EDPB - Urgent Binding Decision 01/2021

Authority: EDPB
Jurisdiction: European Union
Relevant Law: Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 7 GDPR
Article 12(1) GDPR
Article 13(1)(e) GDPR
Article 13(1)(c) GDPR
Article 61(5) GDPR
Article 61(8) GDPR
Article 61(9) GDPR
Article 62 GDPR
Article 66(1) GDPR
Article 66(2) GDPR
Type: Other
Outcome: n/a
Started:
Decided: 12.07.2021
Published:
Fine: None
Parties: Hamburg DPA
WhatsApp Ireland Ltd
Facebook Ireland Ltd
National Case Number/Name: Urgent Binding Decision 01/2021
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: EDPB (in EN)
Initial Contributor: SR

The EDPB adopted an urgent binding decision under Article 66 GDPR. Following a provisional measure taken by the Hamburg DPA against WhatsApp, the EDPB analysed WhatsApp's data sharing practices with Facebook. The EDPB did not confirm the provisional measure, but given the high likelihood that data sharing is taking place, it requested the Irish DPA to investigate certain key blind spots in WhatsApp's data processing, including whether data is actually shared with Facebook, whether Facebook acts as processor or joint controller, and whether the legal basis identified in the privacy policy is adequate in relation to the actual processing.

English Summary

Facts

This summary provides an account of the Urgent Binding Decision No 1/2021 adopted by the EDPB (hereafter, the 'Decision'). We note that most of the facts of the case are not available other than through the account provided by the EDPB in the text of the Decision.

In late 2019 WhatsApp IE informed European users about an upcoming change in its policies. In particular, it announced the start of data sharing with FB IE. On 8.12.20, the Irish Authority (hereinafter, 'IE SA' or, where relevant, 'LSA') used the EDPB's internal communication system ('IMI') to inform the other supervisory authorities of WhatsApp IE's intended changes. In doing so, the IE SA attached copies of the relevant documentation. Importantly, for the purposes of this summary, the notice was made through a specific section of the IMI system called Voluntary Mutual Assistance ("VMA").

From 14.1.21 until 4.3.21, a rather heated debate took place via the IMI/VMA system between the Hamburg authority ("HH SA") and IE SA. According to the information available in the Decision, the core of the debate consisted of a fundamental difference of views. The HH SA considered that such data sharing had already taken place, even before WhatsApp/FB's announcement of the policy change. Such a situation would lead to a violation of Articles 5(1), 6(1) and 12(1) of the GDPR. For these reasons, the German authority repeatedly requested specific, fact-based investigations into FB IE's processing operations.

Since there had been no concrete response from the IE SA, on 12.2.21 the HH SA "give[s] notice of the possibility of an urgency procedure according to Art. 66 GDPR". Having had no reply (at least on the basis of the account provided in the Decision), on 12.4.21 the HH SA "contacts Facebook IE to hear it before issuing provisional measures pursuant to Article 66 (1) GDPR". On 25.4.21, FB IE submitted its observations in response to Hamburg's direct requests. On 10.5.21, the HH SA, not being satisfied with the clarifications, adopted a temporary order against FB IE ("Provisional measure"), the purpose of which was essentially to block the alleged data sharing (more details in § 3 of the Decision).

On 11.5.21, the HH SA communicated the measure to the EDPB. On 3.6.2021, the HH SA sent the EDPB a request for an urgent binding decision under Article 66(2) GDPR, which was subsequently formalised through the IMI system on 7.6.2021. Following the request, the EDPB started a series of consultations by sharing the relevant communications and documents between all the parties involved (FB companies, WhatsApp and SAs). During these consultations, FB IE submitted several defences.

Holding

Competence to decide

The EDPB first verified its competence to decide under Article 66 GDPR. In the present case, there is (i) an interim measure adopted by an SA (Article 66(1) GDPR) as well as (ii) a request for a collegial decision. The two conditions are therefore met.

Right to good administration

While not obliged to do so, the EDPB recognises the possibility that FB IE and WhatsApp IE may be subject to the negative effects of a binding decision. Accordingly, pursuant to Article 41(2)(a) of the EU Charter, "The EDPB [...] decided to hear Facebook IE and WhatsApp IE directly by inviting them to provide written submissions to the EDPB" (Decision, § 21). The two companies submitted two separate statements.

Overall position of the Hamburg Authority

The Provisional measure concerns five processing purposes which, according to the HH SA, were already being carried out or could have been carried out imminently by Facebook IE as a controller, following the data sharing. These processing operations are: 1) Security and integrity of Facebook; 2) Improvement of the product experience; 3) Marketing communication and direct marketing; 4) WhatsApp Business API; and 5) Cooperation with other Facebook Companies.

In relation to these processing operations, the HH SA raises several critical points. First of all, the consent requested by FB for the modification of the Terms of Service would be flawed because it is not informed (§ 28) and in any case not freely given due to the dominant position of WhatsApp in the messaging apps sector (§ 29). Equally inapplicable would be the legal basis of the contract under Article 6(1)(b) GDPR for the simple but essential reason that the sharing of one's WhatsApp data with FB cannot be seen as "necessary for the performance of the [WhatsApp] contract" (§ 30). Also inapplicable would be the legal basis of legitimate interest in Article 6(1)(f) GDPR (§ 31).

The EDPB therefore analyses the individual points.

1) Security and integrity of Facebook

The data sharing seems to be used for the security and integrity of Facebook. In particular, according to WhatsApp's user-facing information, the data sharing is carried out in order to keep "WhatsApp and other Facebook Companies' services safe and secure [as] we need to understand which accounts across the Facebook Companies relate to the same user". At the same time, as reported by WhatsApp IE and Facebook IE during the proceeding, such operations are currently not taking place (final part of § 63 of the Decision).

On this point, after analysing the privacy policies and the controller's statements during the proceeding (§§ 41-48), the EDPB "shares the DE-HH SA's position that there are contradictions between the information included in WhatsApp's user-facing information on the one hand, and the Commitments and Facebook IE's written submissions on the other hand" (§ 54). The Board further considers that "there is a high likelihood that Facebook IE already processes WhatsApp user data as a controller or joint controller for the common purpose of the safety, security and integrity of WhatsApp and the Facebook Companies" (§ 66).

Accordingly, the EDPB requests the LSA to carry out a statutory investigation to unveil whether Facebook IE has already started to process WhatsApp's user data for the common purpose of safety, security and integrity, and if so, whether it is acting as a processor on behalf of WhatsApp IE or as a (joint) controller with WhatsApp IE (§ 69).

2) Improvement of the product experience

WhatsApp users’ data are also shared with Facebook companies for the improvement of the FB service and therefore for Facebook's own purposes. According to Facebook IE's and WhatsApp IE's submissions, “Facebook [and the other Facebook companies] processes WhatsApp User Data as processor on behalf of WhatsApp Ireland”, acting solely under WhatsApp IE's instructions (§ 87).

On this point, the EDPB recalls that a processor is someone who processes personal data on the controller's behalf, which requires that the separate entity processes personal data for the benefit of the controller. This implies that “the legal status of an actor as either a "controller" or a "processor" must in principle be determined by its actual activities in a specific situation, rather than upon the formal designation of an actor as being either a "controller" or "processor" (e.g. in a contract)” (§§ 88-89).

That said, the EDPB expresses "serious doubts" about the role of processor allegedly performed by the Facebook Companies, including Facebook IE. In particular, the EDPB considers that when data sharing is meant to “understand how WhatsApp Services are being used, and how it compares to usage across the Facebook Companies”, it is likely done not merely for the purpose of improving the products of WhatsApp IE, but also for the benefit of other Facebook Companies, including Facebook IE, for the improvement of their products (§ 97).

"If such circumstances were to be confirmed", the EDPB (i) states that "the Facebook Companies, including Facebook IE, potentially (jointly) define the purpose and means for this processing and in such a case they should be considered as (joint) controllers in this respect" and (ii) expresses “serious doubts” as to the validity of the consent or the possible use of the contract or legitimate interest (§§ 102-105).

Taking into account the above, the EDPB concludes that there is a high likelihood that Facebook IE processes WhatsApp users' data as a (joint) controller for its own purpose of improvement of product experience. Accordingly, the EDPB requests the LSA competent for Facebook IE and WhatsApp IE to carry out a statutory investigation to verify this aspect. The EDPB further requests the LSA to carry out a statutory investigation to assess whether Facebook IE has a legal basis to conduct such processing lawfully as a (joint) controller pursuant to Articles 5(1)(a) and 6(1) GDPR (§§ 107-110).

3) Marketing communication and direct marketing

WhatsApp's Privacy Policy ("How We Use Information") informs the user that "We may provide you with marketing for our Services and those of the Facebook Companies [...] We work with third-party service providers and the Facebook companies to help us operate, provide, improve, understand, customize, support, and market our Services" (§ 120). However, once again, during the proceeding Facebook denies that this data sharing is taking place (§ 122).

Whilst the EDPB understands the concerns raised by the DE-HH SA, the EDPB does not have sufficient information in the present procedure to conclude whether Facebook IE is acting as a controller of WhatsApp user data for the purpose of marketing communication and direct marketing. Taking into consideration the lack of clarity in the information, the EDPB calls upon the IE SA to further investigate the role of Facebook IE, i.e. whether Facebook IE acts as a processor or as a (joint) controller, with respect to the processing of WhatsApp user personal data for marketing purposes (§ 126).

4) WhatsApp Business API

The DE-HH SA notes that WhatsApp's user data are also processed, or may be processed, for the general purpose of providing the so-called "WhatsApp Business API". The "WhatsApp Business API" enables companies to use WhatsApp in their corporate communication systems and to communicate with their contacts and customers.

The EDPB understands the concerns raised by the DE-HH SA. The Board expresses concerns that a potential merging of the WhatsApp IE and Facebook IE processing operations and infrastructures for the provision of WhatsApp Business API would in practice lead to Facebook IE processing of WhatsApp's user data for its own purposes, such as for personalising advertisements.

Bearing in mind that Facebook's business model is to a large extent based on advertising, the Board “takes the view that the LSA should further closely investigate the roles that WhatsApp IE, Facebook IE and the businesses concerned would play in the context of the WhatsApp Business API in order to verify their compliance with the GDPR” (§ 146).

5) Cooperation with other Facebook Companies

"WhatsApp works and shares information with the other Facebook Companies to receive services like infrastructure, technology, and systems that help us provide and improve WhatsApp and to keep WhatsApp and the other Facebook Companies safe and secure [...] In order to receive services from the Facebook Companies, WhatsApp shares the information we have about you as described in the "Information We Collect" section of the Privacy Policy. For example, to provide WhatsApp with analytics services, Facebook processes the phone number you verified when you signed up for WhatsApp, some of your device information".

Again, during the proceeding, Facebook denied that this data sharing is taking place, leading the EDPB to conclude that “there are not enough elements allowing to conclude that Facebook IE is processing or is going to process WhatsApp’s user data for its own purposes”. However, due to the lack of sufficient clarity and transparency in WhatsApp’s public-facing information, the EDPB considers “it to be extremely difficult, if not impossible, to have a complete overview of the purposes of processing made under the framework for cooperation with the other Facebook Companies and to verify whether Facebook IE only acts as a processor on behalf of WhatsApp IE for those purposes” (§§ 158-160).

Therefore, the Board calls upon the LSA to carry out an investigation to clarify the processing for the purpose of cooperation with the other Facebook Companies and to analyse the processing roles of the different parties involved, in particular to verify whether Facebook IE acts as a processor or as a (joint) controller with respect to such processing of WhatsApp user personal data (§ 160).

On the existence of urgency to adopt final measures by way of derogation from the cooperation and consistency mechanisms

Under Article 66 GDPR, the adoption of final measures is subject to the existence of an urgent situation involving the rights and freedoms of data subjects. The Board clarifies that the urgency requirement allows for a derogation from the standard consistency and cooperation mechanisms, and therefore must be interpreted restrictively.

Now, the HH SA considers that, in the present case, the urgency requirement is not at stake, as specifically excluded by Article 61(8) GDPR. In summary, the framework in question allows an SA to request another SA to carry out specific investigations at a controller located outside its jurisdiction (in this case, a German authority asks the Irish one to perform an investigation on Irish soil). According to Article 61(8), if the receiving SA (Ireland) does not act within one month, the requesting SA (Hamburg) may take a temporary measure, the urgency of which is presumed by law (“shall be presumed”). This measure must then be confirmed by the EDPB in a binding urgency decision.

In the present case, as reported above, the HH SA had made some specific requests through the IMI system by using, in particular, the VMA channel (Voluntary Mutual Assistance). Now, according to the interpretation provided by the EDPB, "Unlike formal Article 61 GDPR requests, the SA receiving a VMA request does not have a legal obligation to answer to that request" (§ 177). Therefore, the HH SA "did not formally launch an Article 61 GDPR request in the IMI system to the LSA, but merely sent a letter replying to the VMA request flow initiated by the IE SA".

In light of the above, the EDPB considers that the DE-HH SA has not demonstrated that the LSA failed to provide information in the context of a formal request for mutual assistance under Article 61 GDPR. The EDPB therefore considers that the urgency cannot be presumed (per Article 61(8) GDPR) and needs to be demonstrated under Article 66(2) GDPR (§§ 180-181).

On the existence of urgency outside any GDPR legal presumption

In the view of the EDPB, notwithstanding the problematic elements observed during the proceeding, there are no sufficient elements to justify the urgency requirement under Article 66(2) GDPR (§ 196).

EDPB decision

The EDPB concludes that it sees no reason to request the adoption of final measures against Facebook IE. In light of the above and in accordance with the tasks of the EDPB under Article 70(1)(t) GDPR to issue urgent binding decisions pursuant to Article 66 GDPR, the Board:

(1) decides that no final measures need to be adopted against Facebook IE;

(2) requests the IE SA to carry out a statutory investigation, in particular for verifying, in practice, if (i) the alleged processing operations are currently taking place and what are the roles of the Facebook Companies involved, (ii) Facebook IE has already started to process WhatsApp's user data as a (joint) controller for its own purposes of marketing communications and direct marketing, (iii) Facebook IE has already started or will soon start to process WhatsApp's user data as a (joint) controller for its own purpose in relation to WhatsApp Business API, (iv) Facebook IE, when using the content of messages sent via WhatsApp to businesses, would be acting as (joint) controller;

