the DE-HH SA, the IE SA responded to the DE-HH SA’s letter of 14 January 2021 "by forwarding all the questions asked” by the CSAs to WhatsApp IE “and playing back WhatsApp's answers. The IE SA did not communicate its own position on the [DE-HH SA’s] questions or WhatsApp IE's answers155”.
173. The DE-HH SA responded to this with a letter to the IE SA on 12 February 2021 and urged the IE SA, as the LSA, to conduct its own investigations in order to clear up various ambiguities that remained even after the letter of WhatsApp IE of 5 February 2021. The DE-HH SA underlined that WhatsApp IE and Facebook IE “are sharing data for different purposes of each company156” and that “a legal ground for this cannot be seen157”. The DE-HH SA explicitly pointed out that “in case no deeper inspection was carried out by the [IE SA] as lead authority, we give notice of the possibility of an urgency procedure pursuant to Art. 66 GDPR158”.
174. However, according to the DE-HH SA, “there was no reaction to this request in the form of a statement by the [IE SA] or the opening of an investigation. Rather, the [IE SA] was content of forwarding the letters of various supervisory authorities and with sharing the response letters. The [IE SA] forwarded WhatsApp response letter of 24 February 2021 without comments. Even after a last request from [the DE-HH SA] on 4 March 2021, the [IE SA] did not comment on whether or not it intended to initiate a corresponding investigation159”. According to the DE-HH SA’s formal request to the EDPB to adopt an urgent binding decision, the IE SA did not respond to that date to the DE-HH SA's request to investigate the actual processing operations and data exchange between WhatsApp IE and Facebook IE.
175. In sum, in view of the DE-HH SA, the urgency of the case must therefore already be presumed based on procedural reasons: the DE-HH SA considers to have sent a large number of questions regarding the Updated Terms to the LSA within the framework of the mutual assistance procedure initiated by the IE SA, without having received a response from the IE SA within the meaning of Article 61(5) of the GDPR.
154 DE-HH SA's letter of 3 June 2021 to the EDPB Chair, requesting an urgent binding decision pursuant to Article 66(2) GDPR, p. 9.
155 DE-HH SA Order, p. 12.
156 DE-HH SA's letter of 12 February 2021 to the IE SA.
157 Ibidem.
158 Ibidem.
159 DE-HH SA Order, p. 12.
4.2.1.2 EDPB analysis
176. Article 61(9) GDPR provides the possibility for the European Commission (hereinafter the “EC”) to specify, by means of implementing acts, the format and procedures for mutual assistance and the arrangements for the exchange of information by electronic means between SAs. On 16 May 2018, the EC adopted an implementing act relating to the use of the EC Internal Market Information system for GDPR consistency and cooperation procedures, including for Article 61 GDPR mutual assistance requests (IMI system).160
177. The IMI system provides for a procedure relating to formal Article 61 GDPR requests, technically implementing the legal deadline of one month to reply. Following a request made by the EDPB members, the IMI system also includes a procedure relating to “Voluntary Mutual Assistance requests” (“VMA requests”). This procedure allows an SA to informally ask to or share information with the other SAs (in accordance with Article 57(1)(g) GDPR). Unlike formal Article 61 GDPR requests, the SA receiving a VMA request does not have a legal obligation to answer to that request.
178. The EDPB notes that all the communications between the LSA and the DE-HH SA were made by using the procedure for VMA requests. This VMA request was first initiated by the IE SA when it shared the Updated Terms on 8 December 2020 with the CSAs, and all the further exchanges between the LSA and the DE-HH SA were made within this framework. The DE-HH SA did not formally launch an Article 61 GDPR request in the IMI system to the LSA, but merely sent a letter replying to the VMA request flow initiated by the IE SA.
