DPC (Ireland) - Whatsapp Ireland Limited - IN-18-5-6

From GDPRhub
DPC - Whatsapp Ireland Limited - IN-18-5-6
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 4 GDPR
Article 5 GDPR
Article 6 GDPR
Article 7 GDPR
Article 9 GDPR
Article 12 GDPR
Article 13 GDPR
Article 21 GDPR
Article 24 GDPR
Article 56 GDPR
Article 58 GDPR
Article 60 GDPR
Article 65 GDPR
Article 77 GDPR
Article 79 GDPR
Article 83 GDPR
Type: Complaint
Outcome: Upheld
Started: 25.05.2018
Decided: 12.01.2023
Published: 19.01.2023
Fine: 5,500,000 EUR
Parties: German Whatsapp user (represented by noyb - European Centre for Digital Rights)
Whatsapp Ireland Limited
National Case Number/Name: Whatsapp Ireland Limited - IN-18-5-6
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): English
Original Source: noyb website (in EN)
Initial Contributor: LR

Following a complaint filed by a German Whatsapp user, the Irish DPA found Whatsapp IE’s processing of personal data for “service improvements” and “security” to be unlawful, and fined the company €5,500,000.

English Summary

Facts

In order to access Whatsapp, an online instant messaging platform ultimately owned and controlled by “Meta Platforms Inc.”, a user was required to accept a series of terms and conditions (the “Terms of Service”) and a Privacy Policy.

Under the GDPR, Whatsapp IE was obliged to have a lawful basis for the processing of any personal data. Article 6(1) GDPR detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Whatsapp platform, all users were required to accept the updated Terms of Service and privacy policy prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Whatsapp account.

A German Whatsapp user, the “data subject” and “complainant”, filed a complaint against Whatsapp IE, the controller. The complainant was represented by “noyb – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Whatsapp IE’s data processing practices on the Whatsapp platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Hamburg DPA (HmbBfDI) and later transferred to the German Federal DPA (BfDI), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”.

Firstly, there existed a clear imbalance of power between controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleged that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is left with no other realistic alternatives.

Secondly, the use of the Whatsapp service is conditional upon the data subject’s consent to collection of their data, when such data processing is not necessary for the provision of the service. Article 7(4) GDPR, which defines the conditions for consent, specifically states that “utmost account shall be taken of whether, inter alia, the performance of a contract… is conditional on consent to the processing that is not necessary for the performance of that contract”. As such, the “consent” upon which the data controller seeks to rely is invalid.

Additionally, the complaint raises the issue of granularity, as the controller relies on an overall bundled consent to anything contained in the terms and the privacy policy. This represents an “all-or-nothing” approach contrary to the requirement of the GDPR for “specific” consent to processing.

Finally, the controller shall enable the data subject to refuse consent without any detriment. However, in this case, the data subject faces significant disadvantage, as their account would be deleted – as a consequence of withdrawal – and they would lose a crucial form of social interaction.

The BfDI referred the case to the Irish DPA (DPC) under Article 56 GDPR, and in accordance with the procedure outlined in Article 60 GDPR.

Responding to the Complainant’s assertions, Whatsapp IE submitted, among other points, that it does not rely on consent as the lawful basis for the relevant processing of personal data. According to the company, “the legitimization of the processing at issue in this inquiry falls under Article 6(1)(b) GDPR [necessary for the performance of a contract] and therefore an assessment under Article 6(1)(b) only is required” (DPC Preliminary Draft Decision, para 3.4).

Holding

In the Final Decision, the DPC identified four issues which had to be addressed (three issues the DPC intended to address and an additional issue on which the EDPB directed the DPC to make a finding).

Issue 1 – Whether Clicking on the “Accept” Button Constitutes or Must be Consent for the Purposes of the GDPR

The DPC proposed, in its draft report, to make two separate findings on this issue: firstly, that Whatsapp IE has not sought to rely on consent in order to process personal data "to deliver the Terms of Service"; and secondly, that Whatsapp IE is not legally obliged to rely on consent in order to do so (2.21).