(3) decides that the IE SA shall carry out, as a priority matter, an investigation to determine whether such processing activities are taking place or not, and if it is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Adopted 1
Urgent Binding Decision 01/2021 on the request under
Article 66(2) GDPR from the Hamburg (German) Supervisory
Authority for ordering the adoption of final measures
regarding Facebook Ireland Limited
Adopted on 12 July 2021
Table of contents
1 Summary of the facts
2 Competence of the EDPB to adopt an urgent binding decision under Article 66(2) GDPR
2.1 Existence of a request pursuant to Article 66(2) GDPR coming from a SA in the EEA
2.2 The SA has taken provisional measures under Article 66(1) GDPR
2.3 Conclusion
3 The Right to good administration
4 On the need to request final measures
4.1 On the existence of infringements
4.1.1 Summary of the overall position of the DE-HH SA
4.1.2 Security and integrity of Facebook
4.1.3 Improvement of product experience
4.1.4 Marketing communications and direct marketing
4.1.5 WhatsApp Business API
4.1.6 Cooperation with other Facebook Companies
4.1.7 Conclusion
4.2 On the existence of urgency to adopt final measures by way of derogation from the cooperation and consistency mechanisms
4.2.1 Possible application of a legal presumption of urgency justifying the need to derogate from the cooperation and consistency mechanisms
4.2.2 Existence of urgency outside any GDPR legal presumption and the need to derogate from the cooperation and consistency mechanisms
4.2.3 Conclusion
5 On the appropriate final measures
6 Urgent Binding Decision
7 Final remarks
The European Data Protection Board
Having regard to Article 66 of Regulation 2016/679/EU of the European Parliament and of the Council
of 27 April 2016 on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection
Regulation) (hereinafter “GDPR”)[1],
Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended
by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018[2],
Having regard to Articles 11, 13, 23 and 39 of the EDPB Rules of Procedure[3], hereinafter the “EDPB
RoP”.
Whereas:
(1) The main role of the European Data Protection Board (hereinafter the “EDPB” or the “Board”) is to
ensure the consistent application of the GDPR throughout the EEA. To this effect, it can adopt binding
opinion and decisions under different circumstances described under the Articles 63 to 66 GDPR. The
GDPR also established a cooperation mechanism between the supervisory authorities. It follows from
Article 60 GDPR that the lead supervisory authority shall cooperate with the other supervisory
authorities concerned (hereinafter “CSAs”) in an endeavour to reach consensus.
(2) Pursuant to Article 66(1) GDPR, in exceptional circumstances, where a supervisory authority
considers that there is an urgent need to act in order to protect the rights and freedoms of data
subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64
and 65 GDPR or the procedure referred to in Article 60 GDPR, immediately adopt provisional measures
intended to produce legal effects on its own territory with a specified period of validity which shall not
exceed three months.
(3) In accordance with Article 66(2) GDPR, where a supervisory authority has taken a measure pursuant
to Article 66(1) GDPR and considers that final measures need urgently be adopted, it may request an
urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such
opinion or decision. The request for an urgent opinion or urgent binding decision in the context of
Article 66(2) and (3) GDPR is optional.
(4) In accordance with Article 11(2) EDPB RoP, the request of a binding decision shall be submitted to
the EDPB via the information and communication system mentioned in Article 17 EDPB RoP.
(5) In accordance with Article 13(2) EDPB RoP, the supervisory authority requesting an urgent binding
decision shall submit any relevant documents. When necessary, the documents submitted by the
competent supervisory authority shall be translated into English by the EDPB Secretariat. Once the
Chair and the competent supervisory authority have decided that the file is complete, it is
communicated via the EDPB Secretariat to the members of the Board without undue delay.
(6) Pursuant to Article 66(4) GDPR and Article 13(1) EDPB RoP, the urgent binding decision of the EDPB
shall be adopted by simple majority of the members of the EDPB within two weeks following the
decision by the Chair and the competent supervisory authority that the file is complete.
[1] OJ L 119, 4.5.2016, p. 1.
[2] References to “Member States” made throughout this decision should be understood as references to “EEA Member States”. References to “EU” should be understood, where relevant, as references to “EEA”.
[3] EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 8 October 2020.
(7) Pursuant to Article 39(1) EDPB RoP, all the final documents adopted by the Board shall be made
public on the Board’s website, unless the Board decides otherwise.
1 SUMMARY OF THE FACTS
1. This document contains an urgent binding decision adopted by the EDPB pursuant to Article 66(2)
GDPR, following a request made by the Hamburg Commissioner for Data protection and freedom of
information (hereinafter the “DE-HH SA” ) within the framework of the urgency procedure under
Article 66 GDPR.
2. Following the notification by WhatsApp Ireland Ltd (hereinafter “WhatsApp IE”) to German users of
its new Terms of Service and Privacy Policy, and the extension of the deadline for users to provide
consent to 15 May 2021, the DE-HH SA came to the conclusion that Facebook Ireland Ltd (hereinafter “Facebook IE”) is already processing data of WhatsApp users residing in Germany for its own purposes
in some cases, and that processing for its own purposes is imminent in other cases. The DE-HH SA
considers that the processing of personal data of WhatsApp IE users residing in Germany by Facebook
IE for the purposes of Facebook IE violates Article 5(1), Article 6(1) and Article 12(1) GDPR. Therefore
the DE-HH SA adopted, on 10 May 2021, provisional measures under Article 66(1) GDPR, based on its
consideration that the circumstances were exceptional and there was an urgent need to act to protect
the rights and freedoms of data subjects.
3. Through its provisional measures, the DE-HH SA prohibited, for a duration of 3 months, Facebook IE
from processing personal data of WhatsApp users residing in Germany, which is transmitted from
WhatsApp IE to Facebook IE for the purposes of 1. Cooperation with other Facebook Companies[4]; 2.
Security and integrity of Facebook; 3. Improvement of the product experience; 4. Marketing
communication and direct marketing; 5. WhatsApp Business API; to the extent that the processing is
being carried out for Facebook IE's own purposes.
4. On 7 June 2021, the DE-HH SA requested the EDPB to adopt an urgent binding decision pursuant to
Article 66(2) GDPR, with the effect of ordering the implementation of final measures, by extending its
provisional measures both in time and territorial scope.
5. The following table presents a summarised timeline of the events leading to the submission of the
matter by the DE-HH SA via the urgency procedure:
08.12.2020: The Irish supervisory authority (“Data Protection Commission”, hereinafter the “IE SA” or, as being the lead supervisory authority in this case, the “LSA”) uses the EDPB internal information and communication system (the “IMI system”) flow “Voluntary Mutual Assistance” (hereinafter “VMA”) to inform the CSAs that WhatsApp IE intends to change its Privacy Policy and Terms of Service applicable to users residing in the European Union (hereinafter “Updated Terms”). The LSA shares copies of the revised Privacy Policy, including a redline version highlighting the changes (hereinafter the “Privacy Policy”), the Legal Basis Notice (which will be incorporated in the Privacy Policy), the relevant extract from the Terms of Service, the contact upload feature and the updated version of the FAQ “How we work with the Facebook Companies” (hereinafter together referred to as “WhatsApp public-facing information”).
14.01.2021: The DE-HH SA sends a letter to the LSA using the IMI system flow opened by the LSA. It raises the fact that the LSA did not provide its view on the Updated Terms, and shares questions on the Updated Terms, including questions directly addressed to the LSA.
15.01.2021: The IE SA sends a letter to the CSAs to inform them that it met with WhatsApp IE to discuss the new Updated Terms, that the IE SA will compile comprehensive feedback from the CSAs, and will transmit it to WhatsApp IE for follow-up. Few days after, the LSA shares with the CSAs, via VMA, a letter from WhatsApp IE dated 5 February 2021 replying to questions raised by the CSAs, including the DE-HH SA.
12.02.2021: The DE-HH SA shares a letter with the LSA using the same VMA flow on the IMI system. The DE-HH SA underlines the fact that the LSA did not share its own views on the matter. The DE-HH SA informs the LSA about its concerns regarding the data sharing of Facebook IE and WhatsApp IE for different purposes of each company. The DE-HH SA concludes that “WhatsApp and Facebook are sharing data for different purposes of each company. In the case of no deeper inspection by the IDPC as lead authority we give notice of the possibility of an urgency procedure according to Art. 66 GDPR.”
24.02.2021: Using VMA, the LSA replies to the DE-HH SA by sharing the fact that it had forwarded the additional questions on Updated Terms to WhatsApp IE on 15 February 2021. The LSA also annexes to its message to DE-HH SA WhatsApp IE’s latest reply dated 22 February 2021.
04.03.2021: Using VMA, the DE-HH SA sends a new letter to the LSA in which it underlines the substantial need for further clarifications and makes comments on the Updated Terms and the answers provided by WhatsApp IE. The DE-HH SA requests the LSA to conduct investigations into the specific processing of WhatsApp IE and Facebook.
12.04.2021: The DE-HH SA contacts Facebook IE to hear it before issuing provisional measures pursuant to Article 66 (1) GDPR. The DE-HH SA informs the EDPB Secretariat that they intend to start a formal Article 66 GDPR procedure against Facebook IE, and asks the EDPB Secretariat to inform the Chair of the EDPB and the LSA. Following a later request from the DE-HH SA, the EDPB Secretariat also shares the information with all the EDPB members.
19.04.2021: Using VMA, the LSA writes to the CSAs to inform them that the Updated Terms are “[...] largely a carryover of the text of the existing policy and no new text signifying any change in WhatsApp’s position is included regarding the sharing of WhatsApp user data with Facebook or access by Facebook for Facebook’s own purposes”. The IE SA informs the CSAs that it commenced a supervision review and assessment of WhatsApp IE’s oversight and monitoring of its data processors (chiefly Facebook), including the safeguards, mechanisms and audit processes in place to ensure that Facebook IE does not use WhatsApp IE user data for its own purposes, inadvertently or otherwise.
25.04.2021: Facebook IE sends written submissions following the hearing letter of the DE-HH SA (hereinafter “Facebook’s written submissions to the DE-HH SA”).
10.05.2021: The DE-HH SA adopts an order relating to provisional measures (the “DE-HH SA Order” or the “provisional measures”).
11.05.2021: The DE-HH SA communicates its provisional measures to the other supervisory authorities and informs the EDPB Secretariat.
03.06.2021: The DE-HH SA writes to the EDPB Chair to announce the request of an urgent binding decision under Article 66(2) GDPR.
04.06.2021: Via VMA, the IE SA informs the CSAs that, contrary to WhatsApp IE’s previous intention to limit functionality for its users who had not accepted the Updated Terms after several weeks following the deadline it had set to 15 May 2021, WhatsApp IE announced in an updated published FAQ that it has no plans for these reminders to become persistent and to limit the functionality of its app.
07.06.2021: The DE-HH SA introduces the request of an urgent binding decision under Article 66(2) GDPR in the IMI system (Article 17 EDPB RoP). On 25 June 2021, the DE-HH SA reintroduced the file in IMI for technical reasons.
[4] A link inserted in WhatsApp public-facing information sends to a page on WhatsApp explaining that the term ‘Facebook Companies’ refers to Facebook Inc., Facebook IE, Facebook Payments Inc., Facebook Payments International Limited, Facebook Technologies LLC, Facebook Technologies Ireland Limited, WhatsApp LLC, and WhatsApp IE. In this urgent binding decision, the term ‘other Facebook Companies’ refers to all the Facebook Companies except WhatsApp IE.
6. On 7 June 2021, the DE-HH SA requested an urgent binding decision under Article 66(2) GDPR via IMI,
the information and communication system mentioned in Article 17 EDPB RoP.
7. On 9 June 2021, the EDPB Secretariat, working on behalf of the Chair of the EDPB, requested via email
an additional document to the DE-HH SA, as well as confirmation of the accuracy of the English
translation of documents received in German, with the deadline of 11 June 2021. Following a request
sent by the DE-HH SA on 10 June 2021 to extend the deadline to 16 June 2021, the EDPB Secretariat
extended the deadline up to 14 June 2021. On 14 June 2021, the DE-HH SA sent the additional
document and approved the English translation of the original German documents.
8. On 15 June 2021, the EDPB sent a letter to Facebook IE and to WhatsApp IE thereby allowing Facebook IE and WhatsApp IE to exercise their respective right to be heard with the deadline of 18 June 2021. This letter included a list of all the documents in the file and attached them all, except the ones originating from Facebook IE or WhatsApp IE. On 16 June 2021, Facebook IE asked for an extension of the deadline to 23 June 2021 close of business. The EDPB replied on the same day and consented to extend the deadline to 23 June 2021 12:00 (CET).
9. On 18 June 2021, the EDPB Secretariat, working on behalf of the Chair of the EDPB, urgently requested
additional documents from the DE-HH SA, which were provided on the same day. On 21 June 2021,
the EDPB sent a letter to Facebook IE and to WhatsApp IE with the additional documents provided by
the DE-HH SA, and, taking into account these new elements, extended the deadline for both
companies to provide their written contribution to 25 June 2021 12:00 (CET).
10. On 23 June 2021, the IE SA sent, on its own initiative, additional documents it considered important to be added in the file. The Chair of the EDPB agreed and decided to add two documents in the file. On 24 June 2021, the Chair informed WhatsApp IE and Facebook IE about those two additional documents, and extended the deadline for their written submission to 25 June 2021 16:00 (CET).
11. On 25 June 2021, Facebook IE and WhatsApp IE provided their written submissions to the EDPB.
12. On 28 June 2021, after the DE-HH SA and the Chair of the EDPB confirmed the completeness of the
file, the EDPB Secretariat circulated the file to the EDPB members.
13. On 5 July 2021 12:00 (CET), the EDPB decided, in accordance with Article 11 EDPB RoP, to add in the
file the redline version of the FAQ “How we work with the Facebook Companies” highlighting the
changes made at the occasion of the Updated Terms, which was shared by the IE SA. On the same day,
the EDPB sent a letter to Facebook IE and WhatsApp IE to invite them to provide additional written
submissions about a legal argument discussed between the EDPB members and the redline version of
the FAQ “How we work with the Facebook Companies”, with a deadline of 6 July 2021 12:00 (CET).
Following Facebook IE and WhatsApp IE’s request, the deadline was extended to 7 July 16:00 (CET).
On 7 July 2021, Facebook IE and WhatsApp IE provided their written submissions to the EDPB.
2 COMPETENCE OF THE EDPB TO ADOPT AN URGENT BINDING DECISION UNDER ARTICLE 66(2) GDPR
2.1 Existence of a request pursuant to Article 66(2) GDPR coming from a SA in the EEA
14. Following the adoption of provisional measures under Article 66(1) GDPR on 10 May 2021, the DE-HH
SA requested the EDPB to adopt an urgent binding decision pursuant to Article 66(2) GDPR, by
introducing a formal request in the IMI (Article 17 EDPB RoP) on 7 June 2021.
15. The EDPB therefore considers that this condition is fulfilled.
2.2 The SA has taken provisional measures under Article 66(1) GDPR
16. On 10 May 2021, the DE-HH SA adopted provisional measures pursuant to Article 66(1) GDPR, prohibiting Facebook IE from processing the personal data of WhatsApp users residing in Germany,
which are transmitted from WhatsApp IE or WhatsApp LLC to Facebook IE for the purposes of (1)
cooperation with other Facebook Companies; (2) security and integrity of Facebook; (3) improvement
of the product experience; (4) marketing communication and direct marketing; (5) WhatsApp Business
API; to the extent that the processing is being carried out for Facebook IE's own purposes.
17. The EDPB therefore considers that this condition is fulfilled.
2.3 Conclusion
18. The EDPB is competent to adopt an urgent binding decision under Article 66(2) GDPR.
3 THE RIGHT TO GOOD ADMINISTRATION
19. The EDPB is subject to the EU Charter of fundamental rights (hereinafter the “EU Charter”), in
particular its Article 41 (right to good administration). This is also reflected in Article 11(1) EDPB RoP.
20. Similarly, as provided under Article 65(2) GDPR, an Article 66(4) EDPB urgent binding decision is
addressed to the national supervisory authorities and binding on them. It is not aimed to address
directly any third party. However, as a precautionary measure, and in order to address the possibility
that Facebook IE and WhatsApp IE might be affected by the EDPB urgent binding decision, the EDPB
assessed whether all the documents it received and used in order to take its decision were already
known by Facebook IE and WhatsApp IE, and whether Facebook IE and WhatsApp IE had been heard
on them.
21. While Facebook IE was heard during the DE-HH SA’s national procedure, on the basis of Article 66(1),
neither Facebook IE nor WhatsApp IE had been heard yet on the DE-HH SA’s Article 66(2) GDPR
request. The EDPB therefore decided to hear directly Facebook IE and WhatsApp IE by inviting them
to provide written submissions to the EDPB.
22. During the assessment of the completeness of the file, the EDPB shared all the documents of the file
(see paras 9, 10, 11 and 14 above) to Facebook IE and WhatsApp IE directly to ensure the exercise
of their right to be heard in line with Article 41(2)(a) EU Charter.
23. Facebook IE and WhatsApp IE provided written submissions to the EDPB in the context of their right
to be heard on 25 June 2021, 6 July 2021, and 7 July 2021 (respectively hereinafter “Facebook’s written
submissions to the EDPB” and “WhatsApp’s written submissions to the EDPB”).
4 ON THE NEED TO REQUEST FINAL MEASURES
4.1 On the existence of infringements
4.1.1 Summary of the overall position of the DE-HH SA
24. According to the DE-HH SA, Facebook IE is already processing data of WhatsApp users for its own
purposes or will imminently do so.
25. The DE-HH SA’s analysis is based on WhatsApp’s public-facing information such as Terms of Service
and privacy-related public-facing information, including WhatsApp’s Privacy Policy applicable to EU
users and FAQ, as well as Facebook IE’s written submissions in the context of its hearing carried out by
the DE-HH SA before adopting the provisional measures, including, inter alia, an affidavit signed by
Facebook IE’s Head of Data Protection on 25 April 2021 (hereinafter the “Affidavit”)5, which adheres
and supports commitments WhatsApp IE took towards the Article 29 Working Party (hereinafter the
“WP29”) and the LSA (hereinafter the “Commitments”)6, respectively in February and June 2018.
26. The DE-HH SA considers that Facebook IE has no legal basis for the processing of WhatsApp user data
for its own purposes, hence it is unlawful due to the lack of effective consent of WhatsApp users within
the meaning of Article 6(1)(a) and Article 7 GDPR, and of a legitimate interest within the meaning of
Article 6(1)(f) GDPR.
27. The DE-HH SA considers that the consent requested by WhatsApp in its Terms of Service of 4 January
2021 does not meet the requirements of informed and free consent within the meaning of
Article 6(1)(a) and Article 7 GDPR7.
28. The DE-HH SA states that the Updated Terms are not understandable by users; they do not comply
with the transparency requirements under Article 5(1)(a), Article 12(1) and Article 13(1)(c) and (e)
GDPR; the explanations on data exchange are partly contradictory and inconsistent, as well as largely
undefined8; the statements on data exchange are scattered in various documents at different levels9
and do not allow users to take note of them in a uniform manner10. The DE-HH SA also explains why
the transparency requirements are not fulfilled in relation to each of the specific purposes it identified
(see hereinafter)11.
5 Facebook’s submissions to the DE-HH SA. This also includes (Letter from WhatsApp IE to the WP29 dated 4 February 2018, p.1; and Letter from WhatsApp IE to the IE SA dated 8 June 2018, p. 2).
6 Facebook’s submissions to the DE-HH SA. This also includes (Letter from WhatsApp IE to the WP29 dated 4 February 2018, p.1; and Letter from WhatsApp IE to the IE SA dated 8 June 2018, p. 2).
7 DE-HH SA Order, Section II.2)aa), p. 13.
8 DE-HH SA Order, p. 14.
9 There are in total 15 documents linked to the terms, with a total of 20.000 words (DE-HH SA Order, pp. 5-6).
29. In addition, the DE-HH SA underlines that considering the market position of Facebook and WhatsApp, users do not have a choice to consent or not, as not using WhatsApp is not an acceptable alternative
because of the wide use of such a closed messenger system12. According to the DE-HH SA, it is not