179. Furthermore, following the DE-HH SA’s hearing letter sent to Facebook IE on 12 April 2021, the LSA wrote on 19 April 2020 to the CSAs to inform them that in its view, “[...] the substance of the text of the revised WhatsApp [IE] privacy policy is largely a carryover of the text of the existing policy and no new text signifying any change in WhatsApp’s position is included regarding the sharing of WhatsApp user data with Facebook or access by Facebook for Facebook’s own purposes”. The IE SA also informed the CSAs that “in March 2021 the DPC commenced a supervision review and assessment of WhatsApp Ireland’s oversight and monitoring of its data processors (chiefly Facebook), including the safeguards, mechanisms and audit processes in place to ensure that Facebook does not use WhatsApp Ireland user data for its own purposes, inadvertently or otherwise”.
180. In light of the above, the EDPB considers that the DE-HH SA has not demonstrated that the LSA failed to provide information in the context of a formal request for mutual assistance under Article 61 GDPR.
181. The EDPB therefore considers that Article 61(8) GDPR is not applicable in this specific case. Accordingly, the urgent nature of the DE-HH SA’s Article 66(2) GDPR request cannot be presumed and needs to be demonstrated.
160 See EC Implementing Decision (EU) 2018/743 of 16 May 2018 on a pilot project to implement the administrative cooperation provisions set out in Regulation (EU) 2016/679 of the European Parliament and of the Council by means of the Internal Market Information System C/2018/2814, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2018.123.01.0115.01.ENG&toc=OJ%3AL%3A2018%3A123%3ATOC.
4.2.2 Existence of urgency outside any GDPR legal presumption and the need to derogate from the cooperation and consistency mechanisms
4.2.2.1 Summary of the position of the DE-HH SA
182. According to the DE-HH SA, the urgent need for adoption of final measures goes hand in hand with the urgency for provisional measures under Article 66(1) GDPR and the risk of serious and irreparable harm for the rights and freedoms of data subjects without the adoption of final measures. The DE-HH SA considers that the Updated Terms lead to a more intensive use of WhatsApp’s user data by Facebook IE, such as location information or message content without a transparent and reasonable legal basis. The DE-HH SA considers that Facebook IE’s infringement of Articles 5(1), 6(1) and 12(1) GDPR will continue if no final measure is adopted.161
183. The DE-HH SA considers that the exceptional risks for the right to data protection of data subjects are imminent. WhatsApp’s users were requested to consent to the Updated Terms by 15 May 2021, which makes imminent the risk of new processing of WhatsApp’s user data by Facebook IE. The DE-HH SA considers that the exceptional intensity of the interference with the right to data protection of data subjects, and the exceptionally high number of data subjects using WhatsApp’s services, require a derogation from the regular cooperation and consistency procedures in order to “safeguard the status quo”.162
184. According to the DE-HH SA, ceasing to use WhatsApp is not likely to be a serious alternative for many users, as it is the most widely used messenger service in Germany, with 58 million active users in 2019, and it is also a closed system. The DE-HH SA further considers that if WhatsApp IE’s users decide to give their consent, they run the risk that their data will be used by Facebook while they cannot see the extent of this use. Once Facebook starts merging WhatsApp’s user data with its own data sets, complete disentanglement of the data sets will no longer be possible.163
185. The DE-HH SA therefore considers that it is unacceptable for data subjects to wait and see how the situation develops, since a fait accompli can be created by Facebook at any time after 15 May 2021. In the DE-HH SA’s view, the fact that similarly worded consents have already been requested from users in the past does not remove the urgency, because these consents are currently being legally renewed, precisely in order to justify a data exchange, at least for the future. The DE-HH SA expects that Facebook products will merge even more and the data transfer between the Facebook Companies will grow164, which will further increase the number of people affected.165
186. Therefore, in the view of DE-HH SA, the exceptional severity of the interference with data subjects’ rights and freedoms results from the number and composition of the persons affected by the processing, as well as from the quality of the interference.166
161 DE-HH SA’s, Letter to the EDPB Chair requesting a binding decision of the EDPB according to Article 66(2) GDPR, 3 June 2021, p. 5.