In two other similar decisions – based on complaints filed by noyb concerning forced consent on the social media platforms Facebook and Instagram – the DPC proposed similar conclusions on the issue of consent, and the EDPB directed it to dismiss these findings (please see IN-18-5-5; IN-18-5-7). In the present case, however, the EDPB decision does not contain any instruction or direction that would require the DPC to disturb proposed Finding 1 (2.22). Nevertheless, given that Finding 1 represented the dismissal/rejection of part of the complaint, a separate decision must be adopted by the supervisory authority of the complainant (HmbBfDI), in accordance with the procedure in Article 60(9) GDPR. Accordingly, the DPC removed its proposed “Finding 1” from its Final Decision (2.23).


Issue 2 – Reliance on Article 6(1)(b) GDPR as a Lawful Basis for Personal Data Processing

The second issue concerns whether Whatsapp IE can rely on Article 6(1)(b) as the lawful basis for processing of personal data. In order to do so, the controller has to demonstrate that such “processing is necessary for the performance of a contract to which the data subject is a party”. Addressing this issue, the DPC first sought to address the question of scope – identifying which processing practices they are concerned with in this context – before moving to the question of contractual necessity as a lawful basis.

In terms of scope, the DPC began by stating that their analysis will be based only on the Whatsapp Terms of Service, and not on the Privacy Policy. In their view, the Privacy Policy is essentially an explanatory document for the purposes of transparency, and not a part incorporated within the Terms of Service (3.4 – 3.5). The DPC then takes issue with the generality, or vagueness, of the complaint, which – in their view – does not identify “specific processing operations by reference to an identifiable body of data with any clarity of precision” (3.6). Furthermore, according to the DPC, the complainant was not entitled to request that the DPC “conduct an assessment of all processing operations carried out by Whatsapp” (3.6). After stating that “the Complaint does, however, focus on a number of particular processing activities and has a specific focus on data processed to facilitate improvements to services and advertising” (3.7), the DPC explains that their draft decision proposed an assessment of whether Whatsapp IE can rely on Article 6(1)(b) GDPR for data processing for service improvements, providing metrics to third parties (such as companies within the same group of companies), and advertising. However, on the question of advertising, the DPC states that “no evidence has been presented by the Complainant that Whatsapp processes personal data for the purpose of advertising” (3.8), and therefore data processing for advertising is not relevant to this inquiry. With regards to “providing metrics to third parties”, the DPC states later in the decision that “any sharing with affiliated companies formed part of the general ‘improvements’ that are carried out pursuant to Article 6(1)(b) GDPR” (3.33). Therefore, the DPC took the view that providing metrics to third parties forms part of service improvements as “any clear delineation between these two forms of processing was artificial” (3.33).
As a result, the DPC restricted the scope of their inquiry to “regular improvements and maintaining standards of security”.

Issuing its Binding Decision, the EDPB disagreed with the DPC’s assessment of scope, stating as follows:

“...the [DPC] did not handle the complaint with all due diligence. The EDPB considers the lack of any basis for Whatsapp IE's processing operations for the purposes of behavioural advertising, the potential processing of special categories of personal data, applicable legal basis for provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, as well as the processing of personal data for the purposes of marketing as an omission” (EDPB – 218).

Accordingly, the EDPB directed the DPC to commence a new inquiry into whether Whatsapp processes data in the ways described (EDPB – 222). The DPC did not conduct this inquiry as, in their view, “that direction cannot be addressed… in this decision”, and proceeded with their analysis, continuing to exclude questions of data processed for the purposes described above. It is also important to note that the DPC, when referring to the EDPB direction on this matter, removed the EDPB's use of the word "omission" and claimed the EDPB merely said the DPC "ought to" engage in the investigation described above. The DPC's decision not to follow the directions of the EDPB Binding Decision, and to reframe its language, is relevant to understanding the case at hand (please see para 2.19).