possible to continue the use of WhatsApp’s service on the basis of WhatsApp’s previously applicable
terms and conditions.
30. The DE-HH SA states that Article 6(1)(b) GDPR is not relevant as the transfer of WhatsApp user data to
Facebook IE, and further processing by the latter for its own purpose, is not necessary for the
performance of a contract concluded between WhatsApp IE and the data subjects13 or between
Facebook IE and the data subjects14. For those WhatsApp users who are not Facebook users, the DE-HH SA considers that there is already a lack of corresponding contractual relationship between
Facebook IE and such concerned WhatsApp users.
31. The DE-HH SA notes that, should Facebook IE use Article 6(1)(f) GDPR as a ground for such processing,
it would need to transparently inform users about this on the basis of Article 13(1)(c) GDPR.
Moreover, according to the DE-HH SA, even for purposes for which a legitimate interest may exist, for
example to prevent the sending of spam in the area of network security, Facebook’s legitimate interest
does not outweigh the fundamental rights and freedoms of the users. The DE-HH SA underlines in
particular the large amount of data processed, which cannot be justified by Facebook’s legitimate
interests15. The DE-HH SA also raises that there is a complete lack of necessity for the data sharing with
Facebook IE of WhatsApp users that are not Facebook users16.
32. Besides, the DE-HH SA underlined a violation of the transparency requirements under Article 5(1) GDPR
and Article 12(1) GDPR17. This is due to the large number of different documents that users need to
read to understand what is done with their personal data; to the inadequate consideration of the fact
that users usually access such information via their smartphones, which, from a technical perspective,
makes it more difficult to comprehend; to the existence of two versions of Terms of Service (one for
users within the EEA and one for users from the rest of the world); and to how easy it is for users in
the EEA to confuse the public-facing information applicable to them and the information applicable to
non-EEA users18.
33. The DE-HH SA identified five processing purposes which it considers are already being carried out or
could be carried out imminently by Facebook IE as a controller: 1) Security and integrity of Facebook;
2) Improvement of the product experience; 3) Marketing communication and direct marketing; 4)
WhatsApp Business API; and 5) Cooperation with other Facebook Companies. These purposes are
subject to the provisional measures ordered by the DE-HH SA and are further assessed hereinafter.
10 DE-HH SA Order, Section II.2)aa), p. 14. 2 versions of the Terms of Service exist, one for the EEA and one for the rest of the world, and EEA users may access pages for non EEA users without even noticing it, DE-HH SA Order, p. 7.
11 DE-HH SA Order, Section II.2)aa), p. 15-28.
12 Letter of the DE-HH SA requesting an EDPB urgent binding decision, p. 4.
13 DE-HH SA Order, Section II.2)aa), p. 2.
14 DE-HH SA Order, Section II.2)aa), p. 28.
15 DE-HH SA Order, Section II.2)aa), p. 29-30.
16 DE-HH SA Order, Section II.2)aa), p. 29-30.
17 DE-HH SA Order, p. 2.
18 DE-HH SA Order, p. 3.
4.1.2 Security and integrity of Facebook
4.1.2.1 Summary of the position of the DE-HH SA
34. According to the DE-HH SA, the other Facebook Companies process WhatsApp user data for their own
security and integrity purposes. They are not acting in the context of a commissioned processing on
behalf of WhatsApp IE, but rather carry out an independent processing of WhatsApp user data19.
35. For the DE-HH SA, the processing aiming at combatting spam and abuse on other Facebook services
than WhatsApp; protecting such other Facebook services; and ensuring the security of all Facebook
Companies constitutes a separate purpose that is part of Facebook IE’s own purposes20.
36. The DE-HH SA notes that there is ambiguity in WhatsApp’s FAQ21 on the meaning of the term ‘our
services’, which actually refers to all services of Facebook Companies, including WhatsApp’s. It could
therefore be assumed that the same meaning is used for the other parts of WhatsApp’s user-facing
information, in which case Facebook IE extensively uses WhatsApp user data as a controller22.
37. The DE-HH SA’s views on the Commitments relating to safety and security23 are the following:
• The statements that no sharing of WhatsApp user data is taking place with Facebook, including
Facebook IE, for Facebook’s own purposes of safety and security only excludes that such
sharing is currently taking place, but they do not exclude that Facebook IE is processing
WhatsApp user data for its own purposes of safety and security, or that such processing is at
least imminent24.
• WhatsApp’s user-facing information does not reflect the Commitments since it mentions this
processing as taking place already25. Besides, such voluntary Commitments are not, by nature,
legally binding26, and “the GDPR does not provide for “consent” or “authorisation” for data
processing operations by [SAs]. The formulated restriction is therefore without legal
significance.”27
19 DE-HH SA Order, Section II.2)aa), p. 17.
20 DE-HH SA Order, Section II.2)aa), p. 19.
21 DE-HH SA Order, Section II.2)aa), p. 17, in particular footnote 13, and p. 19.
22 DE-HH SA Order, Section II.2)aa), p. 19.
23 Facebook IE referred to the Commitments by which WhatsApp IE had not started to share the data of WhatsApp users residing in Germany with Facebook IE for safety and security purposes and on a controller-to-controller basis, and should it change, to do so “following further engagement and consultation with [the IE SA]”, and that it intends to only share such data on a case-by-case basis, “for example sharing of data related to individuals previously identified as a safety or security risk” (Facebook’s written submissions to the DE-HH SA, Annex 1, Letter from WhatsApp IE to the WP29 dated 4 February 2018, p. 2, and Letter from WhatsApp IE to the IE SA dated 8 June 2018, p. 2). Facebook IE assured that the Commitments were still accurate as “German WhatsApp users’ data” are not shared yet by WhatsApp IE with Facebook Companies, including Facebook IE for Facebook’s own safety and security purposes (Facebook’s written submissions to the DE-HH SA, Annex 2, the Affidavit, point B., 4th paragraph).
24 DE-HH SA Order, Section III, p. 30.
25 DE-HH SA Order, Section III, p. 31.
26 In Facebook IE’s opinion, WhatsApp IE’s “clear and unequivocal” Commitments to the WP29 and the IE SA fall within the controller’s obligation to cooperate with a SA - which has enforcement powers - in accordance with Article 31 GDPR. Facebook IE added that it “takes compliance with [WhatsApp IE’s] Commitments very seriously” (Facebook’s written submissions to the DE-HH SA, section 2.7, p. 9).
38. Overall, the DE-HH SA concluded that WhatsApp IE shares all its user data with Facebook IE “(...) for
the purposes of making the systems more secure and combating spam, threats, abuse and rights
violations for all products of the Facebook companies”28.
4.1.2.2 Analysis of the EDPB
39. The EDPB assessed the security and integrity purpose in relation to the alleged unlawful processing of
WhatsApp user data by Facebook IE as a controller, and in relation to the alleged infringement of the
transparency requirements in WhatsApp’s user-facing information. The EDPB took into account the
views of the DE-HH SA, as well as the position expressed by both Facebook IE and WhatsApp IE.
4.1.2.2.1 On the alleged unlawful processing of WhatsApp user data by Facebook IE as a controller
40. In relation to safety, security and integrity, the EDPB notes the following extracts from WhatsApp’s
user-facing information (emphasis added underlined):
41. WhatsApp’s Privacy Policy applicable to users living in the European Union: “Third-Party Information [...]
Third-Party Service Providers. We work with third-party service providers and other Facebook
Companies to help us operate, provide, improve, understand, customise, support, and market our
Services. For example, we work with them to [...]; provide engineering support, cybersecurity
support, and operational support; [...] ensure safety, security and integrity; and help with customer
service. These companies may provide us with information about you in certain circumstances; [...].
The “How We Work With Other Facebook Companies” section below provides more information
about how WhatsApp collects and shares information with the other Facebook Companies. You can
also learn more in our Help Center on how we work with the Facebook Companies. [...]
Information You And We Share [...]
Third-Party Service Providers. We work with third-party service providers and other Facebook
Companies to help us operate, provide, improve, understand, customise, support, and market our
Services. We work with these companies to support our Services, such as to [...] protect the safety,
security and integrity of users and others; [...]. When we share information with third-party service
providers and other Facebook Companies in this capacity, we require them to use your information
on our behalf in accordance with our instructions and terms. For further information on how the
Facebook Companies help us to operate and provide our Services, see “How We Work With Other
Facebook Companies” below. You can also learn more in our Help Center on how we work with the
Facebook Companies. [...]
How We Work With Other Facebook Companies
As part of the Facebook Companies, WhatsApp receives information from, and shares information
with, the other Facebook Companies to promote safety, security and integrity across the Facebook
Company Products, e.g., to fight spam, threats, abuse, or infringement activities. WhatsApp also
works, and shares information with the other Facebook Companies who act on our behalf to help us
operate, provide, improve, understand, customise, support, and market our Services. This includes
the provision of infrastructure, technology, and systems, [...] and securing systems. When we receive
services from the Facebook Companies, the information we share with them is used on WhatsApp’s
behalf and in accordance with our instructions. Any information WhatsApp shares on this basis
cannot be used for the Facebook Companies’ own purposes. We’ve set out further information in
our Help Center about how WhatsApp works with the Facebook Companies. [...]
27 DE-HH SA Order, Section III, p. 31.
28 DE-HH SA Order, Section II.2)aa), p. 20.
How We Process Your Information - Provision Of The Services In Accordance With The Terms
[...] Legitimate Interests
We rely on our legitimate interests or the legitimate interests of a third party where they are not
outweighed by your interests or fundamental rights and freedoms ("legitimate interests"):
Why And How We Process Your Data:
• [...] To share information with the Facebook Companies to promote safety and security and
integrity. See also "How We Work with Other Facebook Companies" for more information.
o Legitimate Interests Relied On: To secure systems and fight spam, threats, abuse, or
infringement activities and promote safety and security across the Facebook Company
Products.
o Data Categories Used: We use information described in the "Information You Provide,"
"Automatically Collected Information," and "Third-Party Information" sections of this
Privacy Policy for this purpose.”
42. WhatsApp’s FAQ “How we work with the Facebook Companies” (emphasis added underlined):
“Why does WhatsApp share information with the Facebook Companies?
WhatsApp works and shares information with the other Facebook Companies to receive services like
infrastructure, technology, and systems that help us provide and improve WhatsApp and to keep
WhatsApp and the other Facebook Companies safe and secure. When we receive services from the
Facebook Companies, the information we share with them is used to help WhatsApp in accordance
with our instructions. Working together allows us for example to:
• [...] Ensure safety, security, and integrity across WhatsApp and the Facebook Company Products
by removing spam accounts and combating abusive activity. [...].
What information does WhatsApp share with the Facebook Companies?
[...] WhatsApp also shares information with other Facebook Companies when this is necessary for
the purpose of promoting safety, security, and integrity across the Facebook Companies. This
includes the sharing of information that enables Facebook and the other Facebook Companies to
determine whether a certain WhatsApp user is also using other Facebook Company Products, and
to assess whether the other Facebook Companies need to take action, either against such user or to
protect them. For example, WhatsApp could share the information that is necessary to enable
Facebook to also take action against an identified spammer on Facebook, such as information on
the incident(s) as well as the phone number they verified when they signed up for WhatsApp or
device identifiers associated with the same device or account. Any such transfer is carried out in
accordance with the “Our Legal Basis For Processing Data” section of the Privacy Policy.
How is my WhatsApp information used by the Facebook Companies?
• [...] To keep WhatsApp and other Facebook family services safe and secure.
o We share information with the other Facebook Companies in accordance with the “Our Legal
Basis For Processing Data” section of the Privacy Policy, and vice versa, to help fight spam
and abuse on our Services, help keep them secure, and promote safety, security, and integrity
on and off our Services. So if, for example, any member of the Facebook Companies discovers
that someone is using its services for illegal purposes, it can disable their account and notify
the other Facebook Companies so that they can also consider doing the same. In this way, we
only share information for this purpose in relation to users that have first been identified as
having violated our Terms of Service or threatened the safety or security
of our users or others, about which other members of our family of companies should be
warned.
o To keep WhatsApp and other Facebook Companies' services safe and secure, we need to
understand which accounts across the Facebook Companies relate to the same user, so we
can take appropriate action when we identify a user who violates our Terms of Services or
presents a safety or security threat to others.”
43. In their written submissions to the EDPB, Facebook IE and WhatsApp IE referred to the Commitments
made to the WP29 and the IE SA, i.e., “[...] following the GDPR Update [in 2018] WhatsApp intended
to commence the sharing of its EU users’ data with Facebook on a controller-to-controller basis for
safety and security purposes only. We made this clear to our users in the User Engagement Flow and
our Privacy Policy as well as explaining to users the legal bases on which we will rely for this sharing,
which includes legitimate interest, contractual necessity, vital interests and public interest”. It also
includes the following: “However, it’s important to note that WhatsApp has not yet commenced the
sharing of this data with Facebook on this basis. Whilst we plan to commence this sharing in the
foreseeable future, we can confirm that WhatsApp will only do so following further engagement and
consultation with [the IE SA]. For your information, as and when we do commence this sharing (which,
as I say, will only follow further engagement and consultation with your Office) our current intention is
that it would only involve sharing of data on a case by case basis, for example sharing of data related
to individuals previously identified as a safety or security risk.”
44. Facebook IE also stated that: “The current status quo is that Facebook companies other than WhatsApp
Ireland (collectively “Facebook”) process WhatsApp user data shared by WhatsApp Ireland as
processors acting on the latter’s behalf and under its instructions. Neither Facebook Ireland nor any of
the other Facebook companies are conducting any of the Alleged Processing29 – i.e. no Facebook
companies, other than WhatsApp Ireland, are processing such WhatsApp user data as controllers (the
“Status Quo”)”30.
45. This statement was further confirmed in the Affidavit31, according to which “It has also been confirmed
to me by WhatsApp Ireland that German WhatsApp users’ data is not being provided to Facebook
Ireland (or any other Facebook Company) by WhatsApp Ireland on a controller-to-controller basis for it
to be used for Facebook’s own safety and security purposes. It has been confirmed to me by WhatsApp
Ireland that this will only occur in the future following further engagement and consultation with the
[IE SA] (who in turn I believe, again, would consult with other supervisory authorities concerned as
appropriate under Art. 60 GDPR). Again, I can confirm my understanding from my role at Facebook
Ireland that Facebook Ireland supports and adheres to the commitments WhatsApp Ireland has made
in this regard.”
29 Facebook’s written submissions to the EDPB dated 25 June 2021, para. 20. In Facebook’s written submissions to the EDPB, ‘Alleged Processing’ is defined by reference to the processing prohibited by the DE-HH SA Order, i.e., “[...] Facebook Ireland [...] processing personal data of WhatsApp users residing in Germany [...] transmitted by WhatsApp Ireland to Facebook Ireland as a controller, for a broadly described list of Facebook Ireland’s own purposes”, para. 3.
30 Facebook’s written submissions to the EDPB dated 25 June 2021, para. 20.
31 This Affidavit was first attached to Facebook’s written submissions to the DE-HH SA, and provided again in Facebook’s written submissions to the EDPB as Annex 2.
46. Facebook IE repeated its support and adherence to the Commitments once more in its written
submissions to the EDPB, explaining that “[...] to remove any possibility for concern in this respect,
Facebook Ireland has already provided clear confirmation to the [DE-HH SA] that it supports and
adheres to the Commitments and hereby expressly confirms such adherence again.”32
47. In reference to the DE-HH SA’s claim that the Commitments were not legally binding, Facebook IE
submitted “[...] that under Article 31 GDPR, WhatsApp Ireland as a controller is legally obligated to
cooperate with the [IE SA] as LSA, which has extensive enforcement powers under GDPR as well as Irish
law. Therefore, neither WhatsApp Ireland nor Facebook Ireland could simply cease to comply with the
Commitments in the manner the [DE-HH SA] alleges. On the contrary, both companies are dedicated to
upholding the Commitments [...].”33
48. Furthermore, Facebook IE submitted that the wording included in WhatsApp’s FAQ “How we work
with the Facebook Companies” (see relevant extract above) “[...] does not support in any way the
allegations made by the [DE-HH SA]. It is not indicative of the Alleged Processing, other than in respect
of the planned future controller-to-controller sharing of WhatsApp User Data for safety and security
purposes, which (a) has been provided for in WhatsApp’s privacy policies since at least 2016, and which
(b) will only be commenced by WhatsApp Ireland following further engagement with the IDPC, in line
with the Commitments. This quote otherwise relates (i) to processing which Facebook conducts as a
service provider and processor for WhatsApp Ireland’s purposes, on the latter’s behalf and under its
instructions; or (ii) to situations where no EU WhatsApp user data is shared.”34
49. In relation to the quote at stake, the EDPB observes that it expressly sets out that WhatsApp’s user
data shared with the other Facebook Companies to receive services from the latter, for example in
relation to safety, security and integrity across WhatsApp and the products offered by the other
Facebook Companies is done in accordance with WhatsApp IE’s instructions. On Facebook IE’s claim
that the extract may concern “situations where no EU WhatsApp user data is shared”, the EDPB notes
that such extract is included under the heading “Why does WhatsApp share information with the
Facebook Companies?”.
50. According to Facebook IE, the extract from the FAQ “How we work with the Facebook Companies” (see
para. 43 above) “is a simplified and accessible explanation of complex technical processing operations,
which is designed to assist users of varying sophistication in understanding how their data is being
processed by WhatsApp Ireland. It was not intended to provide a detailed explanation of complex legal
concepts contained in the GDPR, nor can its wording provide sufficient basis on which to conclude a
regulatory process on such matters35”.
51. Based on these statements, the EDPB notes that Facebook IE is unambiguous about the fact that it
intends to start processing WhatsApp’s user data as a controller for the purpose of safety, security and
integrity of the other Facebook Companies, but is less clear on whether it is currently processing
WhatsApp’s user data for that same purpose, as an alleged processor. In its letter addressed to the
EDPB on 7 July 2021, Facebook IE stated that this “is not taking place and will not take place premised
on the WhatsApp Update”.
52. The EDPB observes that in their current drafting, the statements included in WhatsApp’s user-facing
information do not mirror the Commitments by providing an indication to users that this processing
for safety, security and integrity purpose is, for now, only a plan, whereas the Commitments relating
to product improvement and advertising are mirrored in WhatsApp’s user facing information.
32 Facebook’s written submissions to the EDPB dated 25 June 2021, para. 28.
33 Facebook’s written submissions to the EDPB dated 25 June 2021, para. 27.
34 Facebook’s written submissions to the EDPB dated 25 June 2021, para. 36.
35 Facebook’s written submissions to the EDPB dated 7 July 2021, p. 5.
53. Transparency obligations stem from Article 5(1)(a) and Article 12(1) GDPR. They are an expression of