162 DE-HH SA Order, p. 2; DE-HH SA, Letter to the EDPB Chair requesting a binding decision of the EDPB according to Article 66(2) GDPR, 3 June 2021, pp. 3 and 9.
163 DE-HH SA Order, section II, 1)a), pp. 9-10; DE-HH SA, letter to Facebook IE - Hearing before issuing an order in accordance with Article 58(2)(f) GDPR in conjunction with Article 66(1) GDPR, 12 April 2021, p. 11.
164 The DE-HH SA cited the following references in this context: https://www.areamobile.de/Facebook-Firma-215528/News/Messaging-bei-Facebook-und-Instagramverschmilzt-Zukuenftig-auch-mit-WhatsApp-1359113/; https://www.netzwelt.de/news/179506-whatsapp-facebook-messenger-erste-hinweise-verschmelzung-aufgetaucht.html; https://about.instagram.com/blog/announcements/say-hi-to-messenger-introducing-new-messaging-features-for-instagram
165 DE-HH SA Order, section II, 1)a), pp. 9-10; DE-HH SA, letter to Facebook IE - Hearing before issuing an order in accordance with Article 58(2)(f) GDPR in conjunction with Article 66(1) GDPR, 12 April 2021, p. 11.
166 DE-HH SA, letter to the EDPB Chair requesting a binding decision of the EDPB according to Article 66(2) GDPR, 3 June 2021, p. 7; as well as DE-HH SA Order of 10 May 2021, section II 1)b), p. 9; and DE-HH SA, letter to Facebook IE - Hearing before issuing an order in accordance with Article 58(2)(f) GDPR in conjunction with Article 66(1) GDPR, 12 April 2021, p. 11.
187. The DE-HH SA also refers to Facebook IE’s plans to process the personal data of WhatsApp’s users in the context of the WhatsApp Business API, and argues that the implementation of this processing is imminent.167 The DE-HH SA stated that Facebook IE intends to use WhatsApp's user data, which it receives as a so-called ‘vendor’168, also for its own purposes, by offering companies the publication of personalised advertisements based on the chat messages they exchange with their customers via the WhatsApp Business API. In addition to the large amount of metadata WhatsApp IE transfers to Facebook IE, Facebook IE now also has access to message content and is thus able to create a comprehensive profile of WhatsApp’s users.
188. The DE-HH SA further states that “[e]ven though WhatsApp declares on behalf of Facebook that the messages are not automatically used for advertisements that users then see on Facebook, users of both services do not learn how extensively their data is ultimately shared by both services.” 169 According to the DE-HH SA, this means that “[...] users will be able to be addressed individually and directly with messages from companies, NGOs and political parties, associations and societies on WhatsApp and Facebook” 170. The DE-HH SA considered that “[t]he use of these newly gained possibilities has so far been unmanageable, neither for the persons concerned nor for supervisory authorities. The data pool created by the transmission enables granular profiling, the depth of which is probably unparalleled so far. The mere fact that Facebook receives information about which persons communicate with each other via the metadata and can link this with the information already available at Facebook represents a new, unique quality of intervention.” 171
189. The DE-HH SA is of the opinion that “[t]he receipt of personal data in the context of the exchange of messages between users and companies therefore leads, in the overall view, to a considerably increased quality of intervention in data processing with unforeseeable risks.” 172
190. The DE-HH SA also refers to data protection scandals in the recent past in which Facebook was involved, such as Cambridge Analytica173, and considers that this shows the extent of the danger for the rights and freedoms of data subjects. It further considers this danger to be all the more concrete in view of the upcoming federal elections in Germany in September 2021, and is of the view that “[...] these elections will arouse desires to influence opinion-forming on the part of Facebook's advertisers.” 174
167 DE-Hamburg SA, Letter to the EDPB Chair requesting a binding decision of the EDPB according to Art. 66 (2) GDPR, 3 June 2021, p. 6.
