EDPB - Binding Decision 1/2021 - 'WhatsApp'

From GDPRhub
Revision as of 12:05, 29 September 2021 by FD
EDPB - Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR
Authority: EDPB
Jurisdiction: European Union
Relevant Law: Article 4(24) GDPR
Article 5(1)(a) GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 65(1)(a) GDPR
Article 83 GDPR
Type: Other
Outcome: n/a
Started:
Decided: 28.07.2021
Published: 01.09.2021
Fine: None
Parties: AP (The Netherlands)
BfDI (Germany)
CNIL (France)
DPC (Ireland)
GPDP (Italy)
LfDI Baden-Württemberg (Germany)
NAIH (Hungary)
UODO (Poland)
WhatsApp Ireland
CNPD (Portugal)
National Case Number/Name: Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): English
Original Source: EDPB Decision 1/2021 (in EN)
Initial Contributor: Florence D'Ath

English Summary

The EDPB adopted a binding decision in the context of a dispute opposing the Irish DPA (the DPC) to several other DPAs. This dispute found its origin in a decision drafted by the DPC regarding a number of GDPR infringements by WhatsApp Ireland. The EDPB, after analysing the objections raised by the other concerned DPAs, instructed the DPC to amend its draft decision. In particular, the EDPB ordered the DPC to find additional infringements of the GDPR, and to increase the fine to be imposed on WhatsApp, among others.

Facts

WhatsApp Ireland Ltd. (hereafter, WhatsApp) is an EU-based company of the Facebook group. Its services to consumers include text and voice messages, voice and video calls, as well as image, document and location sharing via a mobile or desktop application. WhatsApp processes both the personal data of its users (i.e. individuals who have created an account with WhatsApp) and the personal data of non-users. Users’ personal data include, among others, a mobile telephone number, which is required to sign up. Non-users’ personal data include data collected by WhatsApp when accessing the address books of its users. WhatsApp’s processing activities are described to data subjects in a privacy policy accessible online.

On 10 December 2018, the Irish DPA (DPC) commenced an “own-volition inquiry” to determine whether WhatsApp Ireland was complying with its obligations pursuant to Articles 12, 13 and 14 GDPR (mandatory information to be provided to data subjects). Although the DPC specified that such inquiry did not concern any specific complaint or request, it admitted that it was prompted by the common theme running across a number of complaints received from data subjects (both users and non-users of WhatsApp services), as well as by a mutual assistance request from the German DPA.

After the inquiry, the DPC published a draft decision (the Draft Decision) in its capacity as lead supervisory authority under Article 56 GDPR. This Draft Decision was then circulated on 24 December 2020 to the other DPAs concerned by the procedure, given the cross-border processing activities carried out by WhatsApp. A number of objections were raised by the German, French, Italian, Hungarian, Dutch, Polish and Portuguese DPAs (the ‘concerned DPAs’). After assessing those objections, the DPC invited WhatsApp to provide submissions on several points, including on the “anonymization/pseudonymisation” process applied by WhatsApp to the personal data of non-users (i.e. individuals who do not have an account with WhatsApp, but whose personal data may be collected via the address books of existing WhatsApp users). The DPC replied to the objections raised by the other DPAs on 1 April 2021 and requested them to share their views on a revised version of the Draft Decision. The views of the concerned DPAs remained, however, in most respects irreconcilable with the position of the DPC, including on the nature and scope of the GDPR infringements and on the method for calculating the fine to be imposed on WhatsApp.

Dispute

Since no compromise could be found between the DPC and the concerned DPAs, on 3 June 2021 the DPC decided to refer the dispute to the EDPB. The task of the EDPB was to issue a binding decision with respect to all the objections raised by the concerned DPAs in accordance with Article 65(1)(a) GDPR (dispute resolution under the consistency mechanism). The dispute concerned in particular the matters listed below.

Legitimate interest as a legal basis

While the DPC had found, in its Draft Decision, that WhatsApp had fully complied with its obligation to inform data subjects about the legitimate interests being relied upon when processing personal data, several concerned DPAs were of the opinion that the information was incomplete and/or unclear, and that WhatsApp was therefore infringing Article 13(1)(d) GDPR.

Qualification of non-users' personal data

While the DPC was unsure whether the personal data of non-users could be considered ‘anonymised’ after being subjected to a ‘lossy hashing procedure’ by WhatsApp, several concerned DPAs were of the opinion that such data were merely pseudonymised and thus still fell within the scope of application of the GDPR.

Scope of the inquiry

While the DPC was arguing that it had purposefully limited the scope of its own-volition inquiry to Articles 12, 13 and 14 GDPR, and that other concerns raised by individual complaints or DPAs should, where necessary, be subject to a separate inquiry and decision, the German and Hungarian DPAs argued that the scope of the inquiry should have been discussed beforehand and partially extended so as to comprise, among others, (i) the use and validity of data subjects’ ‘consent’ as a legal basis for processing personal data, (ii) the existence of data transfers from WhatsApp to other companies of the Facebook group, (iii) the absence of lawful legal basis for processing the personal data of non-users (should those data indeed qualify as ‘personal data’ under Article 4(1) GDPR), and (iv) an assessment as to whether the processing of non-users’ personal data by WhatsApp was infringing the principle of data minimization under Article 5(1)(c) GDPR.

Additional infringement of the principle of transparency

While the DPC referred several times in its Draft Decision to the principles of transparency and accountability enshrined in Articles 5(1)(a) and 5(2) GDPR respectively, it did not discuss whether WhatsApp had infringed these two principles, thereby limiting its analysis to potential infringements of Articles 12, 13 and 14 GDPR only. According to the Hungarian and Italian DPAs, this limited assessment was faulty.

Additional infringement of Article 13(2)(e) GDPR

Article 13(2)(e) GDPR provides that when the provision of personal data is a statutory or contractual requirement, the controller must clearly inform the data subject about it, including about the possible consequences of a failure to provide such data. While the DPC did not discuss the existence of an infringement by WhatsApp of this obligation, the concerned DPAs argued that the point should have been covered by the Draft Decision, given that it had been part of the DPC’s original inquiry and that WhatsApp’s privacy policy was unclear in this respect.

Deadline and actions to be taken by WhatsApp under the compliance order

While the DPC intended, in its Draft Decision, to grant WhatsApp a period of six months to bring its processing operations into compliance by completing seven actions (including amending certain paragraphs of its Privacy Policy), the Hungarian and Dutch DPAs objected to this six-month deadline, considering it unjustifiably long. In addition, the Dutch DPA was of the opinion that ordering WhatsApp to amend its Privacy Policy with a view to better informing non-users about the processing of their personal data would not be an appropriate way to comply with Article 14 GDPR, given that non-users are generally unaware that WhatsApp is processing their personal data in the first place, and are therefore unlikely to spontaneously check WhatsApp’s privacy policy.

Method for calculating the fine

The concerned DPAs had persistent diverging opinions on the interpretation of several paragraphs of Article 83 of the GDPR, as further summarised below.

  • Fining of the ‘gravest infringement’. Article 83(3) GDPR provides that “[i]f a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement” (emphasis added). While the DPC considered that the infringement of Article 14 GDPR by WhatsApp was the ‘gravest’ of all infringements and decided to impose a fine for that infringement alone, noting that the fine could in any case not exceed the maximum amount specified in Article 83(5)(b) GDPR, the German DPA argued that WhatsApp should still be explicitly found to have infringed several provisions of the GDPR. The French and Portuguese DPAs further argued that the DPC should not have calculated the fine for the gravest infringement only, but should have calculated a fine for each infringement, before making sure that the total amount of these combined fines did not exceed the maximum amount set in the GDPR for the gravest of all infringements.
  • Identification of the ‘preceding financial year’ and relevant ‘undertaking’. Article 83(5) GDPR provides that an infringer may be subject to “administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.” While the DPC calculated the fine to be imposed on WhatsApp on the basis of the combined turnover of WhatsApp and Facebook Inc. in the financial year preceding the Draft Decision (i.e. 2019), the German DPA argued that the turnover of the entire Facebook group of companies should be taken into account (which includes other companies such as Instagram), and that the year of reference should be the year preceding the (final) fining decision by the DPC (i.e. 2020).
  • Factors to be taken into account when deciding on the amount of a fine. Articles 83(1) and 83(2) GDPR provide that any fine should be “effective, proportionate and dissuasive”, before listing a series of factors or criteria to be taken into account, such as the nature, gravity and duration of the infringement, its intentional or negligent character, the categories of personal data affected, or any other aggravating or mitigating factor applicable to the circumstances of the case. In its Draft Decision, the DPC proposed to impose a fine of between 30 and 50 million euros on WhatsApp, taking into account, inter alia, (i) the nature, gravity and duration of the infringement, (ii) its intentional or accidental character and (iii) the number of data subjects affected, but excluding other factors such as the turnover or profits of WhatsApp or of the Facebook group. Several concerned DPAs raised objections in this respect. In particular, the German DPA argued that the fine was not dissuasive enough, especially when taking into account the financial capacity of the Facebook group as a whole. The Polish DPA argued that the proposed fine was too unspecific because of the 20 million euro gap between the lowest and highest amounts proposed by the DPC in its Draft Decision. The Hungarian DPA argued that the DPC had not appropriately addressed the intentional character of the infringement by WhatsApp, and that the fine was not dissuasive enough. Finally, the Italian DPA considered that the intentional character of the infringements, as well as other aggravating factors, should have been given more weight in the calculation of the fine.

Holding

On 28 July 2021, the EDPB adopted decision 1/2021 with a view to resolving the dispute between the DPC and the other concerned DPAs regarding the interpretation and application of the GDPR in this particular case. After determining that a majority of the objections raised by the concerned DPAs were both “relevant and reasoned” within the meaning of Article 4(24) GDPR, the EDPB ruled on the merits of each of the retained objections and ordered the DPC to amend several aspects of its Draft Decision. In particular, the EDPB came to the following conclusions:

Legitimate interest as a legal basis

The EDPB agreed with the other DPAs that WhatsApp’s privacy policy did not provide information that was specific enough as to when, by whom and which categories of personal data were processed on the basis of WhatsApp’s or a third party’s ‘legitimate interest’. In particular, the EDPB found that WhatsApp should have clearly differentiated which legitimate interest related to which set of processing operations, and also specified the categories of personal data concerned as well as which entity was pursuing each legitimate interest (pt. 57). Referring to examples provided in its own Transparency Guidelines (wp260rev.01), the EDPB further found that several passages of the privacy policy did not meet the required threshold of clarity and intelligibility. The EDPB therefore instructed the DPC to amend its final decision so as to include an infringement of Article 13(1)(d) GDPR by WhatsApp.

Qualification of non-users’ personal data and additional infringement of Article 14 GDPR

The EDPB agreed with the concerned DPAs that non-users’ personal data could not be considered anonymised after being subjected to WhatsApp’s ‘lossy hashing procedure’. The EDPB reached this conclusion on the basis that WhatsApp had the capacity to single out, and therefore re-identify, data subjects using the hashed data together with the personal data of users, including their address books. The EDPB considered in particular that WhatsApp had failed to demonstrate that the processing environment in which non-users’ data were processed was subject to such organisational and technical measures that the risk of re-identification was purely speculative. In the opinion of the EDPB, the risk was not merely “greater-than-zero” but plausible, given the means available to WhatsApp. The EDPB further clarified that WhatsApp’s statement that it had no intention of re-identifying non-users was irrelevant in this respect: the possibility of re-identifying non-users could materialise irrespective of whether the technical ability was coupled with an actual motivation to do so. The EDPB therefore instructed the DPC to amend its Draft Decision so as to find that the table of ‘lossy hashes’ kept by WhatsApp constitutes personal data. The EDPB further instructed the DPC to amend its Draft Decision so as to find that WhatsApp’s infringement of Article 14 GDPR extends to such data (pt. 299).
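The following is an added illustration, not part of the GDPRhub summary or of the EDPB decision, and not WhatsApp’s actual scheme (the decision does not publish its details). It assumes a constructed lossy hash (SHA-256 truncated to 24 bits), an invented set of registered users and fictional 555 phone numbers, and shows the point the EDPB relied on: a controller that holds both the hash table and users’ uploaded address books can single out the non-users behind each hash using nothing but its own data, so the table is pseudonymous rather than anonymous.

```python
"""Constructed illustration of why a 'lossy hash' table of non-users' numbers is
pseudonymous, not anonymous, when the same controller also holds users' address books.
The hashing scheme, the user set and the phone numbers are all invented for this example."""
import hashlib
from collections import defaultdict

LOSSY_BITS = 24  # assumption: only 24 bits of the digest are kept, so distinct numbers may collide


def lossy_hash(phone: str) -> int:
    """Keep only LOSSY_BITS bits of SHA-256(number). Information is discarded ('lossy'),
    but the mapping from a given number to its hash remains deterministic."""
    digest = hashlib.sha256(phone.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - LOSSY_BITS)


def build_non_user_table(address_books: dict, registered_users: set) -> set:
    """What the controller retains: lossy hashes of uploaded contacts who have no account."""
    table = set()
    for contacts in address_books.values():
        for number in contacts:
            if number not in registered_users:
                table.add(lossy_hash(number))
    return table


def reidentify(table: set, address_books: dict) -> dict:
    """Re-derive, from data the controller itself holds (users' uploaded address books),
    which numbers stand behind each stored hash. No outside information is needed, and
    collisions only shrink the answer to a few candidates drawn from the same contact data."""
    candidates = defaultdict(set)
    for contacts in address_books.values():
        for number in contacts:
            h = lossy_hash(number)
            if h in table:
                candidates[h].add(number)
    return dict(candidates)


def singled_out(table: set, address_books: dict) -> dict:
    """Hashes that resolve to exactly one number: the data subject is 'singled out',
    which is the capability that keeps the data within Article 4(1) GDPR."""
    return {h: next(iter(nums))
            for h, nums in reidentify(table, address_books).items()
            if len(nums) == 1}


# Constructed sample: two registered users and the contacts each of them uploaded.
REGISTERED_USERS = {"+15550100001", "+15550100002"}
ADDRESS_BOOKS = {
    "+15550100001": ["+15550100002", "+15550100003", "+15550100004"],
    "+15550100002": ["+15550100001", "+15550100004", "+15550100005"],
}


def demo():
    """Build the non-user hash table, then resolve it back to numbers from the controller's own data."""
    table = build_non_user_table(ADDRESS_BOOKS, REGISTERED_USERS)
    return table, singled_out(table, ADDRESS_BOOKS)


if __name__ == "__main__":
    table, resolved = demo()
    print(f"{len(table)} lossy hashes stored for non-users")
    for h, number in sorted(resolved.items()):
        print(f"hash {h:06x} -> {number}  (re-identified from address-book data alone)")
```

Running it resolves every stored hash to the non-user number it was derived from, which is the 'means reasonably likely to be used' test applied from the controller's own vantage point.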

Scope of the inquiry

The EDPB rejected the objections of the German and Hungarian DPAs with respect to the need to extend the scope of the inquiry. In particular, the EDPB considered that the objections raised by the two concerned DPAs were not relevant and reasoned enough, as required by Article 4(24) GDPR. With respect to the request of the Hungarian DPA to investigate the validity of ‘consent’ as a legal basis, the EDPB considered that the Hungarian DPA had failed to demonstrate that leaving this point out of the Draft Decision would present a risk for the fundamental rights and freedoms of data subjects, or why such a risk would be substantial and plausible. With respect to the request of the German DPA to investigate data transfers from WhatsApp to other companies of the Facebook group, the EDPB considered that the German DPA had failed to set out which elements of such transfers should have been considered, and that abstract or broad concerns cannot be considered relevant. As a consequence, the EDPB rejected the request to extend the scope of the investigation to this point.

With respect to the request of the German DPA to also analyse the lawfulness of the processing of non-users’ personal data, the EDPB found the objection to be both relevant and reasoned as required by Article 4(24) GDPR. The EDPB however noted that this matter had not been part of the DPC’s original inquiry, and that the file submitted to the EDPB did not contain sufficient elements to allow it to establish the absence or existence of an infringement of Article 6(1) GDPR. After underlining that any concerned DPA could submit a request for mutual assistance under Article 61 GDPR and thereby trigger a new inquiry on that specific point, the EDPB decided not to require the DPC to amend its Draft Decision in this respect.

With respect to the request of the Hungarian DPA to also analyze a possible infringement of the principle of data minimization under Article 5(1)(c) GDPR, in the sense that the processing of personal data of non-users by WhatsApp would be excessive, the EDPB found the objection to be relevant and reasoned enough. The EDPB however noted that WhatsApp had not been required to provide a full submission dedicated to this aspect and that the file did not contain sufficient elements that would allow the EDPB to establish the absence or existence of an infringement of Article 5(1)(c) GDPR. After recalling that each concerned DPA could submit a request for mutual assistance under Article 61 GDPR and thereby trigger a new inquiry on that specific point, the EDPB decided not to require the DPC to amend its Draft Decision in this respect.

Additional infringement of the principle of transparency

According to the EDPB, it is apparent that the GDPR envisages transparency as an overarching concept that governs several provisions and specific obligations. In particular, transparency is enshrined on the one hand as a general principle in Article 5(1)(a) GDPR, and on the other hand as a specific set of information obligations in Articles 12 to 14 GDPR. The EDPB notes that an infringement of the principle and an infringement of the information obligations can each be subject to a separate administrative fine, under Article 83(5)(a) and (b) respectively. On this basis, the EDPB considers that the transparency principle is not circumscribed by Articles 12-14 GDPR, although the latter give a partial concretisation of the former. Whether an infringement of Articles 12-14 GDPR also leads to an infringement of the transparency principle depends on the circumstances. In this particular case, the EDPB notes that the DPC itself acknowledges a ‘significant information deficit’ on the part of WhatsApp which may prevent WhatsApp users from exercising their rights. With respect to non-users, the DPC further acknowledges a “total failure” to provide them with the required information. Given the significance of those shortcomings, the EDPB considers that the DPC should also have found WhatsApp in breach of Article 5(1)(a) GDPR (transparency principle), in addition to the breaches of Articles 12-14 (transparency obligations), and therefore instructed the DPC to amend its Draft Decision accordingly.

Additional infringement of Article 13(2)(e) GDPR

In its Draft Decision, the DPC addressed a recommendation to WhatsApp to clarify when the provision of personal data was a contractual requirement for data subjects. The EDPB agreed with the concerned DPAs that a potential infringement by WhatsApp of its obligation under Article 13(2)(e) GDPR should have been assessed more seriously in the Draft Decision, and that a mere recommendation in this respect was insufficient. The EDPB, after finding that WhatsApp’s privacy policy indeed did not contain this mandatory piece of information, instructed the DPC to amend its Draft Decision in this respect and, more particularly, to find an additional infringement of Article 13(2)(e) GDPR.

Deadline and actions to be taken by WhatsApp under the compliance order

With respect to the six-month period granted to WhatsApp to bring its privacy policy into compliance, the EDPB agreed with the Hungarian DPA that such a deadline was neither appropriate nor proportionate, taking into account the action to be undertaken by WhatsApp and the impact that such a delay would have on the rights of data subjects. The EDPB therefore concluded that it was in the interests of the affected data subjects to provide for a shorter time frame, and instructed the DPC to amend its Draft Decision accordingly. In particular, the EDPB required the DPC to shorten the deadline for compliance to a three-month period. With respect to the objection of the Hungarian DPA on the need to inform non-user data subjects by means other than an online privacy policy, the EDPB acknowledged that many data subjects who do not actively use WhatsApp’s services may not visit the website to retrieve the relevant information. The EDPB however noted that, since the Draft Decision already ordered WhatsApp to give careful consideration to the placement of the privacy policy for non-users, there was as such no need to request the DPC to amend its Draft Decision. The EDPB added that this conclusion was without prejudice to any assessment that the EDPB may be called upon to make in the future, including in any case involving the same parties.

Method for calculating the fine

The EDPB clarified how to interpret and apply Article 83 of the GDPR in several aspects:

  • Fining of the ‘gravest infringement’ (Article 83(3) GDPR). In relation to the objections of several DPAs concerning the application of Article 83(3) GDPR, the EDPB considered that this Article should be interpreted as meaning that the DPC should have calculated a fine for each infringement separately, combined them, and then ensured that the total amount of these fines does not exceed the maximum amount set in the GDPR for the gravest infringement. The EDPB therefore required the DPC to amend its Draft Decision with respect to Article 83(3) GDPR in order to also take into account the other infringements – in addition to the gravest infringement – when calculating the fine, subject to the criteria of effectiveness, proportionality and dissuasiveness in Article 83(1) GDPR.
  • Identification of the ‘preceding financial year’ and of the relevant ‘undertaking’ (Article 83(5) GDPR). In relation to the objection by the German DPA regarding the turnover figure of the preceding financial year, the EDPB agreed with the German DPA and instructed the DPC to amend its Draft Decision in order to: (a) take into account the total turnover of all the component companies of the single undertaking within the meaning of Articles 101 and 102 TFEU; and (b) consider the date of the final decision taken by the DPC pursuant to Article 65(6) GDPR as the event from which the preceding financial year is determined. Consequently, instead of considering only the turnover of WhatsApp Ireland and Facebook Inc. in the year 2019, the DPC was requested to consider the turnover of all the companies of the Facebook group in the year 2020.
  • Factors to be taken into account when deciding on the amount of a fine (Articles 83(1) and 83(2) GDPR). With respect to the fact that the DPC had proposed to impose a fine ranging from 30 to 50 million euros instead of a fixed sum, the EDPB considered that the objection of the Polish DPA was insufficiently reasoned and relevant, and therefore rejected it. With regard to the objections of the Italian and Hungarian DPAs that the intentional character of the infringements called for a higher fine, the EDPB considered that the arguments put forward by the concerned DPAs had failed to provide objective elements indicating the intentionality of the behaviour. With regard to the assessment of the other factors under Article 83(2) GDPR, the EDPB considered that the DPC had adequately qualified the relevance of those elements and, therefore, that the Draft Decision did not need to be amended in this regard. By contrast, relying on principles of competition law, the EDPB found it necessary to recalculate the fine so as to take into account the global annual turnover of the Facebook group in its entirety. It also decided that the fine needed to be recalculated to include the additional infringements found in its decision, as well as some aggravating factors already identified by the DPC which had not been given proper weight. Consequently, the EDPB instructed the DPC to amend its Draft Decision by setting out a higher fine amount.

Comment

This is the second decision that the EDPB has adopted under Article 65(1)(a) GDPR in the context of a dispute between a lead supervisory authority and several other DPAs on the interpretation and application of the GDPR. In both cases, the DPC was acting as the lead supervisory authority.

The EDPB decision is interesting and helpful with respect to many points that still needed clarification, such as the appropriate method for calculating an administrative fine. This decision however also shows the weaknesses of the cooperation and consistency mechanisms put in place by the GDPR, especially when it comes to the scope of the inquiry conducted by the lead supervisory authority and the consequences this may have at a later stage of the procedure. In this case in particular, the German DPA raised an objection with the DPC regarding the scope of its inquiry and asked the DPC to also address one seemingly important aspect of the case: the apparent absence of any valid legal basis for the processing of non-users’ personal data by WhatsApp. Before investigating whether a controller has provided sufficient information to data subjects, determining whether the processing operations are even lawful indeed seems to be a prerequisite. Yet the DPC excluded from the scope of its inquiry any question relating to the lawfulness of WhatsApp’s processing operations on (non-)users’ personal data, and instead focused exclusively on WhatsApp’s obligations to inform data subjects under Articles 12 to 14 GDPR.

In theory, the lead supervisory authority has the obligation to cooperate with the other concerned national DPAs with an “endeavour to reach consensus” (Article 60(1) GDPR). In its binding decision 1/2021, the EDPB added that, even in case of an own-volition inquiry, the lead supervisory authority should seek consensus regarding the scope of the procedure and should anyway frame the scope in such a way that permits the other concerned DPAs to effectively fulfill their role (pt. 225 of EDPB binding decision 1/2021). If, following the request of another DPA, a lead supervisory authority nonetheless refuses to extend its inquiry to one or several additional elements – for whatever reason it may provide –, there is practically no possibility for the other DPA to force the lead supervisory authority to do so, or bring that additional point within the procedure at a later stage. By the time any dispute on the scope of an inquiry would reach the EDPB, the latter will only be able to note that, since this point was not properly investigated and discussed among the parties, the file is incomplete, and no decision on the merits can be taken. The only solution for the other DPA would then be to start a new inquiry on the point that has been overlooked, as part of a separate procedure. This, of course, may lead to significant delays in terms of bringing into compliance unlawful data processing operations, as well as avoidable loss of resources.