Regarding the second question, whether the data processing is necessary for the purpose of a contract between Whatsapp IE and its users, the DPC agreed with the complainant’s submissions and the EDPB guidelines that “the ‘core’ functions of a contract must be assessed in order to determine what processing is objectively necessary in order to perform it” (3.27). However, the DPC added that “necessity is to be determined by reference to the particular contract” (3.27) and “it is not for an authority such as the [DPC], tasked with the enforcement of data protection law, to make assessments as to what will or will not make the performance of a contract possible” (3.45). The DPC took a broad approach to determining what is necessary for the performance of a contract based on “the actual bargain which has been struck between the parties” (3.30). The DPC stated “it seemed to me… that Whatsapp’s model and the service being offered is explicitly one that includes improvements to an existing service, and a commitment to upholding certain standards relating to abuse, etc., that is common across all affiliated platforms” (3.42). Accordingly, the Draft Decision “proposed to conclude, in the Draft Decision... that WhatsApp was, in principle, entitled to rely on Article 6(1)(b) GDPR for processing personal data” (3.50).

However, when issuing its Binding Decision, with regard to Article 6(1)(b) GDPR as a lawful basis for data processing and the determination of what is necessary for the performance of a contract, the EDPB stated as follows:

“The EDPB agrees with the IE SA and Whatsapp IE that there is no hierarchy between these legal bases. However, this does not mean that a controller, as Whatsapp IE in the present case, has absolute discretion to choose the legal basis that suits better its commercial interests. The controller may only rely on one of the legal basis established under Article 6 GDPR if it is appropriate for the processing at stake” (EDPB – 100).

"The GDPR makes Whatsapp IE, as a data controller for the processing at stake, directly responsible for complying with the Regulation’s principles, including the processing of data in a lawful, fair and transparent manner, and any obligations derived therefrom. This obligation applies even where the practical application of GDPR principles… is inconvenient or runs counter to the commercial interests of Whatsapp IE and its business model” (EDPB - 101).

"The EDPB agrees that SAs do not have under the GDPR a broad and general competence in contractual matters. However, the EDPB considers that the supervisory tasks that the GDPR bestows on SAs imply a limited competence to assess a contract's validity, insofar as it is relevant to the fulfilment of their tasks under the GDPR" (EDPB - 102).

“[i]t is important to determine the exact rationale of the contract, i.e. its substance and fundamental objective, as it is against this that it will be tested whether the data processing is necessary for its performance” (EDPB – 105).

"the concept of necessity has its own independent meaning under EU law. It must be interpreted in a manner that fully reflects the objective pursued by an EU instrument, in this case, the GDPR" (EDPB - 110).

Turning to the facts of the case, the EDPB outlines a number of factors which, in contradiction to the view of the DPC, support the argument that data processing for service improvements and security is not essential to the contract between Whatsapp IE and its users. The EDPB observes that Whatsapp is under a duty to consider the possibility of less intrusive ways to pursue the stated purpose, for example, “rely on a pool of users, who voluntarily agreed, by providing consent, to the processing of their personal data for this purpose” (EDPB - 109).

Furthermore, the EDPB points to an imbalance of knowledge surrounding the contract, “an average user cannot fully grasp what is meant by processing for service improvements and security features, be aware of its consequences and impact on their rights to privacy and data protection, and reasonable expect it solely based on Whatsapp IE’s Terms of Service” (EDPB – 111). As explained by the EDPB, the DPC has already acknowledged that Whatsapp IE infringed its transparency obligations under the GDPR (see “Issue 3” below), and this undermines the argument that the processing is lawful on the basis of contractual performance. This is because, “one of the parties (in this case a data subject) [has not been] provided with sufficient information to know they are signing a contract, the processing of personal data that it involves, for which specific purposes and on which legal basis, and how this processing is necessary to perform the services delivered… These transparency requirements are not only an additional and separate obligation, but also an indispensable and constitutive part of the legal basis” (EDPB - 117).