168 The appropriate GDPR terminology would be “processor”.
169 DE-HH SA Order, section II, 1)b), p. 10; DE-HH SA, letter to Facebook IE - Hearing before issuing an order in accordance with Article 58(2)(f) GDPR in conjunction with Article 66(1) GDPR, 12 April 2021, p. 11; DE-HH SA, letter to the EDPB Chair requesting an urgent binding decision of the EDPB according to Article 66(2) GDPR, 3 June 2021, p. 8.
170 DE-HH SA Order, section II, 1)b), p. 10.
171 DE-HH SA Order, section II, 1)b), pp. 10-11.
172 DE-HH SA Order, section II, 1)b), p. 11.
173 The DE-HH SA quoted the following references in this context: UK SA (ICO)'s findings on the Brexit referendum: https://ico.org.uk/about-the-ico/news-andevents/news-and-blogs/2018/07/findings-recommendations-and-actions-from-ico-investigation-into-data-analytics-in-political-campaigns/; EDPB Opinion 2/2019 on the use of personal data in political campaigns: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-03-13-statement-on-elections_en.pdf; Opinion of the Icelandic SA on the use of social media by political parties before general elections - guidance and proposals: https://www.personuvernd.is/information-in-english/greinar/nr/2880.
174 DE-HH SA Order, section II, 1)b), p. 11. In this context, the DE-HH SA quoted the following references: Former NATO Secretary General Anders Fogh Rasmussen on election interference: "Germany is more vulnerable than ever to disinformation", https://www.spiegel.de/politik/deutschland/bundestagswahl-deutschland-ist-gefaehrdeter-denn-je-was-desinformation-angeht-a-f9565251-773d-47d3-9986-b1808dcabf94; Germany is more targeted by Russian disinformation campaigns than any other country in the European Union, according to an EU investigation: https://www.rnd.de/politik/russland-deutschland-laut-eu-im-fokus-russischer-desinformation-LF6PGVYYVKDANH346E5WA7WQG4.html.
191. The DE-HH SA states that Facebook IE and WhatsApp IE’s assertion that “[n]o Alleged Processing is taking place, or will take place, as a consequence of the WhatsApp Update, in line with the present Commitments” does not influence the necessity of the DE-HH SA Order. In DE-HH SA’s view, this assertion only indicates that such processing will not take place as a consequence of the Updated Terms, and that Facebook IE and WhatsApp IE do not deny that such processing is planned to take place in the near future.175
192. The DE-HH SA further states that, from the considerations above, it becomes clear that Facebook IE and WhatsApp IE are of the opinion that users’ consents to another (further) update of WhatsApp’s user-facing information are not necessary for the processing of WhatsApp’s user data by Facebook IE for its own purposes listed in the DE-HH SA Order176. Moreover, the DE-HH SA considers that any actual data transfer is linked to the prerequisite of accepting WhatsApp’s terms of service and privacy policy.177
193. Based on its analysis of WhatsApp IE’s public-facing information, the DE-HH SA considers that data exchanges between WhatsApp and Facebook are currently taking place, or will take place imminently, and that it also implies the sharing of WhatsApp’s user data for Facebook IE’s own purposes.178
175 Joint letter from Facebook IE and WhatsApp IE to the EDPB Chair, dated 14 May 2021, p. 1, quoted by DE-HH SA, letter to the EDPB Chair requesting a binding decision of the EDPB according to Article 66(2) GDPR, 3 June 2021, p. 5.