the principle of fairness in relation to the processing of personal data expressed in Article 8 EU
Charter36. Hence, controllers’ public-facing data protection statements aim at explaining to data
subjects how and why their personal data are processed and at empowering them to exercise control
over their personal data by exercising their rights enshrined in Chapter III GDPR. To that end, it is of
the utmost importance that public facing statements mirror the processing undertaken or to be
imminently undertaken by controllers, in order to provide a fairly accurate description of what data
subjects may reasonably expect in relation to the processing of their personal data when reading
privacy policies and other public-facing statements (e.g., FAQs).
54. Therefore, the EDPB shares the DE-HH SA’s position that there are contradictions between the
information included in WhatsApp’s user-facing information on the one hand, and the Commitments
and Facebook IE’s written submissions on the other hand.
55. According to the GDPR, a controller is “[...] the natural or legal person, [...] which, alone or jointly with
others, determines the purposes and the means of the processing of personal data”37, hence is serving
its own interests38.
56. The EDPB remarks that, in the analysis of a processing which may be divided into several smaller
processing operations and which involves several actors, it is important to consider whether, at
“macro-level”, these processing operations should not be considered as a “set of operations” pursuing
a joint purpose using jointly defined means39. Besides, the EDPB recalls that the underlying objective
of attributing the role of controller is to ensure accountability and the effective and comprehensive
protection of the personal data, therefore the concept of ‘controller’ should be interpreted in a
sufficiently broad way, favouring as much as possible effective and complete protection of data
subjects so as to ensure full effect of EU data protection law, to avoid lacunae and to prevent possible
circumvention of the rules, while at the same time not diminishing the role of the processor40.
57. In relation to the determination of means, the EDPB recalls that a distinction can be made between
essential and non-essential means, whereby:
• Essential means are to be determined by the controller, and are closely linked to the purpose
and the scope of the processing (e.g., type of personal data which are processed, duration of
the processing, categories of recipients, categories of data subjects).
• Non-essential means can be determined by the controller or the processor, and concern more
practical aspects of implementation (e.g., choice for a particular type of hard- or software or
the detailed security measures)41.
36 See WP29 Guidelines on transparency under Regulation 2016/679, as last revised and adopted on 11 April 2018 (WP260 rev.01), endorsed by the EDPB on 25 May 2018, https://edpb.europa.eu/our-work-tools/our-documents/guidelines/transparency_en, para 2.
37 See Article 4(7) GDPR.
38 See by analogy, EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR (final version after public consultation adopted on 7 July 2021), para 80.
39 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version, para. 43.
40 EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, para. 14.
41 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version, para. 40.
58. In relation to the concept of joint controllership, the EDPB considers that it “[...] can take the form of
a common decision taken by two or more entities or result from converging decisions by two or more
entities, where the decisions complement each other and are necessary for the processing to take place
in such a manner that they have a tangible impact on the determination of the purposes and means of
the processing."42 As per converging decisions, the EDPB specifies that “[a]n important criterion [...] is
whether the processing would not be possible without both parties’ participation in the sense that the
processing by each party is inseparable, i.e. inextricably linked.”43 Besides, the EDPB observes that “[j]oint controllership exists when entities involved in the same processing carry out the processing for
jointly defined purposes. This will be the case if the entities involved process the data for the same, or
common, purposes.”44
59. According to the GDPR, a processor is “[...] the natural or legal person, [...] which processes personal
data on behalf of the controller”45, hence is serving the interests of someone else46 and may not carry
out processing for its own purpose(s)47.
60. The EDPB takes note of Facebook IE’s claim that the other Facebook Companies only process
WhatsApp IE’s user data shared by the latter as WhatsApp IE’s processors, and that the processing
identified by the DE-HH SA as being allegedly performed by the other Facebook Companies are
processing WhatsApp IE’s user data shared by the latter as controllers, is not taking place48.
61. The EDPB remarks that it is unclear from WhatsApp’s user-facing information, whether the processing
of WhatsApp’s user data by WhatsApp IE and the other Facebook Companies, for the common purpose
of safety, security and integrity across WhatsApp and the other Facebook Companies is currently being
carried out by Facebook IE as a processor acting under the instructions of WhatsApp IE (see for instance
(emphasis added underlined): “When we receive services from the Facebook Companies, the
information we share with them is used to help WhatsApp in accordance with our instructions. Working
together allows us for example to: • [...] Ensure safety, security, and integrity across WhatsApp and the
Facebook Company Products by removing spam accounts and combating abusive activity. [...]”49); or
being carried by Facebook IE as a (joint) controller with WhatsApp IE (see for instance (emphasis added
underlined), “As part of the Facebook Companies, WhatsApp receives information from, and shares
information with, the other Facebook Companies to promote safety, security and integrity across the
Facebook Company Products, e.g., to fight spam, threats, abuse, or infringement activities, e.g., to fight
spam, threats, abuse, or infringement activities.”50).
62. Furthermore, whilst the EDPB acknowledges the Commitments, and the Affidavit, the EDPB notices
the use of ambiguous wording by both Facebook IE and WhatsApp IE in both documents (e.g., “shared”
could exclude covering other processing operations; “by WhatsApp Ireland” could exclude covering
sharing by other Facebook Companies; “any of the Alleged Processing” could exclude covering the
processing of WhatsApp users residing outside Germany; “such WhatsApp user data” could exclude
WhatsApp users residing outside Germany or WhatsApp user data shared by WhatsApp IE).
42 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version Executive summary.
43 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version para. 55.
44 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version para. 59.
45 See Article 4(8) GDPR.
46 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version para. 80.
47 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version para. 81.
48 Facebook’s written submissions to the EDPB dated 25 June and 7 July 2021.
49 See the FAQ “How we work with the Facebook Companies”, Why does WhatsApp share information with the Facebook Companies?
50 See the FAQ “How we work with the Facebook Companies”, How We Work With Other Facebook Companies
63. In addition, the EDPB observes that the fact that “for the purpose of promoting safety, security, and
integrity across the Facebook Companies”51, WhatsApp’s user-facing information refers to the current
exchange of data between WhatsApp IE and the other Facebook Companies “[...] to determine whether
a certain WhatsApp user is also using other Facebook Company Products, and to assess whether the
other Facebook Companies need to take action, either against such user or to protect them”52 and “To
keep WhatsApp and other Facebook Companies' services safe and secure, we need to understand which
accounts across the Facebook Companies relate to the same user”53, means that, from a practical
perspective, WhatsApp’s user data would need to be combined or at least compared with the data of
users of products and services offered by the other Facebook Companies. In their response to the EDPB
dated 7 July 2021, Facebook IE and WhatsApp IE submitted that the sharing of WhatsApp’s user data
with the other Facebook Companies for Facebook IE’s own purpose of safety and security is not taking
place, and did not further comment on any possible combination or comparison of WhatsApp’s user
data with other data sets controlled by Facebook IE for the purpose of safety, security and integrity.
64. Should it actually take place in practice, WhatsApp and Facebook Companies’ decision to combine or
at least compare at individual level the personal data of their respective users - possibly all data in the
case of WhatsApp IE54 in order to understand whether a particular person uses different services of
the Facebook Companies, would serve the interests of both WhatsApp IE and the other Facebook
Companies; hence would go beyond a controller-to-processor relationship.
65. Indeed, the EDPB notes that since the combination or comparison would aim at assessing if a certain
user identified as requiring action on one product or service (e.g., if they send spam or violate
WhatsApp’s or Facebook’s terms and conditions) also uses Facebook Companies’ products or services
(including WhatsApp IE’s), hence also face possible consequences of their acts on those other
accounts, shows that, without such combination or at least comparison of both data sets, the
processing would not be possible. In other words, the processing described in the FAQ “How we work
with the Facebook Companies” involving actions by both WhatsApp IE and the other Facebook
Companies, is inseparable, i.e. inextricably linked.
66. Considering the clear contradictions within WhatsApp’s user-facing information that should reflect
the practice, as well as the contradictions between WhatsApp’s user-facing information and the
statements made to the EDPB by Facebook IE and WhatsApp IE, including in their letters dated 7 July
2021, the Board considers that there is a high likelihood that Facebook IE already processes
WhatsApp user data as a controller or joint controller for the common purpose of the safety, security
and integrity of WhatsApp and the Facebook Companies.
51 See the FAQ “How we work with the Facebook Companies”, What information does WhatsApp share with the
Facebook Companies?
52 See the FAQ “How we work with the Facebook Companies”, What information does WhatsApp share with the
Facebook Companies?
53 See the FAQ “How we work with the Facebook Companies”, What information does WhatsApp share with the
Facebook Companies?
54 See FAQ “How we work with the Facebook Companies”, How We Process Your Information > Provision Of The
Services In Accordance With The Terms > Legitimate Interests > To share information with the Facebook
Companies to promote safety and security and integrity > Data Categories Used: “We use information described
in the "Information You Provide," "Automatically Collected Information," and "Third-Party Information" sections
of this Privacy Policy for this purpose.”
67. Nonetheless, in the face of the various contradictions, ambiguities and uncertainties noted in
WhatsApp’s user-facing information, the Commitments, and Facebook IE and WhatsApp IE’s
respective written submissions, the EDPB is not in a position to determine with certainty which
processing operations the other Facebook Companies, including Facebook IE, are actually carrying out
in relation to WhatsApp’s user data and in which capacity.
68. Accordingly, the EDPB requests the LSA competent for Facebook IE and WhatsApp IE to carry out a
statutory investigation to unveil whether Facebook IE has already started to process WhatsApp’s
user data for the common purpose of safety, security and integrity of the Facebook Companies, and
if so, whether it is acting as a processor on behalf of WhatsApp IE or as a (joint) controller with
WhatsApp IE. In particular, to this respect the LSA should analyse the possible combination and/or
comparison at individual level the personal data of WhatsApp users with the data of the Facebook
Companies which enables the Facebook Companies to understand whether a particular person uses
different services of the Facebook Companies, which serves their common purpose of the safety,
security and integrity. The EDPB further requests the LSA to carry out a statutory investigation to
assess whether Facebook IE has a legal basis to conduct such processing lawfully as a (joint)
controller pursuant to Articles 5(1)(a) and 6(1) GDPR.
69. Whilst the EDPB considers that SAs enjoy a certain degree of discretion to decide how to frame the
scope of their inquiries, the EDPB recalls that one of the main objectives of the GDPR is to ensure
consistency throughout the EU, and the cooperation between the LSA and CSAs is one of the means to
achieve this. Therefore, the EDPB calls upon the LSA to make full use of the cooperation tools
provided for by the GDPR (including Articles 61 and 62 GDPR) while carrying out such investigation.
4.1.2.2.2 On the alleged infringement of the transparency obligations under GDPR
70. The EDPB takes note of the concerns of the DE-HH SA regarding transparency towards data subjects,
in particular in relation to the processing of WhatsApp’s user data for the purpose of security and
safety of the Facebook Companies. However, the EDPB underlines that WhatsApp’s user-facing
information for EU users is currently subject to a one-stop-shop procedure led by the IE SA that is due
to come to an end shortly.
4.1.3 Improvement of product experience
4.1.3.1 Summary of the position of the DE-HH SA
71. According to the DE-HH SA, it can be read in the FAQ “How we work with the Facebook Companies”
that in order to understand how people use WhatsApp services in comparison with other apps and
improve the WhatsApp services, WhatsApp can track the use of services and compare these results
across the Facebook companies. WhatsApp may be able to match whether the user of a particular
WhatsApp account also uses another Facebook company's service55. The DE-HH SA concluded that
Facebook IE’s processing for its own purpose of product improvement and advertising is not presented
transparently56.
72. Moreover, according to DE-HH SA, with the new terms of use, WhatsApp is expanding the list of data
to be exchanged with Facebook in the future. In particular, this relates to Facebook hosting services
and “discovering a business” features57. According to DE-HH SA, this means that, in the future, data
will also be exchanged between WhatsApp and Facebook for marketing purposes, which Facebook can
use for its own purposes, in particular for profiling58.
55 DE-HH SA Order, Section II.2)aa), p. 17.
56 DE-HH SA Order, Section II.2)cc), p. 20.
73. The DE-HH SA notes that the relevant section in the FAQ “How we work with the Facebook Companies”
in its version before the consultation letter of the DE-HH SA of 12 April 2021 stated that Facebook does
not use “account information” for purpose of improving Facebook product experience and Facebook
ads59. According to DE-HH SA, “account information” covers a very broad catalogue of information. It
is not clear what is meant by “account information” and which types of data should be assigned to this
data category and which should not. The DE-HH SA observes that WhatsApp collects a considerable
number of other data categories.
74. The DE-HH SA further states that following the consultation letter of the DE-HH SA of 12 April 2021,
the wording of “account information” in the FAQ “How we work with the Facebook Companies” has
been expanded to include all personal data. The DE-HH SA notes that while previously in the FAQ “How
we work with the Facebook Companies” the use of “account information” by Facebook was described
by WhatsApp as “currently” not taking place, it is now only mentioned that WhatsApp is “currently” not passing on60 (all) personal data for these purposes. Thus, the fact that Facebook IE does not actually
use WhatsApp users’ data for these purposes is not (any longer) clear from the amended terms and
conditions61.
57 DE-HH SA Order, Section II.2)cc), p. 20, the relevant quote: “In the explanations it says (emphasis by the
undersigned): “Facebook hosting services: […] Some large businesses need to use hosting services to manage their
communication. Which is why we’re giving businesses the option to use secure hosting services from Facebook to
manage WhatsApp chats with their customers, answer questions, and send helpful information like purchase
receipts. But whether you communicate with a business by phone, email, or WhatsApp, it may use that
information for its own marketing purposes, which may include advertising on Facebook. To make sure you’re
informed, we clearly label conversations with businesses that are choosing to use hosting services from Facebook.
Discovering a business: You may see an ad on Facebook with a button to message a business using WhatsApp. If
you have WhatsApp installed on your phone, you’ll have the option to message that business. Facebook may use
the way you interact with these ads to personalize the ads you see on Facebook. (emphasis added by author).
Discovering a business: People can already discover businesses on Facebook or Instagram from ads that show a
button you can click to message them using WhatsApp. Just like other ads on Facebook, if you choose to click on
these ads, it may be used to personalize the ads you see on Facebook. Again, WhatsApp and Facebook cannot
see the content of any end to end encrypted messages.“ (emphasis added by author).
Here we would like to emphasise once again that WhatsApp and Facebook cannot see the content of end-to-end
encrypted messages.“ (see https://faq.whatsapp.com/general/security-and-privacy/about-new-business-features-and-whatsapps-privacy-policy-update/?lang=en).”
58 DE-HH SA Order, Section II.2)cc), p. 20.
59 DE-HH SA Order, Section II.2)cc), p. 20.
60 It should be noted that the exact wording from the WhatsApp Updated terms and the Commitments is “shared”.
61 DE-HH SA Order, Section II.2)cc), p. 21, the relevant quote: “However, it is no longer confirmed that Facebook
does not use user data for these purposes, but only that data is not passed on for these purposes. Since then, it
has only stated (emphasis added by the undersigned): “We do not share data to use it to improve Facebook products on Facebook or to provide more relevant
advertising experiences on Facebook.
Currently, WhatsApp does not share your personal data with Facebook to improve your product experience on
Facebook or to show you more engaging Facebook ads. This is the result of discussions with the Irish Data
Protection Authority and other data protection authorities in Europe. We are constantly working on new ways to
improve your experience on WhatsApp and other Facebook company products you use. If we decide in the future
to share such data with the Facebook companies for this purpose, it will only be done if the head of the Irish data
protection authority agrees to a mechanism that allows such use. We will keep you updated on new experiences
we offer and our information practices.””
75. The DE-HH SA makes reference to Facebook’s statements regarding the commitment made by
WhatsApp IE not to share EU WhatsApp user data with Facebook for the purpose of Facebook using
this data to improve its products or advertisements without prior consultation with the IE SA. The
DE-HH SA states that this represents a non-binding commitment and requires no further user’s consent62.
The DE-HH SA also stresses that this commitment only refers to the purposes for which WhatsApp IE
shares data with Facebook and does not include any commitment by Facebook not to process data for
its own purposes63.
76. Regarding the issue of legal basis, the DE-HH SA states that it is not clear whether WhatsApp would
consider it necessary to obtain the consent of users for a transfer for these purposes. According to the
DE-HH SA, it must be assumed that the transfer of its users’ data to Facebook IE for these purposes on
the legal basis of legitimate interest, Article 6(1)(f) GDPR64. The DE-HH SA further states that users lack
proper information about such transfers: “In the view of both companies, the legal requirements for
data transfer by WhatsApp and processing by Facebook Ireland Ltd for these purposes already exist.
The consequence of this is that the users, since they are not requested to give their consent, do not
obtain any secure knowledge of a data transfer for these purposes to Facebook Ireland Ltd. Rather, a
data transfer for these purposes has been and is being decided and implemented by the companies
“behind the scenes”, whereby it is completely unclear for users whether and if so, when and in what
form they will become aware of this and whether they will be asked for consent to a data transfer and
processing for these purposes or will have the possibility to object to it or not”65.
4.1.3.2 Analysis of the EDPB
77. The EDPB assessed the improvement of product experience purpose66 in relation to the alleged
unlawful processing of WhatsApp user data by Facebook IE as a controller and in relation to the alleged
infringement of the transparency requirements in WhatsApp’s user-facing information. The EDPB took
into account the views of the DE-HH SA, as well as the positions expressed by both Facebook IE and
WhatsApp IE.
62 Annex to Facebook’s submissions to the DE-HH SA, para 2.4, p. 7-8, Letter to the EDPB Chair requesting a binding decision of the EDPB according to Art. 66 (2) GDPR, 3 June 2021, p. 6.
63 DE-HH SA, Letter to the EDPB Chair requesting a binding decision of the EDPB according to Art. 66(2) GDPR, 3 June 2021, p. 6.