The EDPB continues, outlining the inherent risk of a finding in the DPC’s decision that Whatsapp IE can process personal data on the basis of Article 6(1)(b) GDPR:

“[T]here is a risk that the Draft Decision’s failure to establish Whatsapp IE's infringement of Article 6(1)(b) GDPR, pursuant to the interpretation by the [DPC], nullifies this provision and makes theoretically lawful any collection and reuse of personal data in connection with the performance of a contract with a data subject” (EDPB – 119). “This precedent could encourage other economic operators to use the contractual performance legal basis of Article 6(1)(b) GDPR for all their processing of personal data. There would be the risk that some controllers argue some connection between the processing of the personal data of their consumers and the contract to collect, retain, and process as much personal data from their users as possible and advance their economic interests at the expense of the safeguards for data subjects” (EDPB – 120).

In light of all of the above, the EDPB directed the following:

“Processing for the purposes of service improvements and security features performed by Whatsapp IE are objectively not necessary for the performance of Whatsapp IE's alleged contract with its users and are not an essential or core element of it” (EDPB – 121). “Whatsapp IE has inappropriately relied on Article 6(1)(b) GDPR to process the complainant's personal data for the purposes of service improvements and security in the context of its Terms of Service and therefore lacks a legal basis to process the data. The EDPB was not required to examine whether data processing for such purposes could be based on other legal bases because the controller relied solely on Article 6(1)(b) GDPR. Whatsapp IE has consequently infringed Article 6(1) GDPR by unlawfully processing personal data” (EDPB – 122).

Accordingly, under instruction from the EDPB, the DPC altered “Finding 2” of its Draft Decision, finding that “Whatsapp was not entitled to rely on Article 6(1)(b) GDPR to process the Complainant’s personal data for the purpose of service improvement and security in the context of the Whatsapp Terms of Service” (Finding 2).


Issue 3 – Whether Whatsapp Provided the Requisite Information on the Legal Basis for Processing on foot of Article 6(1)(b) GDPR and Whether it did so in a Transparent Manner

On the issue of transparency, Article 13(1) GDPR outlines the information the controller must provide to a data subject at the time when personal data are obtained and Article 12(1) GDPR details the manner in which this data must be provided.

Prior to issuing its decision in the case at hand, the DPC concluded an own-volition inquiry in relation to the extent to which Whatsapp’s Privacy Policy achieved compliance with the GDPR’s transparency framework (“the Whatsapp Decision”). This decision concluded that Whatsapp had infringed Articles 12(1) and 13(1)(c) GDPR, and exercised corrective powers against Whatsapp, including an administrative fine. Therefore, addressing this issue in this Final Decision, the DPC restated the conclusion of the Whatsapp Decision and upheld the aspect of the complaint that identified infringements of the GDPR in this context.


Issue 4 (Additional Issue) – Whether Whatsapp Infringed the Article 5(1)(a) GDPR Principle of Fairness

During the course of the Article 60 GDPR consultation period, the Italian DPA raised an objection to the DPC’s draft decision. The purpose of this objection was to require the amendment of the Draft Decision to include a new finding of infringement of the Article 5(1)(a) GDPR principle of fairness. The DPC decided not to follow the objection, as the “principle of fairness was not examined during the course of this inquiry and, consequently, Whatsapp was not afforded the opportunity to be heard in response to a particularised allegation of wrongdoing” (5.1). The matter was referred to the EDPB, who determined as follows:

“Fairness is an overarching principle which requires that personal data should not be processed in a way that is unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading to the data subject” (EDPB – 143).

"the principle of fairness has an independent meaning and… an assessment of Whatsapp IE’s compliance with the principle of transparency does not automatically rule out the need for an assessment of Whatsapp IE’s compliance with the principle of fairness too" (EDPB - 147).

"the concept of fairness stems from the EU Charter… [it] underpins the entire data protection framework and seeks to address power asymmetries between controllers and data subjects in order to cancel out the negative effects of such asymmetries and ensure the effective exercise of the data subjects’ rights” (EDPB - 148).