176 In the view of Facebook IE, the DE-HH SA mistakenly assumes that, by asking users to accept updated Terms of Service as part of the update foreseen in May 2021, WhatsApp IE is seeking to obtain consent in order to be able to rely on Article 6(1)(a) GDPR for an alleged new form of processing. According to Facebook IE, the request to accept new Terms of Service as part of the update is merely a means for WhatsApp IE to obtain contractual acceptance to the latest version of its contractual terms. Facebook IE states that it is not an attempt to obtain consent to data processing pursuant to Article 6(1)(a) GDPR, and is not relied upon as such (Facebook IE’s written submissions to the DE-HH SA, section 1.1 (C), pp. 2-3; and joint letter from Facebook IE and WhatsApp IE to the EDPB, 14 May 2021, p. 2). Facebook IE further states that according to its understanding, WhatsApp IE intends to achieve the following two goals with the update foreseen for May 2021: (1) to improve transparency for data subjects about how WhatsApp IE currently processes their data, specifically in light of the IE SA’s comments and preliminary findings in its ongoing cross-border statutory inquiry on WhatsApp’s public-facing information; and (2) to provide additional information about how messaging a business works on the WhatsApp service (Facebook IE’s written submissions to the DE-HH SA, section 2, 2.15, p. 10; and joint letter from Facebook IE and WhatsApp IE to the EDPB, 14 May 2021, p. 2; as well as WhatsApp IE’s letter to the IE SA, 5 February 2021, pp. 1-2).
177 DE-HH SA, letter to the EDPB Chair requesting an urgent binding decision of the EDPB according to Article 66(2) GDPR, 3 June 2021, p. 6.
178 DE-HH SA, letter to the EDPB Chair requesting an urgent binding decision of the EDPB according to Article 66(2) GDPR, 3 June 2021, p. 8.
4.2.2.2 Analysis of the EDPB
194. As regards the processing relating to WhatsApp Business API data, the previous version of the Updated Terms already informed WhatsApp’s users that “businesses may use another company to assist it in storing, reading and responding to your message on behalf and in support of that business”. The new version of the Privacy Policy made it clear that the other Facebook Companies can become one of those service providers. However, as the Board concluded that, at this stage, there are not enough elements allowing to establish with certainty that Facebook IE already started or will soon start processing WhatsApp’s user data in the context of the WhatsApp Business API service as a controller, the EDPB cannot establish an urgency to intervene under Article 66(2) GDPR.
195. As regards the processing made for the four other purposes identified by the DE-HH SA, including safety, security and integrity, as well as product improvement, the EDPB considers that the elements contained in WhatsApp’s public-facing information, on the basis of which the EDPB considers the existence of a likelihood that Facebook IE is processing WhatsApp’s user data as controller, were already included in the previous version of WhatsApp’s public-facing information179.
196. In the view of the EDPB, the occasion of the adoption of the Updated Terms that contain similar problematic elements as in the previous version cannot, on its own, justify the urgency for the EDPB to order the LSA to adopt final measures under Article 66(2) GDPR. The EDPB therefore considers that there is no urgency for the LSA to adopt final measures in this case.
197. However, EDPB would like to underline the high likelihood that the processing by Facebook IE as controller for both the purpose of safety, security and integrity and the purpose of product improvement is taking place. This important matter requires swift actions to carry out a statutory investigation, in particular for verifying if, in practice, the processing made by the Facebook Companies implying the combination or comparison of WhatsApp IE’s user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated inter alia by the use of unique identifiers, is currently taking place. Considering the existence of references to such processing within WhatsApp’s public-facing information, and the amount of time which has elapsed since 2018, the EDPB is of the view that the IE SA needs to swiftly take action. For this reason, the EDPB, taking note of proceedings and actions already under way by the LSA to investigate matters relating to Facebook IE and WhatsApp IE, requests the LSA to carry out, as a priority matter, an investigation to determine whether such processing activities are taking place or not, and if it is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR.
4.2.3 Conclusion
198. The EDPB considers that there is no urgency for the LSA to adopt final measures.
5 ON THE APPROPRIATE FINAL MEASURES
199. Considering the fact that the conditions relating to the demonstration of the existence of an infringement and urgency are not met (see above points 4.1.7. and 4.2.3), the EDPB concludes that it sees no reason to request the adoption of final measures against Facebook IE.