64 DE-HH SA Order, Section II.2)cc), p. 22.
65 DE-HH SA Order, Section II.2)cc), p. 22.
66 This processing purpose in different parts of the DE-HH SA order is referred as “improvement of the product
experience” (see the DE-HH SA order, p. 1) and/or as “Product experiences and Facebook ads” (see the DE-HH
SA order, p. 20). In this section, the EDPB assesses the purpose of improvement of product experience in a broad
sense. The specific advertisement related elements are addressed by the EDPB in the section 4.1.4 of the current
decision.
4.1.3.2.1 On the alleged unlawful processing of WhatsApp user data by Facebook IE as a controller
78. In relation to improvement of product experience, the EDPB notes the following descriptions provided
in relevant extracts from WhatsApp’s Privacy Policy (emphasis added underlined):
“WhatsApp also works, and shares information with, the other Facebook Companies who act on our
behalf to help us operate, provide, improve, understand, customise, support, and market our
Services. This includes the provision of infrastructure, technology, and systems, e.g., for providing
you with fast and reliable messaging and calls around the world; improving infrastructure and
delivery systems; understanding how our Services are used; helping us provide a way for you to
connect with businesses; and securing systems. When we receive services from the Facebook
Companies, the information we share with them is used on WhatsApp’s behalf and in accordance
with our instructions. Any information WhatsApp shares on this basis cannot be used for the
Facebook Companies’ own purposes”67.
79. The EDPB also notes the relevant extracts from the information included by WhatsApp in its FAQ “How
we work with the Facebook Companies” (emphasis added underlined):
“Why does WhatsApp share information with the Facebook Companies?
WhatsApp works and shares information with the other Facebook Companies to receive services like
infrastructure, technology, and systems that help us provide and improve WhatsApp and to keep
WhatsApp and the other Facebook Companies safe and secure. When we receive services from the
Facebook Companies, the information we share with them is used to help WhatsApp in accordance
with our instructions. Working together allows us for example to:
• Provide you fast and reliable messaging and calls around the world and understand how our
Services and features are performing.
• Ensure safety, security, and integrity across WhatsApp and the Facebook Company Products
by removing spam accounts and combating abusive activity.
• Connect your WhatsApp experience with Facebook Company Products.
Today, WhatsApp does not share your personal information with Facebook to improve your
Facebook product experiences or provide you more relevant Facebook ad experiences on Facebook.
We're always working on new ways to improve how you experience WhatsApp and the other
Facebook Company Products you use. We'll keep you updated on new experiences we offer and our
data practices”68.
[...] “How is my WhatsApp information used by the Facebook Companies?
To receive services that will help WhatsApp operate, improve, and develop our business. When
WhatsApp shares information with the Facebook Companies in these ways, the Facebook
Companies act as service providers and the information we share with them is used to help
WhatsApp in accordance with our instructions (emphasis added).
• We share information with the other Facebook Companies as service providers. Service
providers help companies like WhatsApp by providing infrastructure, technologies, systems,
tools, information, and expertise to help us provide and improve the WhatsApp service for our
users.
• This enables us, for example, to understand how our Services are being used, and how it
compares to usage across the Facebook Companies. By sharing information with the other
Facebook Companies, such as the phone number you verified when you signed up for WhatsApp
and the last time your account was used, we may be able to work out whether or not a particular
WhatsApp account belongs to someone who also uses another service in the Facebook
Companies. This allows us to more accurately report information about our Services and to
improve our Services. So, for example, we can then understand how people use WhatsApp
services compared to their use of other apps or services in the other Facebook Companies, which
in turn helps WhatsApp to explore potential features or product improvements (emphasis
added). We can also count how many unique users WhatsApp has, for example, by establishing
which of our users do not use any other Facebook apps and how many unique users there are
across the Facebook Companies. This will help WhatsApp more completely report the activity on
our service, including to investors and regulators. [...]
We do not share data for improving Facebook products on Facebook and providing more relevant
Facebook ad experiences.
• Today, WhatsApp does not share your personal information with Facebook to improve your
Facebook product experiences or provide you more relevant Facebook ad experiences on
Facebook. This is a result of discussions with the Irish Data Protection Commission and other
Data Protection Authorities in Europe. We're always working on new ways to improve how you
experience WhatsApp and the other Facebook Company Products you use. Should we choose to
share such data with the Facebook Companies for this purpose in the future, we will only do so
when we reach an understanding with the Irish Data Protection Commission on a future
mechanism to enable such use. We'll keep you updated on new experiences we offer and our
information practices”69.
67 In the Privacy Policy (valid as of 8 February 2021), section “How we work with other Facebook Companies”.
68 FAQ “How we work with the Facebook Companies”> How is my WA information used by the FB Companies.
80. The EDPB also notes the relevant extracts from the information included by WhatsApp in the Legal
Basis notice (emphasis added underlined):
“Provision Of The Services In Accordance With The Terms
We process the data we have about you (as described in the "Information We Collect" section) as
necessary to perform our contract with you (the Terms). The categories of data we process will
depend on the data you choose to provide and the manner in which you use our Services (which
determines the information we collect automatically). The processing purposes necessary to provide
our contractual services are:
Why And How We Process Your Data:
• To operate, provide, improve, customise, and support our Services as described in the "Our
Services" section of our Terms which includes providing ways for you to connect and
communicate with other WhatsApp users including businesses. This includes collecting
information from you to create a WhatsApp account, connecting you with businesses reachable
via WhatsApp, analysing your use of our Services, providing customer support in response to an
issue or deleting your data if you choose to close your account.
• We use Messaging Metadata for the transmission of the communication; the operation of the
Services, including general traffic management and the prevention, detection, investigation and
remediation of failures; and for billing, where applicable.
• Data Categories Used: We use information described in the "Information You Provide,"
"Automatically Collected Information," and "Third-Party Information" sections of this Privacy
Policy for this purpose.
[...]
Legitimate Interests
We rely on our legitimate interests or the legitimate interests of a third party where they are not
outweighed by your interests or fundamental rights and freedoms ("legitimate interests"):
Why And How We Process Your Data:
• For providing measurement, analytics, and other business services where we are processing data
as a controller.
• Legitimate Interests Relied On:
• To provide accurate and reliable aggregated reporting to businesses and other partners, to
ensure accurate pricing and statistics on performance, and to demonstrate the value our
partners realise using our Services; and
• In the interests of businesses and other partners to help them understand their customers
and improve their businesses and validate our pricing models, and evaluate the effectiveness
and distribution of their services and messages, and understand how people interact with
them on our Services.
• Data Categories Used: We use information described in the "Information You Provide,"
"Automatically Collected Information," and "Third-Party Information" sections of this Privacy
Policy for these purposes.”
69 See FAQ “How we work with the Facebook Companies” > How is my WA information used by the FB Companies?
81. According to the submissions of Facebook IE, WhatsApp IE is the sole data controller: “Facebook
processes WhatsApp User Data as processor on behalf of WhatsApp Ireland”70 and the other Facebook
companies (including Facebook IE) only process the data of WhatsApp users shared by WhatsApp IE as
processors acting under WhatsApp IE instructions71. Facebook IE added that no Facebook companies,
including Facebook IE, process the personal data of WhatsApp users shared by WhatsApp IE for
Facebook’s own purposes72
. 82. Facebook IE noted that the alleged processing is subject to the commitment that WhatsApp IE made
to WP 29 and the EU supervisory authorities that it will not share personal data of WhatsApp users in
the EU with other Facebook companies for the purpose of Facebook using this data to improve its
products or advertisements, and that no such use will occur without prior engagement with the IE SA
in its capacity as LSA and sole interlocutor under Article 56(6) GDPR73. Facebook IE provided an affidavit
reaffirming the commitments and confirming that the May Update will not change the status quo74.
83. The EDPB observes that in the Commitments WhatsApp IE, inter alia, committed to not commence
sharing WhatsApp data relating to EU users with Facebook to improve Facebook products and
advertisements, and should it change, to do so “with continued discussion with [the IE SA]”75. In its
submissions to the EDPB, Facebook IE claimed that this commitment is being followed by WhatsApp
IE and the WhatsApp data is not being shared with Facebook for the purpose of Facebook using this
data to improve Facebook products or Facebook ad experiences76.
70 Facebook’s written submissions to DE-HH SA, section 2.11, p. 9.
71 Facebook’s written submissions to DE-HH SA, sections 2.9-2.12, p. 9-10.
72 Facebook’s written submissions to DE-HH SA, for instance section 1.1.A), p. 2.
73 Facebook’s written submissions to DE-HH SA, Annex 1, Letter from WhatsApp Ireland to the Article 29 Working
Party dated 4 February 2018, p.1, and Letter from WhatsApp Ireland to the DPC dated 8 June 2018, p.2. In the
commitments WhatsApp took towards the WP 29 and the LSA, respectively in February and June 2018,
WhatsApp IE:
• Committed to not commence sharing WhatsApp data relating to EU users with Facebook to improve
Facebook products and advertisements, and should it change, to do so “with continued discussion with [the
IE SA]”.
• Confirmed that Facebook will carry on providing services to WhatsApp Ireland as a processor for “areas such
as infrastructure, analytics and monetisation”.
74 Facebook’s written submissions to DE-HH SA, Annex 2.
75 Facebook’s written submissions to DE-HH SA, Annex 1, Letter from WhatsApp Ireland to the Article 29 Working
Party dated 4 February 2018, p.1, and Letter from WhatsApp Ireland to the DPC dated 8 June 2018, p.2.
76 Facebook’s written submissions to the EDPB dated 25 June 2021, para. 15, 26.
84. According to Facebook IE, as the alleged processing77 is not taking place, the statements by the DE-HH
SA regarding the legal basis that WhatsApp IE or Facebook IE might rely on for such processing are not
relevant to the scope of this urgency procedure. Even if they were, the DE-HH SA’s attempts to
proactively prohibit future reliance on legal bases for future processing would be unlawful78.
85. According to Facebook IE, the extract from the FAQ “How we work with the Facebook Companies” (see
para. 80 above) is a simplified and accessible explanation of complex technical processing operations,
which is designed to assist users of varying sophistication in understanding how their data is being
processed by WhatsApp IE. It was not intended to provide a detailed explanation of complex legal
concepts contained in the GDPR, nor can its wording provide sufficient basis on which to conclude a
regulatory process on such matters. Facebook IE further stated that while it understood from
WhatsApp IE that certain processing falling within this simplified description is taking place (e.g.
WhatsApp Ireland is using its processor in order to establish how many unique users its service has), it
is not relevant to the present proceedings for two reasons: (1) the entity providing these services to
WhatsApp Ireland is in fact Facebook, Inc. and (2) Facebook, Inc. handles EU WhatsApp User Data
solely as a processor on behalf of WhatsApp IE and not as a controller79. WhatsApp IE stated the
same: “[t]he entity providing the services [...] is in fact Facebook, Inc. and the processing of EU WhatsApp User
Data involves Facebook, Inc. acting as a “service provider”, i.e. as a processor on behalf of WhatsApp
Ireland, and not as a controller”80.
86. Regarding the role of a processor, Facebook IE stated that “there are no other requirements or
conditions attached to the concept of a processor and no rules on the types of activities that can be
undertaken or the data that can be processed. Contrary [...] the categories or sources of other data
processed by an entity are clearly not relevant to determining whether an entity processes specific
personal data received from a specific controller as a controller or a processor. As the EDPB
acknowledges in its Draft Guidelines: “[t]wo basic conditions for qualifying as processor exist: that it is
a separate entity in relation to the controller and that it processes personal data on the controller’s
behalf” - both of which are applicable to the processing described in the third Extract”81.
87. Facebook IE further claimed that “WhatsApp Ireland is the entity that determines the purposes and
means regarding the processing of EU WhatsApp User Data [...]82. Facebook Inc. handles EU WhatsApp
User Data solely in accordance with WhatsApp Ireland’s instructions pursuant to both strict contractual
and technical controls. Among other things, these controls prohibit Facebook, Inc. from using EU
WhatsApp User Data for its own purposes, and from disclosing any such personal data to any other
Facebook companies, including in particular to Facebook Ireland. The outputs of these services received
by WhatsApp Ireland from Facebook, Inc. are made available in the form of aggregated information
only. Any sharing of this information by WhatsApp Ireland with any other Facebook company could
therefore not involve any sharing of EU WhatsApp User Data with that company”83.
77 In Facebook’s written submissions to the EDPB dated 25 June 2021, ‘Alleged Processing’ is defined by reference
to the processing prohibited by the DE-HH SA Order, i.e., “[...] Facebook Ireland [...] processing personal data of
WhatsApp users residing in Germany [...] transmitted by WhatsApp Ireland to Facebook Ireland as a controller,
for a broadly described list of Facebook Ireland’s own purposes”, para 3.
78 Facebook’s written submissions to DE-HH SA, p. 6, para. 1.1 (J).
79 Facebook’s written submissions to the EDPB dated 7 July 2021, p. 5.
80 WhatsApp’s written submissions to the EDPB dated 7 July 2021.
81 Facebook’s written submissions to the EDPB dated 7 July 2021, p. 7.
82 This particular section from the Facebook’s written submissions to the EDPB refers to the processing described
FAQ “How we work with the Facebook Companies” > How is my WA information used by the FB Companies?
(See above para. 80 of the current decision).
88. The EDPB firstly recalls that a processor is someone who processes personal data on the controller’s
behalf84. “Processing personal data on the controller’s behalf” firstly requires that the separate entity
processes personal data for the benefit of the controller85. If the separate entity processes the personal
data also for its own benefit, that entity goes beyond the role of the processor. Moreover, the EDPB
considers that a processor cannot combine data it processes on behalf of a company with other data
it processes as controller without going outside its role as the processor.
89. The EDPB further notes that the concepts of controller and processor are functional concepts: they
aim to allocate responsibilities according to the actual roles of the parties. This implies that the legal
status of an actor as either a “controller” or a “processor” must in principle be determined by its actual
activities in a specific situation, rather than upon the formal designation of an actor as being either a
“controller” or “processor” (e.g. in a contract)86.
90. The EDPB recalls that the underlying objective of attributing the role of controller is to ensure
accountability and the effective and comprehensive protection of the personal data, therefore the
concept of ‘controller’ should be interpreted in a sufficiently broad way, favouring as much as possible
effective and complete protection of data subjects so as to ensure full effect of EU data protection law,
to avoid lacunae and to prevent possible circumvention of the rules, while at the same time not
diminishing the role of the processor87. Further, the EDPB notes that in the analysis of processing of
personal data which may be divided into several smaller processing operations and involve several
actors, it is important to consider whether at “macro-level” these processing operations could be
considered as a “set of operations” pursuing a joint purpose using jointly defined means88.
91. According to the GDPR, a controller is “[...] the natural or legal person, [...] which, alone or jointly with
others, determines the purposes and the means of the processing of personal data”89, and is
consequently serving its own interests90. The EDPB recalls that “[j]oint controllership exists when
entities involved in the same processing carry out the processing for jointly defined purposes. This will
be the case if the entities involved process the data for the same, or common, purposes”91.
92. The EDPB observes that in their current drafting, the statements included in WhatsApp’s public-facing
information also include reference to the Commitments by providing an explanation to users that: “WhatsApp does not share your personal information with Facebook to improve your Facebook product
experiences or provide you more relevant Facebook ad experiences on Facebook”. The EDPB also takes
note of the positions of Facebook IE and WhatsApp IE that WhatsApp IE only shares the WhatsApp
user data with the other Facebook Companies for the purposes of receiving services which the other
Facebook Companies provide as processors, i.e. controller to processor data sharing92.
83 Facebook’s written submissions to the EDPB dated 7 July 2021, p. 7.
84 GDPR Article 4(8).
85 EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version, para. 78.
86 EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version, para. 12.
87 EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version, para. 14.
88 EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final version, para. 43.
89 See Article 4(7) GDPR.
90 See by analogy, EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, final
version, para 80.
91 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, para. 59.
93. The EDPB has serious doubts about the interpretation of the processing role of the other Facebook
Companies, including Facebook IE, regarding WhatsApp user data in the present situation as claimed
by Facebook IE and WhatsApp IE.
94. The EDPB notes that while the Privacy Policy and the FAQ “How we work with the Facebook
Companies” are explicit that WhatsApp data is not shared with Facebook for the purpose of Facebook
using this data to improve Facebook products and/or providing more relevant Facebook ad
experiences, the FAQ explicitly states that the WhatsApp data is shared with Facebook to understand
how WhatsApp “Services are being used, and how it compares to usage across the Facebook
Companies”93. The FAQ adds that “we may be able to work out whether or not a particular WhatsApp
account belongs to someone who also uses another service in the Facebook Companies” and that “[w]e
can also count how many unique users WhatsApp has, for example, by establishing which of our users
do not use any other Facebook apps and how many unique users there are across the Facebook
Companies”94 (emphasis added underlined).
95. The EDPB therefore considers that the FAQ “How we work with the Facebook Companies” already
incorporates elements that give indication that Facebook actions, insofar as they concern the
processing of WhatsApp users’ data for the benefit of the Facebook Companies, including Facebook
IE95, go beyond the Commitments, despite the Commitments to consult the IE SA in case of any change.
96. Based on the FAQ “How we work with the Facebook Companies”, it seems apparent that the WhatsApp
user data is being compared with the data of the other Facebook Companies, including Facebook IE. Moreover, considering the information provided in the FAQ “How we work with the Facebook
Companies”, it could be observed that WhatsApp IE and other Facebook Companies, including
Facebook IE, share with each other and possibly combine data, such as phone numbers, in order to
understand whether a particular person uses different services (also referred to as “Facebook apps”)
of the Facebook Companies, which include Facebook IE96.
97. The EDPB considers that such sharing of data “with Facebook to understand how WhatsApp Services