“Considering the constantly increasing economic value of personal data in the digital environment, it is particularly important to ensure that data subjects are protected from any form of abuse and deception, intentional or not, which would result in the unjustified loss of control over their personal data… Therefore, the EDPB disagrees with the [DPC]’s finding that assessing Whatsapp IE’s compliance with the principle of fairness ‘would therefore… represent a significant departure from the scope of the inquiry.’ In addition, it is important to note that Whatsapp IE has been heard on the objections and therefore submitted written submissions on this matter” (EDPB – 150).

“Whatsapp has presented its service to users in a misleading manner… The combination of factors, such as the unbalanced relationship between Whatsapp IE and its users, combined with the ‘take it or leave it’ situation that they are facing… systematically disadvantages them, limits their control over the processing of their personal data and undermines the exercise of their rights” (EDPB – 154, 156).

Accordingly, the EDPB instructed the DPC to include a finding of an infringement of the principle of fairness under Article 5(1)(a) of the GDPR by Whatsapp IE, and to “adopt the appropriate corrective measures, by addressing, but without being limited to, the question of an administrative fine for this infringement” (EDPB – 157).

As directed by the EDPB, the DPC found that “Whatsapp has infringed the principle of fairness pursuant to Article 5(1)(a) GDPR".


Summary of Envisaged Action

On the transparency issue, the DPC’s draft decision proposed findings of infringement which overlapped with those that were found to have already occurred in another DPC decision on Whatsapp [see Issue 3 above]. Accordingly, the DPC did not propose the exercise of further corrective powers (7.1). However, as a consequence of the infringements of Article 6(1) and the Article 5(1)(a) principle of fairness that were established by the EDPB, the DPC was further directed by the EDPB to address those infringements by way of the exercise of corrective powers, namely the making of an order to bring processing into compliance and the imposition of an administrative fine (7.2).

Accordingly, the DPC made an order pursuant to Article 58(2)(d) GDPR, requiring Whatsapp IE to bring processing into compliance (“the Order”) within a period of six months commencing on the day following the date of service, on Whatsapp, of this Decision. “More specifically, in this regard, WhatsApp is required to take the necessary action to address the EDPB’s finding that WhatsApp is not entitled to carry out the Processing on the basis of Article 6(1)(b) GDPR… Such action may include, but is not limited to, the identification of an appropriate alternative legal basis, in Article 6(1) GDPR, for the Processing together with the implementation of any necessary measures, as might be required to satisfy the conditionality associated with that/those alternative legal basis/bases” (9.105). Furthermore, “An administrative fine is hereby imposed, pursuant to Articles 58(2)(i) and 83 GDPR, addressed to WhatsApp, in the amount of €5.5 million” (9.106).