179 The DE-HH SA already sent a letter to the IE SA on 3 January 2019 underlining the language supporting the view that Facebook IE is processing data as data controller and asking the IE SA to request Facebook IE and WhatsApp IE proof of compliance. The DE-HH SA offered to carry out a joint action.
6 URGENT BINDING DECISION
200. In light of the above and in accordance with the tasks of the EDPB under Article 70(1)(t) GDPR to issue urgent binding decisions pursuant to Article 66 GDPR, the Board issues the following binding decision in accordance with Article 66(2) GDPR:
201. As regards the existence of infringement, based on the evidence provided, there is a high likelihood that Facebook IE already processes WhatsApp’s user data as a (joint) controller for the common purpose of safety, security and integrity of WhatsApp IE and the other Facebook Companies, and for the common purpose of improvement of the products of the Facebook Companies. However, the EDPB is not in a position to determine whether such processing takes place in practice.
202. There is also not sufficient information in the present procedure to establish with certainty that Facebook IE already started to process WhatsApp’s user data as a (joint) controller for its own purposes of marketing communications and direct marketing, and cooperation with the other Facebook Companies, and that Facebook IE already started or will soon start processing WhatsApp’s user data as a (joint) controller for its own purpose in relation to WhatsApp Business API.
203. The EDPB considers that it does not have sufficient information in the present procedure to conclude whether infringements are taking place.
204. On the existence of urgency, the EDPB considers that Article 61(8) GDPR is not applicable in this specific case, hence that the urgent nature of the DE-HH SA’s Article 66(2) GDPR request needs to be demonstrated.
205. The EDPB considers that the occasion of the adoption of the Updated Terms that contain similar problematic elements as the previous version cannot, on its own, justify the urgency for the EDPB to order the LSA to adopt final measures under Article 66(2) GDPR. The EDPB therefore considers that there is no urgency for the LSA to adopt final measures in this case.
206. Taking this into consideration, the EDPB decides that no final measures need to be adopted against Facebook IE.
207. The EDPB considers that the high likelihood of infringements and the lack of information relating to the five purposes identified above justifies the decision to request the IE SA to carry out a statutory investigation, in particular for verifying if, in practice:
- the processing made by the Facebook Companies for the purposes of safety, security and integrity, as well as product improvement, implying the combination or comparison of WhatsApp IE’s user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated for instance by the use of unique identifiers in relation to the purpose of product improvement, are currently taking place, and what are the roles of the Facebook Companies involved;
- Facebook IE has already started to process WhatsApp’s user data as a (joint) controller for its own purposes of marketing communications and direct marketing, as well as cooperation with the other Facebook Companies, and what are the roles of the Facebook Companies involved;
- Facebook IE has already started or will soon start to process WhatsApp’s user data as a (joint) controller for its own purpose in relation to WhatsApp Business API, and what are the roles of the Facebook Companies involved, as well as the role of the businesses, in particular where businesses decide to rely on Facebook for advertisements.
- Facebook IE, when using the content of messages sent via WhatsApp to businesses, would be acting as (joint) controller.
Considering the high likelihood of infringements for the purpose of safety, security and integrity of WhatsApp IE and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies, the EDPB decides that the IE SA shall carry out, as a priority matter, an investigation to determine whether such processing activities are taking place or not, and if it is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR.
7 FINAL REMARKS
208. This urgent binding decision is addressed to the IE SA, the DE-HH SA and the other CSAs.
209. The IE SA shall notify this urgent binding decision to Facebook IE and WhatsApp IE without delay.
210. Once such communication is done by the IE SA, this urgent binding decision will be made public on the EDPB’s website without delay after the notification to Facebook IE.
211. The EDPB considers that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties.
For the European Data Protection Board
The Chair