are being used, and how it compares to usage across the Facebook Companies” is likely done not
merely for the purpose of improving the products of WhatsApp IE, but also benefits other Facebook
Companies, including Facebook IE, for improvement of their products.
92 Facebook’s written submissions to the EDPB of 7 July 2021, p. 3, also WhatsApp’s written submissions to the
EDPB of 7 July 2021.
93 See FAQ “How we work with the Facebook Companies” > How is my WA information used by the FB
Companies?
94 See FAQ “How we work with the Facebook Companies” > How is my WA information used by the FB
Companies?
95 A link inserted in WhatsApp public-facing information sends to a page on WhatsApp explaining that the term
‘Facebook Companies’ refers to Facebook Inc., Facebook IE, Facebook Payments Inc., Facebook Payments
International Limited, Facebook Technologies LLC, Facebook Technologies Ireland Limited, WhatsApp LLC, and
WhatsApp IE. In this urgent binding decision, the term ‘other Facebook Companies’ refers to all the Facebook
Companies except WhatsApp IE.
96 For example, a link inserted in WhatsApp public-facing information sends to a page on WhatsApp explaining
that the term as follows: “The Facebook Company Products are, together, the Facebook Products and other
products provided by the Facebook Companies that are subject to a separate, stand-alone terms of service and
privacy policy, including the WhatsApp and Oculus Products (when using an Oculus account)”.
98. Based on the FAQ “How we work with the Facebook Companies”, the EDPB considers it to be likely
that the processing of WhatsApp user data is done for the overall (i.e. “macro”) purpose of improving
products of the Facebook Companies (inter alia, by assessing “which accounts across the Facebook
Companies relate to the same user” and “how WhatsApp Services are being used, and how it compares
to usage across the Facebook Companies”). The EDPB observes that, if confirmed, such processing
would go beyond the processing of WhatsApp user data for the purpose for improvement of WhatsApp
products by WhatsApp IE as the only data controller.
99. The EDPB takes note of the information provided by WhatsApp IE and Facebook IE that the entity
providing the above-described services to compare usage across the Facebook Companies is Facebook,
Inc. and the processing of EU WhatsApp user data involves Facebook, Inc. acting as a service provider
for this purpose. The EDPB raises concerns that the processing of the WhatsApp user data for the
purpose for improvement of products is potentially done for the benefit of all the Facebook
Companies, and not solely for WhatsApp IE own purpose of improvement of WhatsApp products.
100. Therefore, if such circumstances were to be confirmed, the Facebook Companies, including Facebook
IE, potentially (jointly) define the purpose and means for this processing97 and in such a case they
should be considered as (joint) controllers in this respect98. Accordingly, if these circumstances were
confirmed, the EDPB considers that Facebook IE could be regarded as a (joint) controller, i.e.
determining the purpose and means of processing the personal data of WhatsApp users in the EU,
insofar as the processing is done for the purpose of improvement of Facebook products. However, the
Board considers that based on the information available in the present procedure, it is not in a position
to reach final conclusions on this matter.
101. The EDPB further considered whether, in case such processing by Facebook IE as a controller was
confirmed, Facebook IE would have a legal basis under Article 6(1) GDPR to process the WhatsApp
user data for the purpose for improvement of Facebook products lawfully pursuant to Article 5(1)(a)
GDPR.
102. Regarding consent as a possible legal basis for such processing by Facebook IE as the controller, based
on the information available to the EDPB, there is no indication that consent from users is currently
collected regarding such processing99. Therefore, the EDPB considers it unlikely that Facebook IE
currently could rely on Article 6(1)(a) GDPR to lawfully conduct such processing of WhatsApp user data.
The EDPB further considers that Facebook IE could not rely on performance of contract legal basis
under Article 6(1)(b) GDPR as there are no contractual relations between the WhatsApp users and
Facebook IE.
103. The EDPB has serious doubts whether Facebook IE as a (joint) controller could rely on legitimate
interest legal basis under Article 6(1)(f) GDPR for the processing of the WhatsApp user data for the
purpose of improvement of Facebook products, as in the present case the controller’s interests are
likely to be overridden by the interests and fundamental rights and freedoms of the data subjects.
97 See EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, para. 59.
98 CJEU judgement in case C-210/16 Wirtschaftsakademie, 5 June 2018, para. 30.
99 The EDPB took note that in their submissions WhatsApp IE stated several times that the consent to the new
terms is not meant to constitute the consent as a legal basis for processing of personal data under the GDPR.
Currently WhatsApp IE collects consent from WhatsApp service users only through the device-based settings to
allow access to device information, such as for location, camera and photo, in order to provide the services
described when users enable the settings. In the WhatsApp Legal Basis notice.
104. The EDPB recalls that relying on Article 6 (1)(f) GDPR requires, first, the identification of a legitimate
interest pursued by the controller or by a third party, second a need to process personal data for the
purposes of the legitimate interest pursued and a balancing test: the legitimate interest of the
controller or third party must be balanced against the interests or fundamental rights and freedoms of
the data subject100. The EDPB also recalls that in order to carry out the balancing test it is first important
to consider the nature and source of the legitimate interests on the one hand and the impact on the
data subjects on the other hand. The legitimate interests of the controller (or third parties) must be
balanced against the interests or fundamental rights and freedoms of the data subject101.
105. While such type of interest, i.e. improvement of products, could be considered to be legitimate102, the
EDPB stresses that this commercial interest could be less compelling when weighed against the rights
of data subjects103. Therefore, in the present case, when carrying out the balancing test, more
prominent weight should be given to the consideration of interests of data subjects and the impact on
their rights.
106. Taking into account the high number of WhatsApp users and the large amount of personal data104 that
are processed and possibly combined with other data by Facebook IE for the purpose of improvement
of products of the Facebook Companies, the EDPB has serious doubts that the controller’s interest
would override the interests of data subjects.
107. The EDPB recalls that the reasonable expectations of the data subject, especially with regard to the
use and disclosure of the data in the relevant context, is another important element to consider in the
balancing test105.
108. Taking into account the above, the EDPB concludes that there is a high likelihood that Facebook IE
processes WhatsApp users’ data as a (joint) controller for its own purpose of improvement of
product experience. However, considering the Commitments and the submissions of Facebook IE, as
well as the limited information available in this procedure, the Board concludes that it does not have
sufficient information to verify whether and to what extent such processing takes place in practice
and whether such processing by Facebook IE is lawful pursuant to Articles 5(1)(a) and 6(1) GDPR.
109. Accordingly, the EDPB requests the LSA competent for Facebook IE and WhatsApp IE to carry out a
statutory investigation to unveil whether Facebook IE is processing WhatsApp user data for the
common purpose of improvement of products of the Facebook Companies as a (joint) controller. In
particular, in this respect the LSA should investigate the processing of personal data by the Facebook
Companies which enables them to identify whether a particular person uses different services of the
Facebook Companies possibly facilitated by the use of unique identifiers and analyse the possible
combination or at least comparison of the WhatsApp users’ data with data of the Facebook
Companies based on the elements outlined by the EDPB in this section of the current decision.
100 EDPB Recommendations 02/2021 on the legal basis for the storage of credit card data for the sole purpose
of facilitating further online transactions, adopted 19 May 2021, para. 7-9.
101 Working Party 29 Opinion WP 217 on the notion of legitimate interests of the data controller under Article 7
of Directive 95/46/EC, adopted on 9 April 2014, p. 23.
102 Working Party 29 Opinion WP 217 on the notion of legitimate interests of the data controller under Article 7
of Directive 95/46/EC, adopted on 9 April 2014, p. 25.
103 Working Party 29 Opinion WP 217 on the notion of legitimate interests of the data controller under Article 7
of Directive 95/46/EC, adopted on 9 April 2014, p. 26.
104 Working Party 29 Opinion WP 217 on the notion of legitimate interests of the data controller under Article 7
of Directive 95/46/EC, adopted on 9 April 2014, p. 39.
105 Working Party 29 Opinion WP 217 on the notion of legitimate interests of the data controller under Article 7
of Directive 95/46/EC, adopted on 9 April 2014, p. 50.
110. The EDPB further requests the LSA to carry out a statutory investigation to assess whether Facebook
IE has a legal basis to conduct such processing lawfully as a (joint) controller pursuant to Articles
5(1)(a) and 6(1) GDPR.
111. Whilst the EDPB considers that SAs enjoy a certain degree of discretion to decide how to frame the
scope of their inquiries, the EDPB recalls that one of the main objectives of the GDPR is to ensure
consistency throughout the EU, and the cooperation between the LSA and CSAs is one of the means to
achieve this. Therefore, the EDPB calls upon the LSA to make full use of the cooperation tools
provided for by the GDPR (including Articles 61 and 62 GDPR) while carrying out such investigation.
4.1.3.2.2 On the alleged infringement of the transparency obligations under GDPR
112. The EDPB takes note of the concerns of the DE-HH SA regarding transparency, in particular in relation
to processing of WhatsApp user data for improvement of products of Facebook, possible
contradictions in the privacy policy, and lack of sufficiently detailed, easily accessible and clear
information. However, the EDPB underlines that the WhatsApp IE privacy policy is currently subject to
a one stop shop procedure led by the IE SA.
4.1.4 Marketing communications and direct marketing
4.1.4.1 Summary of the position of the DE-HH SA
113. Another issue investigated by the DE-HH SA were changes in the Privacy Policy introduced with respect
to processing of personal data for marketing purposes. According to the DE-HH SA, with the Updated
Terms, WhatsApp IE is expanding the circle of data to be exchanged with Facebook in the future. In its
explanations, the DE-HH SA referred to the WhatsApp FAQ page relating to its Privacy Policy (emphasis
by the DE-HH SA):
Facebook hosting services: […] Some large businesses need to use hosting services to manage their
communication. Which is why we’re giving businesses the option to use secure hosting services from
Facebook to manage WhatsApp chats with their customers, answer questions, and send helpful
information like purchase receipts. But whether you communicate with a business by phone, email,
or WhatsApp, it may use that information for its own marketing purposes, which may include
advertising on Facebook. To make sure you’re informed, we clearly label conversations with
businesses that are choosing to use hosting services from Facebook.
Discovering a business: You may see an ad on Facebook with a button to message a business using
WhatsApp. If you have WhatsApp installed on your phone, you’ll have the option to message that
business. Facebook may use the way you interact with these ads to personalize the ads you see
on Facebook. (emphasis added by author).
Discovering a business: People can already discover businesses on Facebook or Instagram from ads
that show a button you can click to message them using WhatsApp. Just like other ads on Facebook,
if you choose to click on these ads, it may be used to personalize the ads you see on Facebook.
Again, WhatsApp and Facebook cannot see the content of any end to end encrypted
messages.“(emphasis added by author). Here we would like to emphasise once again that
WhatsApp and Facebook cannot see the content of end-to-end encrypted messages.“ (see
https://faq.whatsapp.com/general/security-and-privacy/about-new-business-featuresand- whatsapps-privacy-policy-update/?lang=en)
114. According to the DE-HH SA, this Privacy Policy entails that in the future, data will also be exchanged
between WhatsApp IE and Facebook IE for marketing purposes, which Facebook IE can use for its own
purposes, in particular for profiling106.
115. As regards the legal basis for the processing of personal data for marketing communications and direct
marketing, the DE-HH SA makes reference to the fact that WhatsApp IE claims to rely on the legitimate
interests of WhatsApp IE, as well as the legitimate interests of a third party, including Facebook IE. The
DE-HH SA points out that “legitimate interests” are not further differentiated despite the update on
15 May 2021107. Therefore, the DE-HH SA finds it not clear whose legitimate interests would be
assumed in case of marketing communications and which categories of data are used in connection
with the processing for direct marketing purposes. Moreover, the DE-HH SA underlines that under
"Third Party Providers", purposes are again listed that do not have to be exclusively those pursued by
WhatsApp IE alone, but could also fall under the common purposes of WhatsApp IE and third parties
such as Facebook, e.g. "to help you connect with businesses using our services”108. In its Privacy
Policy, as an example of legitimate interest, WhatsApp IE mentions “providing an innovative, relevant, safe,
and profitable service to our users and partners”109.
116. As pointed out by the DE-HH SA110, in WhatsApp’s privacy policy of 24 April 2018
(https://www.whatsapp.com/legal/privacy-policyeea), WhatsApp explained the following regarding
the legal basis for marketing communications under "How we process your information" (emphasis
added by the DE-HH SA): "Our legitimate interests or the legitimate interests of a third party, unless your interests or
fundamental rights and freedoms prevail ("legitimate interests"):
[…]
o To provide you with marketing communications.
o These are the legitimate interests on which we rely for this processing: To promote
Facebook companies' products and publish direct marketing."
117. The DE-HH SA underlined that while WhatsApp IE referred in the past to the "publication" of direct
advertising, in the Updated Terms WhatsApp IE refers to “sending” direct advertising111. According to
the DE-HH SA, this update seems to change the way and the form in which direct marketing is sent to
users: “The mailing suggests an even more targeted approach to the person concerned, especially by
third parties”112.
4.1.4.2 Analysis of the EDPB
118. The EDPB assessed the marketing purpose in relation to the alleged unlawful processing of WhatsApp
user data by Facebook IE as a controller, and in relation to the alleged infringement of the transparency
requirements in WhatsApp’s user-facing information. The EDPB took into account the views of the
DE-HH SA, as well as the position expressed by both Facebook IE and WhatsApp IE.
106 DE-HH SA Order, p. 20.
107 DE-HH SA Order, p. 23.
108 DE-HH SA Order, p. 24.
109 WhatsApp’s Privacy Policy, section “Our Legal Basis For Processing Data”.
110 DE-HH SA Order, p. 22.
111 DE-HH SA Order, p. 23.
112 DE-HH SA Order, p. 24.
4.1.4.2.1 On the alleged unlawful processing of WhatsApp user data by Facebook IE as a
controller
119. After comparing the old and updated version of WhatsApp’s user-facing information, the EDPB
concludes that the changes made by WhatsApp in relation to the processing of personal data for
marketing communications and direct marketing are quite limited in their scope.
120. In relation to marketing, the EDPB notes the following descriptions provided in the relevant extracts
from WhatsApp’s Privacy Policy, in particular in the section “How We Use Information”113 (emphasis
added underlined):
How We Use Information
“We use information we have (subject to choices you make and applicable law) to operate,
provide, improve, understand, customize, support, and market our Services”.
“Communications About Our Services And The Facebook Companies. We use information we
have to communicate with you about our Services and let you know about our terms, policies,
and other important updates. We may provide you marketing for our Services and those of the
Facebook Companies.”
How We Work With Other Facebook Companies
WhatsApp also works, and shares information with the other Facebook Companies who act on
our behalf to help us operate, provide, improve, understand, customise, support, and market our
Services.
Third Party Information
Third-Party Service Providers. We work with third-party service providers and the Facebook
companies to help us operate, provide, improve, understand, customize, support, and market our
Services
WhatsApp Provision Of The Services In Accordance With The Terms
We rely on our legitimate interests or the legitimate interests of a third party where they are not
outweighed by your interests or fundamental rights and freedoms ("legitimate interests"):
Why And How We Process Your Data:
For providing measurement, analytics, and other business services where we are processing data
as a controller.
• Legitimate Interests Relied On:
• For providing marketing communications to you.
• Legitimate Interests Relied On: The legitimate interests we rely on for this processing
are: To promote Facebook Company Products and send direct marketing.
121. WhatsApp’s Privacy Policy clearly indicates WhatsApp IE uses data to provide marketing for its services
and those of Facebook Companies. This element does not per se imply its sharing of data to Facebook
IE, with Facebook IE acting as data controller.
113 https://www.whatsapp.com/legal/updates/privacy-policy/?lang=en .
122. The EDPB takes into account also Facebook IE’s position, which informed the DE-HH SA that, although
WhatsApp’s Privacy Policy enables it to engage in sending direct marketing to WhatsApp’s EU users,
to promote WhatsApp IE’s or Facebook IE’s products and services, it currently does not do it in practice
and that “It is included in the Privacy Policy should WhatsApp IE decide to commence this processing
(which is a standard form of processing for most companies) in the future”114.
123. On the basis of the above excerpts from WhatsApp’s user-facing information, it can also be concluded
that WhatsApp IE works with third parties and the other Facebook Companies for marketing purposes.
However, there is not enough evidence to prove that the exchange of data is taking place and that in
the context of such alleged processing, Facebook IE acts as a controller or a joint controller. At the
same time, it should be underlined that WhatsApp’s user-facing information refers to the legitimate
interest of third parties as the legal basis and does not explicitly exclude the possibility of sharing of
data with Facebook IE for the latter’s direct marketing purposes.
124. Based on the information provided by the DE-HH SA, as well as WhatsApp IE and Facebook IE’s written
submissions, it can be concluded that in relation to the processing of personal data for marketing
communications and direct marketing, Facebook IE is planning to act, at least as a processor, on behalf
of WhatsApp IE. At the same time, the information analysed by the EDPB does not reveal that a data
exchange is currently taking place and that Facebook IE processes data of WhatsApp’s users for its own
marketing purposes. However, the description of the services and of the roles provided in WhatsApp’s
user-facing information is not clear. This matter thus requires further investigation.
125. In conclusion, the EDPB understands the concerns raised by the DE-HH SA on the need to closely
analyse the roles and legal qualification of the parties involved in the processing of WhatsApp’s user
data for marketing purposes. However, the EDPB does not have sufficient information in the present
procedure to conclude whether Facebook IE is acting as a controller of WhatsApp user data for the
purpose of marketing communication and direct marketing.
126. Taking into consideration the lack of clarity in the information part of the file as regards how data are
processed, the EDPB calls upon the IE SA to further investigate the role of Facebook IE, i.e. whether
Facebook IE acts as a processor or as a (joint) controller, with respect to the processing of WhatsApp
user personal data for marketing purposes, taking into due account the matters indicated above by
the EDPB.
4.1.4.2.2 On the alleged infringement of the transparency obligations under GDPR
127. The EDPB takes note of the concerns of the DE-HH SA regarding the transparency requirements, in
particular in relation to the processing of data for marketing purposes and the fact that WhatsApp’s
user-facing information is not transparent on which categories of data are used for the marketing
communications115. However, the EDPB underlines that WhatsApp IE’s user-facing information is
currently subject to a one stop shop procedure led by the IE SA that is due to come to an end shortly.
4.1.5 WhatsApp Business API