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

This document reflects the view of the DPC. Many positions brought by noyb are reframed by the DPC.
In the matter of the General Data Protection Regulation
DPC Inquiry Reference: IN-18-5-6
In the matter of JG, a complainant, concerning a complaint directed against WhatsApp Ireland Limited
in respect of the WhatsApp Service
Decision of the Data Protection Commission made pursuant to Section 113 of the Data Protection Act,
2018 and Articles 60 and 65 of the General Data Protection Regulation
Further to a complaint-based inquiry commenced pursuant to Section 110 of the Data Protection Act
2018
DECISION
Decision-Maker for the Commission:
Helen Dixon
________________________________
Commissioner for Data Protection
Dated the 12th day of January 2023
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, Ireland
1. INTRODUCTION AND PROCEDURAL BACKGROUND
PURPOSE OF THIS DOCUMENT
1.1 This document is a decision (“the Decision”) of the Data Protection Commission (“the Commission”),
made in accordance with Section 113 of the Data Protection Act 2018 (“the 2018 Act”), arising
from an inquiry conducted by the Commission, pursuant to Section 110 of the 2018 Act (“the
Inquiry”).
1.2 The Inquiry, which commenced on 20 August 2018, examined whether WhatsApp Ireland Limited
(“WhatsApp”) complied with its obligations under the EU General Data Protection Regulation
(Regulation (EU) 2016/679 of the European Parliament and of the Council) (“the GDPR”) in respect
of the subject matter of a complaint made by Mrs. (“the Complainant”). The complaint was
referred to the Commission by the Hamburg Data Protection Authority: Der Hamburgische
Beauftragte für Datenschutz und Informationsfreiheit (“the Hamburg DPA“) on 25 May 2018 (“the
Complaint“). The Hamburg DPA subsequently passed the Complaint to the German Federal Data
Protection Authority, the relevant national authority: Bundesbeauftragter für den Datenschutz
und die Informationsfreiheit (“the German Federal DPA“). The Complainant is at all times
represented by noyb – European center for digital rights.
1.3 This Decision further reflects the binding decision that was made by the European Data Protection
Board (the “EDPB” or, otherwise, the “Board”), pursuant to Article 65(2) of the GDPR 1 (the
“Article 65 Decision”), which directed changes to certain of the positions reflected in the draft
decision that was presented by the Commission for the purposes of Article 60 GDPR (“the Draft
Decision”) as detailed further below. The Article 65 Decision will be published on the website of
the EDPB, in accordance with Article 65(5) of the GDPR, and a copy of same is attached at Schedule
2 to this Decision.
1.4 Further details of procedural matters are set out in Schedule 1 to this Decision.
2. FACTUAL BACKGROUND AND THE COMPLAINT
FACTUAL BACKGROUND
2.1 WhatsApp is an online instant messaging platform. In order to access the WhatsApp service, a
prospective user must create a WhatsApp account. To create a WhatsApp account, a prospective
user is required to accept a series of terms and conditions, referred to by WhatsApp as its Terms
of Service (the “Terms of Service”). When a prospective user accepts the Terms of Service, the
terms contained therein constitute a contract between the (new) user and WhatsApp. It is only
on acceptance of the Terms of Service that the individual becomes a registered WhatsApp user.
1 Binding Decision 5/2022 on the dispute submitted by the Irish SA on WhatsApp Ireland Limited, adopted 5
December 2022
2.2 In April 2018, WhatsApp updated the Terms of Service to give effect to changes it sought to implement
to comply with the obligations which would arise when the GDPR became applicable from 25 May
2018. Obligations introduced by the GDPR include, inter alia, a requirement that organisations
processing personal data have a lawful basis for any such processing. Legal bases provided for in
the GDPR include consent of the data subject, necessity based on the requirement to fulfil a
contract with the data subject or processing based on the legitimate interests of the data
controller. In addition, such organisations are required to provide detailed information to users
at the time personal data is obtained in relation to the purposes of any data processing and the
legal basis for any such processing. In essence, there must be a legal basis for each processing
operation or sets of operations (of personal data) and there are transparency requirements in
respect of the communication of such information to individual users.
2.3 To continue to access the WhatsApp service, all users were required to accept the updated Terms of
Service prior to 25 May 2018. The updated Terms of Service were brought to the attention of
existing users by way of a series of information notices and options, referred to as an
“engagement flow” or “user flow”. The engagement flow was designed to guide users through
the process of accepting the updated Terms of Service; the option to accept the updated
“terms” was presented to users at the final stage of the engagement flow. As referenced in the
full text of the Terms of Service, a separate Privacy Policy provides information to users on
WhatsApp’s processing of personal data in respect of the service.
2.4 Existing users were not provided with an opportunity to disagree and continue to use the service, to
copy their account, or to delete their account. The only available choice was to accept the Terms
of Service, stop using the app or uninstall the app.2
2.5 Figure 2.1 below is a screenshot of the final stage of the “engagement flow” which brought an existing
user, the Complainant, through the process of accepting the updated Terms of Service. The
screenshot is in German; an English translation can be found below.
2 Complaint, paragraph 1.4.