4.1.5.1 Summary of the position of the DE-HH SA
128. The DE-HH SA notes that WhatsApp’s user data are also processed, or may be processed, for the
general purpose of providing the so-called “WhatsApp Business API”. “WhatsApp Business API”
enables companies to use WhatsApp in their corporate communication systems and to communicate
with their contacts and customers. Those companies may rely on third party hosting services to
manage their messaging function on their behalf. Facebook IE plans to start offering the WhatsApp
Business API service later this year116, i.e. it would host and operate a WhatsApp business client,
something that, according to Facebook IE, other service providers already do117.
114 Facebook IE response to the DE-HH SA hearing before issuing the DE-HH SA Order of 10 May 2021, dated 25 April 2021, p.12-13.
115 DE-HH SA Order, p. 24.
129. Facebook IE assured the DE-HH SA that these services would not be offered under the Updated Terms
coming into effect, and committed to not launch them in Germany (or the EU) without an additional
briefing of the IE SA, in its capacity as LSA.118
130. According to Facebook IE, the Updated Terms aim to clarify inter alia that Facebook IE will, in the
future, be one of the service providers that businesses can choose from when implementing the
WhatsApp Business API119. Facebook IE underlined that the hosting and operation of a WhatsApp
business client by Facebook IE will be completely optional for businesses and will be offered by
Facebook IE to businesses in a manner whereby Facebook IE will act as a processor on behalf of and
under the instructions of such business customers120. Furthermore, according to Facebook IE, it is clear
from WhatsApp’s encryption FAQ121 that the business becomes a controller of any messages it receives
from its customers on WhatsApp and that “it is the business’ responsibility to comply with any
applicable legal requirements and terms”122.
131. According to the DE-HH SA, the data protection regulations concerning Facebook Business Tools, i.e.
the Facebook Controller Addendum123, regulate the joint responsibility between the companies and
Facebook IE124. The DE-HH SA notes that WhatsApp, in its Business Data Processing Terms125, considers
the use of the WhatsApp Business API as a contract processing126. However, since WhatsApp offers
businesses their presence on WhatsApp, which is comparable to a Facebook page, the DE-HH SA
considered that a joint controllership should be applied, in light of the CJEU rulings
Wirtschaftsakademie and Fashion ID127.
132. The DE-HH SA notes that Facebook IE receives, via Facebook Business Tools, business tool data in the
form of impression data sent from Facebook social plugins (such as the "Like" and "Share" buttons)
and from Facebook Login, as well as from certain APIs such as Messenger Customer Match via the Send
API128.
133. According to the DE-HH SA, once Facebook IE starts helping businesses to set up, host, and operate a
WhatsApp business client (WhatsApp Business API), “WhatsApp users' communications with
companies that can be reached on WhatsApp will become available to Facebook in plain text without
end-to-end encryption”.129 The DE-HH SA is of the opinion that the way in which WhatsApp IE refers to
these circumstances in its Updated Terms is “non-transparent” and “partly contradictory”130.
116 Facebook’s written submissions to the DE-HH SA, p. 14, para. 2.31.
117 Facebook’s written submissions to the DE-HH SA, p. 14, para. 2.31; Facebook’s written submissions to the EDPB dated 25 June 2021, p. 26, para. 37.
118 Facebook’s written submissions to the DE-HH SA, section 1.1, G, p. 5; Facebook’s written submissions to the EDPB dated 25 June 2021, footnote 31.
119 Facebook’s written submissions to the DE-HH SA, p. 14, para. 2.32.
120 Facebook’s written submissions to the DE-HH SA, p. 14, para. 2.31.
121 https://faq.whatsapp.com/general/security-and-privacy/end-to-end-encryption.
122 Facebook’s written submissions to the DE-HH SA, p. 15, para. 2.32.
123 https://www.facebook.com/legal/controller_addendum.
124 DE-HH SA Order, Section II.2) ee), p. 24.
125 https://www.whatsapp.com/legal/business-data-processing-terms
126 https://www.whatsapp.com/legal/business-data-processing-terms
127 The DE-HH SA refers to CJEU, C-210/16, Wirtschaftsakademie, ECLI:EU:C:2018:388 and C-40/17, Fashion ID, ECLI:EU:C:2019:629.
128 https://www.facebook.com/legal/terms/businesstools/
134. The DE-HH SA considers that it is unclear from the wording of WhatsApp’s FAQ page131 summarising
information about the Updated Terms that "personal conversations" protected by end-to-end
encryption include only those that are not conducted with companies via a vendor and not all
conversations of private users132.
135. According to the DE-HH SA, from the terms of the WhatsApp Privacy Policy133, “it is hardly discernible
that with regard to a communication with companies using the WhatsApp business client, there is no
end-to-end encryption of the messages and Facebook Ireland Ltd. can be granted access to information
on messages and their content”. The DE-HH SA quotes in particular parts of WhatsApp’s Privacy Policy
(‘Information You Provide’) where it is stated that WhatsApp IE does not retain users’ messages in the
ordinary course of providing its services, but there is a description of two situations where WhatsApp
IE may store its users’ messages in the course of delivering them, i.e. for undelivered messages and
media forwarding134. The DE-HH SA then compared this information with the information provided by
WhatsApp on its Encryption FAQ webpage under the title “About end-to-end encryption”, and more
specifically, to the sections entitled “Personal Messaging” and “Business Messaging”135. The DE-HH SA
considered that “for WhatsApp users, it remains unclear in which situations their personal data and
message content are processed by Facebook Ireland Ltd” because “different, sometimes contradictory
information is communicated to them at different levels”136.
136. Furthermore, according to the DE-HH SA, it is not apparent to WhatsApp IE’s users when they
communicate with Facebook IE as a vendor, and whether their data found in the specific
communication can be used for advertisements on Facebook137. The DE-HH SA was of the opinion that
WhatsApp IE “ultimately intends, on the basis of its amended terms of service, to transmit message
content to Facebook Ireland Ltd. with the purpose of enabling Facebook Ireland Ltd. to personalise
advertisements” and referred to Facebook IE and WhatsApp IE as to “both data controllers”.138
137. The DE-HH SA reached the conclusion that it was not made transparent to WhatsApp’s users that the
processing operations of WhatsApp IE and Facebook IE will “merge even more with each other through
the new business model”139 and that the legal basis for such data processing by Facebook IE was not
sufficiently clear from the Updated Terms.
138. According to Facebook IE, the allegation that WhatsApp IE plans to share message content with
Facebook IE to enable the personalisation of advertising on Facebook cannot be derived from the
wording of the FAQ on encryption and ensures that every message sent on WhatsApp uses the same
industry leading signal protocol that protects messages from before they are sent until they are
delivered to the intended recipient, meaning that WhatsApp IE cannot grant access to Facebook IE or
any other third party to such content140.
129 DE-HH SA Order, Section II.2) ee), p. 25
130 DE-HH SA Order, Section II.2)ee), p. 25, para. 2.
131 https://faq.whatsapp.com/general/security-and-privacy/were-updating-our-terms-and-privacy-policy/
132 DE-HH SA Order, Section II.2)ee), p. 25, para. 3.
133 https://www.whatsapp.com/legal/updates/privacy-policy-eea (footnote 25 of the DE-HH SA Order)
134 DE-HH SA Order, Section II.2)ee), pp. 25-26.
135 https://faq.whatsapp.com/general/security-and-privacy/end-to-end-encryption/
136 DE-HH SA Order, Section II.2)ee), p. 26.
137 DE-HH SA Order, Section II.2)ee), p. 27.
138 DE-HH SA Order, Section II.2)ee), p. 26.
139 DE-HH SA Order, Section II.2)ee), p. 26, last para.
4.1.5.2 Analysis of the EDPB
139. The EDPB assessed the WhatsApp Business API purpose in relation to the alleged unlawful processing
of WhatsApp IE’s user data by Facebook IE as a controller, as well as in relation to the alleged
infringement of the transparency requirements in WhatsApp’s user-facing information. The EDPB took
into account the views of the DE-HH SA, as well as the position expressed by both Facebook IE and
WhatsApp IE.
4.1.5.2.1 On the alleged unlawful processing of WhatsApp user data by Facebook IE as a controller
140. The EDPB analysed the documents referred to in the DE-HH SA Order with regard to the alleged
unlawful processing of WhatsApp’s user data by Facebook IE as a controller for the provision of
WhatsApp Business API.
141. The EDPB notes that WhatsApp’s Privacy Policy provides the following information (emphasis added
underlined):
“How we use information
[...] Business Interactions. We enable you and third parties, like businesses, to communicate
and interact with each other using our services, such as Catalogs for businesses on WhatsApp
through which you can browse products and services and place orders. Businesses may send
you transaction, appointment, and shipping notifications; product and service updates; and
marketing. For example, you may receive flight status information for upcoming travel, a
receipt for something you purchased, or a notification when a delivery will be made. Messages
you receive from a business could include an offer for something that might interest you. We
do not want you to have a spammy experience; as with all of your messages, you can manage
these communications, and we will honor the choices you make.
Information You And We Share
[...] Businesses On WhatsApp. We offer specific services to businesses such as providing them
with metrics regarding their use of our services.
Third-Party Information
[...] Businesses On WhatsApp. Businesses you interact with using our Services may provide us
with information about their interactions with you. We require each of these businesses to act
in accordance with applicable law when providing any information to us.
When you message with a business on WhatsApp, keep in mind that the content you share may
be visible to several people in that business. In addition, some businesses might be working
with third-party service providers (which may include Facebook) to help manage their
communications with their customers. For example, a business may give such third-party
service provider access to its communications to send, store, read, manage, or otherwise
process them for the business. To understand how a business processes your information,
including how it might share your information with third parties or Facebook, you should review
that business’ privacy policy or contact the business directly.
Information you provide
[...] We offer end-to-end encryption for our Services. End-to-end encryption means that your
messages are encrypted to protect against us and third parties from reading them. Learn more
about end-to-end encryption and how businesses communicate with you on WhatsApp. [...]
140 Facebook’s written submissions to the DE-HH SA, p. 14 para. 2.29 and 2.30.
142. The EDPB also considered the information provided on WhatsApp’s IE FAQ page which summarises the
changes made to the Updated Terms. The following extract is quoted by the DE-HH SA in the DE-HH
SA Order141 (emphasis added underlined):
“[...] Our commitment to your privacy isn’t changing. Your personal conversations are still
protected by end-to-end encryption, which means no one outside of your chats, not even
WhatsApp or Facebook, can read or listen to them.142 [...] ”
143. In addition, the EDPB takes note of the following extract which can be read on WhatsApp FAQ Page
“About end-to-end encryption”143 (emphasis added underlined):
Personal Messaging
WhatsApp's end-to-end encryption is used when you chat with another person using WhatsApp
Messenger. End-to-end encryption ensures only you and the person you're communicating with
can read or listen to what is sent, and nobody in between, not even WhatsApp. This is because
with end-to-end encryption, your messages are secured with a lock, and only the recipient and
you have the special key needed to unlock and read them. All of this happens automatically: no
need to turn on any special settings to secure your messages.
Business Messaging
Every WhatsApp message is protected by the same Signal encryption protocol that secures
messages before they leave your device. When you message a WhatsApp business account,
your message is delivered securely to the destination chosen by the business.
WhatsApp considers chats with businesses that use the WhatsApp Business app or manage and
store customer messages themselves to be end-to-end encrypted. Once the message is
received, it will be subject to the business’s own privacy practices. The business may designate
a number of employees, or even other vendors, to process and respond to the message.
Some businesses will be able to choose WhatsApp’s parent company, Facebook, to securely
store messages and respond to customers. While Facebook will not automatically use your
messages to inform the ads that you see, businesses will be able to use chats they receive for
their own marketing purposes, which may include advertising on Facebook. You can always
contact that business to learn more about its privacy practices.
141 WhatsApp’s FAQ page referred to by the DE-HH SA in the DE-HH SA Order, p. 25.
142 https://faq.whatsapp.com/general/security-and-privacy/were-updating-our-terms-and-privacy-policy/ . The DE-HH SA uses a translation of this extract which is slightly different than the original English version (DE-HH SA Order, Section II.2) ee), p. 25).
143 https://faq.whatsapp.com/general/security-and-privacy/end-to-end-encryption/ referred to by the DE-HH SA in the DE-HH SA Order, p. 26.
144. The EDPB took into account the allegations of the DE-HH SA, as well as the views expressed by both
Facebook IE and WhatsApp IE.
145. The EDPB notes that despite the wording already provided in WhatsApp’s public-facing information, Facebook IE indicated that Facebook IE is not providing the WhatsApp Business API service yet and
plans to start offering it later this year144. In addition, the EDPB takes note of the fact that Facebook IE
committed, both in its submissions to the DE-HH SA before the issuing of the provisional measures and
in its submissions to the EDPB, that it will not launch the service in the EU without prior consultation
with the LSA and that, in any event, Facebook IE would only act as a processor on behalf of the
businesses using the WhatsApp Business API service145.
146. In conclusion, the EDPB understands the concerns raised by the DE-HH SA on the need to closely
analyse the roles and legal qualification of the parties. The Board is concerned that a potential merging
of the WhatsApp IE and Facebook IE processing operations and infrastructures for the provision of
WhatsApp Business API would in practice lead to Facebook IE processing of WhatsApp’s user data for
its own purposes, such as for personalising advertisements. Bearing in mind that Facebook’s business
model is to a large extent based on advertising, the Board takes the view that the LSA should further
closely investigate the roles that WhatsApp IE, Facebook IE and the businesses concerned would play
in the context of the WhatsApp Business API in order to verify their compliance with the GDPR.
147. However, the Board considers that, at this stage, it does not have sufficient information in the present
procedure to establish with certainty that Facebook IE already started or will soon start processing
WhatsApp’s user data in the context of the WhatsApp Business API service as a controller.
148. Therefore, the Board calls upon the LSA to assess the role of Facebook IE, i.e. whether Facebook IE
acts as a processor or as a (joint) controller, with respect to the processing of WhatsApp user personal
data in the context of the WhatsApp business API. The LSA should further analyse the situations in
which businesses decide to rely on Facebook for advertisements and determine whether Facebook
IE, when using the content of messages sent via WhatsApp to businesses, would be acting as (joint)
controller.
4.1.5.2.2 On the alleged infringement of the transparency obligations under GDPR
149. The EDPB would first like to stress the lack of consistency between the assurance provided by Facebook
IE to not launch this process without an additional briefing of the IE SA, in its capacity as LSA146 and the
content of WhatsApp’s user-facing information, which should provide reliable, up-to-date information
and reflect WhatsApp IE and Facebook IE’s current roles in the provision of the WhatsApp Business
API.
150. The EDPB takes note of the concerns of the DE-HH SA regarding the transparency requirements, in
particular in relation to the WhatsApp Business API services. However, the EDPB underlines that
WhatsApp’s public-facing information is currently subject to a one-stop-shop procedure led by the IE
SA due to come to an end soon.
144 Facebook’s written submissions to the DE-HH SA, section 2.31, p. 14.
145 Facebook’s written submissions to the DE-HH SA, section 1.1, G, p.5; Facebook’s written submissions to the EDPB dated 25 June 2021, footnote 31.
146 Facebook’s written submissions to the DE-HH SA, section 1.1, G, p. 5; Facebook’s written submissions to the EDPB dated 25 June 2021, footnote 31.
4.1.6 Cooperation with other Facebook Companies
4.1.6.1 Summary of the position of the DE-HH SA
151. The DE-HH SA notes that WhatsApp IE, in its public-facing information, claims that when it receives
services from the other Facebook Companies, WhatsApp IE’s user data are processed by the other
Facebook Companies on behalf of WhatsApp IE and according to its instructions147. However, the DE-HH SA
considered that “The extent to which data is transferred and processed by Facebook Ireland Ltd.
for the various purposes is not clear from the terms and conditions”. Besides, the DE-HH SA noted that
the condition "when we receive services from other Facebook Companies" remains unclear and
“obviously does not refer to cases in which the exchange of data takes place for common purposes or
for the purposes of the other Facebook companies”.148
152. The DE-HH SA is of the opinion that due to the wording "some device information" and "some of your
usage information" it is unclear which categories of data are concerned, and it is also unclear why the
aforementioned data processed by Facebook IE are needed for the purpose of receiving services from
the other Facebook Companies.149 The DE-HH SA also noted that “After all, this includes the phone
number and account and device information, which are only mentioned by way of example, suggesting
that further personal data is shared”150.
153. According to the DE-HH SA, it can be reasonably assumed, on the basis of the statements included in
WhatsApp’s public-facing information, that a number - if not all - personal data collected by WhatsApp
IE on its users are already shared or could be shared at any time and used across the other Facebook
Companies, including by Facebook IE, for their own purposes151, including for cooperation.
147 DE-HH SA Order, Section II.2)aa), p. 16. and p. 18 refers to WhatsApp Privacy Policy’s section “How We Work With Other Facebook Companies”.
148 DE-HH SA Order, Section II.2)aa), p. 18.
149 DE-HH SA Order, Section II.2)aa), p. 17.
150 DE-HH SA Order, Section II.2)aa), p. 17.
151 DE-HH SA Order, Section II.2)aa), p. 16.
4.1.6.2 Analysis of the EDPB
154. The EDPB assessed the cooperation with the other Facebook Companies purpose in relation to the
alleged unlawful processing of WhatsApp’s user data by Facebook IE as a controller, as well as in
relation to the alleged infringement of the transparency requirements in WhatsApp’s user-facing
information. The EDPB took into account the views of the DE-HH SA, as well as the position expressed
by both Facebook IE and WhatsApp IE.
4.1.6.2.1 On the alleged unlawful processing of WhatsApp user data by Facebook IE as a controller
155. The EDPB notes that WhatsApp’s FAQ “How we work with the Facebook Companies” provides the
following information:
“Why does WhatsApp share information with the Facebook Companies?
WhatsApp works and shares information with the other Facebook Companies to receive services like
infrastructure, technology, and systems that help us provide and improve WhatsApp and to keep
WhatsApp and the other Facebook Companies safe and secure. When we receive services from the
Facebook Companies, the information we share with them is used to help WhatsApp in accordance
with our instructions. Working together allows us for example to:
• Provide you fast and reliable messaging and calls around the world and understand how our
Services and features are performing.
• Ensure safety, security, and integrity across WhatsApp and the Facebook Company Products
by removing spam accounts and combating abusive activity.
• Connect your WhatsApp experience with Facebook Company Products.
What information does WhatsApp share with the Facebook Companies?
In order to receive services from the Facebook Companies, WhatsApp shares the information we
have about you as described in the “Information We Collect” section of the Privacy Policy. For
example, to provide WhatsApp with analytics services, Facebook processes the phone number you
verified when you signed up for WhatsApp, some of your device information (your device identifiers
associated with the same device or account, operating system version, app version, platform
information, your mobile country code and network code, and flags to enable tracking of the
update acceptance and control choices), and some of your usage information (when you last used
WhatsApp and the date you first registered your account, and the types and frequency of your
features usage) on WhatsApp’s behalf and in accordance with our instructions. [...]
Whose WhatsApp information is shared with the Facebook Companies for these purposes?
We share information for all WhatsApp users if they choose to use our Services. This may include
those WhatsApp users who are not Facebook users because we need to have the ability to share
information for all of our users, if necessary, in order to be able to receive valuable services from
the Facebook Companies and fulfill the important purposes described in our Privacy Policy and this
article.
In all cases, we share the minimum amount of information that is needed to fulfill these purposes. We also ensure that the information we share is up to date, so if you choose to update your
WhatsApp phone number, for example, that number will also be updated by the members of the
Facebook family who have received it from us.
Importantly, WhatsApp does not share your WhatsApp contacts with Facebook or any other
members of the Facebook Companies for use for their own purposes, and there are no plans to do
so.”
156. The EDPB also took into account the following extracts from WhatsApp’s Privacy Policy:
“Information We Collect
WhatsApp must receive or collect some information to operate, provide, improve, understand,
customize, support, and market our Services, including when you install, access, or use our Services.
The types of information we receive and collect depend on how you use our Services. [...]
How We Work With Other Facebook Companies
“When we receive services from the Facebook Companies, the information we share with them is
used on WhatsApp’s behalf and in accordance with our instructions. Any information WhatsApp
shares on this basis cannot be used for the Facebook Companies’ own purposes.
We’ve set out further information in our Help Center about how WhatsApp works with the
Facebook Companies.”
157. The EDPB further notes that in its Order the DE-HH SA quoted the following extracts from Facebook’s
privacy statement152:
"How do Facebook companies work together?
"Facebook and Instagram share infrastructure, systems and technology with other Facebook
companies (including WhatsApp and Oculus) to deliver an innovative, relevant, consistent and
secure experience across all of the Facebook companies' products that you use. For these purposes,
we also process information about you across Facebook companies as permitted by applicable law
and in accordance with their terms and policies. For example, we process information from
WhatsApp regarding accounts that send spam on the service so that we can take appropriate
action against such accounts on Facebook, on Instagram or in Messenger. We also try to find out
how people use and interact with Facebook companies' products, for example to find out about the
number of individual users on different Facebook companies' products."
Regarding the term "Facebook company", Facebook states153:
"In addition to the services offered by Facebook Inc. and Facebook Ireland Ltd, Facebook owns and
operates all of the companies listed below in accordance with their respective terms of service and
privacy policies. We may share information about you within our group of companies in order to
facilitate, support and integrate their activities and to improve our services.
For more information about the privacy practices of Facebook companies and how they handle user
information, please see the links below:
• Facebook Payments Inc. (https://www.facebook.com/payments_terms/privacy) and Facebook
Payments International Limited (https://www.facebook.com/payments_terms/EU_privacy)
• Onavo (http://www.onavo.com/privacy_policy)
• Facebook Technologies, LLC and Facebook Technologies Ireland Limited
(https://www.oculus.com/store-dp/).
• WhatsApp Inc. and WhatsApp Ireland Limited (http://www.whatsapp.com/legal/#Privacy).
• CrowdTangle (https://www.crowdtangle.com/privacy)”
158. The EDPB concludes that, for the processing described by the DE-HH SA, there are not enough
elements allowing to conclude that Facebook IE is processing or is going to process WhatsApp’s user
data for its own purposes. While Facebook IE, in its submissions to the EDPB, explicitly states that the
alleged processing is not taking place, the DE-HH SA fails to provide concrete arguments proving the
contrary and does not sufficiently identify the processing at stake.
159. However, due to the lack of sufficient clarity and transparency in WhatsApp’s public-facing
information, the EDPB considers it to be extremely difficult, if not impossible, to have a complete
overview of the purposes of processing made under the framework for cooperation with the other
Facebook Companies (additional to the ones already identified by the EDPB under Sections 4.1.2, 4.1.3., 4.1.4. and 4.1.5) and to verify whether Facebook IE only acts as a processor on behalf of
WhatsApp IE for those purposes.
160. Therefore, the Board calls upon the LSA to carry out an investigation to clarify the processing for the
purpose of cooperation with the other Facebook Companies and to analyse the processing roles of
different parties involved, in particular to verify whether Facebook IE acts as a processor or as a (joint)
controller with respect to such processing of WhatsApp user personal data.
152 DE-HH SA Order, Section II.2)ee), p. 15.
153 https://www.facebook.com/help/111814505650678?ref=dp. DE-HH SA Order, footnote 10, p. 15.
4.1.6.2.2 On the alleged infringement of the transparency obligations under GDPR
161. Although it cannot be established that Facebook IE acts as a controller for the purpose of cooperation
with other Facebook Companies, the EDPB shares the DE-HH SA’s concerns on the lack of clarity and
transparency in WhatsApp’s user-facing information.
162. However, the EDPB underlines that WhatsApp’s public-facing information is currently subject to a one-stop-shop procedure led by the IE SA due to come to an end soon.
4.1.7 Conclusion
163. The EDPB considers that it does not have sufficient information in the present procedure to conclude
whether infringements are taking place.
4.2 On the existence of urgency to adopt final measures by way of derogation from
the cooperation and consistency mechanisms
164. The second main element to assess on the need for the EDPB to order the adoption of final measures
is the existence of an urgent situation for the protection of the rights and freedoms of data subjects, which requires the application of Article 66(2) GDPR by way of derogation from the regular
consistency and cooperation mechanisms.
165. The possible urgent intervention of the EDPB under Article 66(2) GDPR is exceptional and derogates
from the general rules applicable to the consistency or cooperation mechanisms, such as the one-stop-shop procedure.
166. In the present procedure, the EDPB has to urgently decide and possibly request an SA to adopt final
measures to be imposed on a controller or processor. Conversely, the one-stop-shop procedure
provides some time for the LSA and CSAs to cooperate before the LSA’s preparation of its draft decision
and during the consultation phases provided under paragraphs 4 and 5 of Article 60 GDPR.
167. Considering the fact that the urgency procedure under Article 66(2) GDPR is a derogation to the
standard consistency and cooperation mechanisms, it must be interpreted restrictively. Therefore, the
EDPB will request final measures under Article 66(2) only if the regular cooperation or consistency
mechanisms cannot be applied in their usual manner due to the urgency of the situation.
168. According to Recital 137 GDPR “there may be an urgent need to act in order to protect the rights and
freedoms of data subjects, in particular when the danger exists that the enforcement of a right of a
data subject could be considerably impeded”. While this recital relates to provisional measures based
on Article 66(1) GDPR, the adoption of final measures pursuant to Article 66(2) GDPR also requires the
existence of urgency, even if the threshold to establish the urgency in that case is higher than in Article
66(1) GDPR situations.
169. The EDPB further considers that the nature, gravity and duration of an infringement, as well as the
number of data subjects affected and the level of damage suffered by them, may play an important
part when deciding whether or not there is an urgent need to act in a particular case.
170. The GDPR provides for two situations for which the urgency is presumed and does not have to be
demonstrated, namely in accordance with Article 62(7) GDPR and Article 61(8) GDPR. The EDPB will
therefore first examine whether a legal presumption is applicable in this particular case, and if not,
whether there is the existence of urgency in the case at hand.
4.2.1 Possible application of a legal presumption of urgency justifying the need to derogate
from the cooperation and consistency mechanisms
4.2.1.1 Summary of the position of the DE-HH SA
171. The DE-HH SA considers that Article 61(8) GDPR is applicable in this case154. Under Article 61(8) GDPR,
an urgency is presumed when the SA subject to an information and mutual assistance request from
another SA has not provided the information required by Article 61(5) GDPR within one month.
172. In the case at hand, the IE SA shared the Updated Terms with the CSAs on 8 December 2020 using the
IMI system, which gave rise to various follow-up questions that the DE-HH SA and other CSAs asked
the IE SA in the IMI system. According to the DE-HH SA, the IE SA responded to the DE-HH SA’s letter
of 14 January 2021 "by forwarding all the questions asked” by the CSAs to WhatsApp IE “and playing
back WhatsApp's answers. The IE SA did not communicate its own position on the [DE-HH SA’s]
questions or WhatsApp IE's answers155”.
173. The DE-HH SA responded to this with a letter to the IE SA on 12 February 2021 and urged the IE SA, as
the LSA, to conduct its own investigations in order to clear up various ambiguities that remained even
after the letter of WhatsApp IE of 5 February 2021. The DE-HH SA underlined that WhatsApp IE and
Facebook IE “are sharing data for different purposes of each company156” and that “a legal ground for
this cannot be seen157”. The DE-HH SA explicitly pointed out that “in case no deeper inspection was
carried out by the [IE SA] as lead authority, we give notice of the possibility of an urgency procedure
pursuant to Art. 66 GDPR158”.
174. However, according to the DE-HH SA, “there was no reaction to this request in the form of a statement
by the [IE SA] or the opening of an investigation. Rather, the [IE SA] was content of forwarding the
letters of various supervisory authorities and with sharing the response letters. The [IE SA] forwarded
WhatsApp response letter of 24 February 2021 without comments. Even after a last request from [the
DE-HH SA] on 4 March 2021, the [IE SA] did not comment on whether or not it intended to initiate a
corresponding investigation159”. According to the DE-HH SA’s formal request to the EDPB to adopt an
urgent binding decision, the IE SA did not respond to that date to the DE-HH SA's request to investigate
the actual processing operations and data exchange between WhatsApp IE and Facebook IE.
175. In sum, in view of the DE-HH SA, the urgency of the case must therefore already be presumed based
on procedural reasons: the DE-HH SA considers to have sent a large number of questions regarding the
Updated Terms to the LSA within the framework of the mutual assistance procedure initiated by the
IE SA, without having received a response from the IE SA within the meaning of Article 61(5) of the
GDPR.
154 DE-HH SA's letter of 3 June 2021 to the EDPB Chair, requesting an urgent binding decision pursuant to Article 66(2) GDPR, p. 9.
155 DE-HH SA Order, p. 12.
156 DE-HH SA's letter of 12 February 2021 to the IE SA.
157 Ibidem.
158 Ibidem.
159 DE-HH SA Order, p. 12.
4.2.1.2 EDPB analysis
176. Article 61(9) GDPR provides the possibility for the European Commission (hereinafter the “EC”) to
specify, by means of implementing acts, the format and procedures for mutual assistance and the
arrangements for the exchange of information by electronic means between SAs. On 16 May 2018, the
EC adopted an implementing act relating to the use of the EC Internal Market Information system for
GDPR consistency and cooperation procedures, including for Article 61 GDPR mutual assistance
requests (IMI system).160
177. The IMI system provides for a procedure relating to formal Article 61 GDPR requests, technically
implementing the legal deadline of one month to reply. Following a request made by the EDPB
members, the IMI system also includes a procedure relating to “Voluntary Mutual Assistance requests”
(“VMA requests”). This procedure allows an SA to informally ask to or share information with the other
SAs (in accordance with Article 57(1)(g) GDPR). Unlike formal Article 61 GDPR requests, the SA
receiving a VMA request does not have a legal obligation to answer to that request.
178. The EDPB notes that all the communications between the LSA and the DE-HH SA were made by using
the procedure for VMA requests. This VMA request was first initiated by the IE SA when it shared the
Updated Terms on 8 December 2020 with the CSAs, and all the further exchanges between the LSA
and the DE-HH SA were made within this framework. The DE-HH SA did not formally launch an Article
61 GDPR request in the IMI system to the LSA, but merely sent a letter replying to the VMA request
flow initiated by the IE SA.
179. Furthermore, following the DE-HH SA’s hearing letter sent to Facebook IE on 12 April 2021, the LSA
wrote on 19 April 2020 to the CSAs to inform them that in its view, “[...] the substance of the text of
the revised WhatsApp [IE] privacy policy is largely a carryover of the text of the existing policy and no
new text signifying any change in WhatsApp’s position is included regarding the sharing of WhatsApp
user data with Facebook or access by Facebook for Facebook’s own purposes”. The IE SA also informed
the CSAs that “in March 2021 the DPC commenced a supervision review and assessment of WhatsApp
Ireland’s oversight and monitoring of its data processors (chiefly Facebook), including the safeguards,
mechanisms and audit processes in place to ensure that Facebook does not use WhatsApp Ireland user
data for its own purposes, inadvertently or otherwise”.
180. In light of the above, the EDPB considers that the DE-HH SA has not demonstrated that the LSA failed
to provide information in the context of a formal request for mutual assistance under Article 61 GDPR.
181. The EDPB therefore considers that Article 61(8) GDPR is not applicable in this specific case. Accordingly, the urgent nature of the DE-HH SA’s Article 66(2) GDPR request cannot be presumed
and needs to be demonstrated.
4.2.2 Existence of urgency outside any GDPR legal presumption and the need to derogate
from the cooperation and consistency mechanisms
4.2.2.1 Summary of the position of the DE-HH SA
182. According to the DE-HH SA, the urgent need for adoption of final measures goes hand in hand with the
urgency for provisional measures under Article 66(1) GDPR and the risk of serious and irreparable harm
for the rights and freedoms of data subjects without the adoption of final measures. The DE-HH SA
considers that the Updated Terms lead to a more intensive use of WhatsApp’s user data by Facebook
IE, such as location information or message content without a transparent and reasonable legal basis. The DE-HH SA considers that Facebook IE’s infringement of Articles 5(1), 6(1) and 12(1) GDPR will
continue if no final measure is adopted.161
160 See EC Implementing Decision (EU) 2018/743 of 16 May 2018 on a pilot project to implement the administrative cooperation provisions set out in Regulation (EU) 2016/679 of the European Parliament and of the Council by means of the Internal Market Information System C/2018/2814, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2018.123.01.0115.01.ENG&toc=OJ%3AL%3A2018%3A123%3ATOC.
183. The DE-HH SA considers that the exceptional risks for the right to data protection of data subjects are
imminent. WhatsApp’s users were requested to consent to the Updated Terms by 15 May 2021, which
makes imminent the risk of new processing of WhatsApp’s user data by Facebook IE. The DE-HH SA
considers that the exceptional intensity of the interference with the right to data protection of data
subjects, and the exceptionally high number of data subjects using WhatsApp’s services, require a
derogation from the regular cooperation and consistency procedures in order to “safeguard the status
quo”.162
184. According to the DE-HH SA, ceasing to use WhatsApp is not likely to be a serious alternative for many
users, as it is the most widely used messenger service in Germany, with 58 million active users in 2019,
and it is also a closed system. The DE-HH SA further considers that if WhatsApp IE’s users decide to
give their consent, they run the risk that their data will be used by Facebook while they cannot see the
extent of this use. Once Facebook starts merging WhatsApp’s user data with its own data sets, complete disentanglement of the data sets will no longer be possible.163
185. The DE-HH SA therefore considers that it is unacceptable for data subjects to wait and see how the
situation develops, since a fait accompli can be created by Facebook at any time after 15 May 2021. In
the DE-HH SA’s view, the fact that similarly worded consents have already been requested from users
in the past does not remove the urgency, because these consents are currently being legally renewed,
precisely in order to justify a data exchange, at least for the future. The DE-HH SA expects that
Facebook products will merge even more and the data transfer between the Facebook Companies will
grow164, which will further increase the number of people affected.165
186. Therefore, in the view of DE-HH SA, the exceptional severity of the interference with data subjects’
rights and freedoms results from the number and composition of the persons affected by the
processing, as well as from the quality of the interference.166
161 DE-HH SA’s, Letter to the EDPB Chair requesting a binding decision of the EDPB according to Article 66(2) GDPR, 3 June 2021, p. 5.
162 DE-HH SA Order, p. 2; DE-HH SA, Letter to the EDPB Chair requesting a binding decision of the EDPB according to Article 66(2) GDPR, 3 June 2021, pp. 3 and 9.
163 DE-HH SA Order, section II, 1)a), pp. 9-10; DE-HH SA, letter to Facebook IE - Hearing before issuing an order in accordance with Article 58(2)(f) GDPR in conjunction with Article 66(1) GDPR, 12 April 2021, p. 11.
164 The DE-HH SA cited the following references in this context: https://www.areamobile.de/Facebook-Firma-215528/News/Messaging-bei-Facebook-und-Instagramverschmilzt-Zukuenftig-auch-mit-WhatsApp-1359113/; https://www.netzwelt.de/news/179506-whatsapp-facebook-messenger-erste-hinweise-verschmelzung-aufgetaucht.html; https://about.instagram.com/blog/announcements/say-hi-to-messenger-introducing-new-messaging-features-for-instagram
165 DE-HH SA Order, section II, 1)a), pp. 9-10; DE-HH SA, letter to Facebook IE - Hearing before issuing an order in accordance with Article 58(2)(f) GDPR in conjunction with Article 66(1) GDPR, 12 April 2021, p. 11.
166 DE-HH SA, letter to the EDPB Chair requesting a binding decision of the EDPB according to Article 66(2) GDPR, 3 June 2021, p. 7; as well as DE-HH SA Order of 10 May 2021, section II 1)b), p. 9; and DE-HH SA, letter to Facebook IE - Hearing before issuing an order in accordance with Article 58(2)(f) GDPR in conjunction with Article 66(1) GDPR, 12 April 2021, p. 11.
187. The DE-HH SA also refers to Facebook IE’s plans to process the personal data of WhatsApp’s users in
the context of the WhatsApp Business API, and argues that the implementation of this processing is
imminent.167 The DE-HH SA stated that Facebook IE intends to use WhatsApp's user data, which it
receives as a so-called ‘vendor’168, also for its own purposes, by offering companies the publication of
personalised advertisements based on the chat messages they exchange with their customers via the
WhatsApp Business API. In addition to the large amount of metadata WhatsApp IE transfers to
Facebook IE, Facebook IE now also has access to message content and is thus able to create a
comprehensive profile of WhatsApp’s users.
188. The DE-HH SA further states that “[e]ven though WhatsApp declares on behalf of Facebook that the
messages are not automatically used for advertisements that users then see on Facebook, users of both
services do not learn how extensively their data is ultimately shared by both services.”169 According to
the DE-HH SA, this means that “[...] users will be able to be addressed individually and directly with
messages from companies, NGOs and political parties, associations and societies on WhatsApp and
Facebook”170. The DE-HH SA considered that “[t]he use of these newly gained possibilities has so far
been unmanageable, neither for the persons concerned nor for supervisory authorities. The data pool
created by the transmission enables granular profiling, the depth of which is probably unparalleled so
far. The mere fact that Facebook receives information about which persons communicate with each
other via the metadata and can link this with the information already available at Facebook represents
a new, unique quality of intervention.”171
189. The DE-HH SA is of the opinion that “[t]he receipt of personal data in the context of the exchange of
messages between users and companies therefore leads, in the overall view, to a considerably
increased quality of intervention in data processing with unforeseeable risks.”172
190. The DE-HH SA also refers to data protection scandals in the recent past in which Facebook was
involved, such as Cambridge Analytica173, and considers that this shows the extent of the danger for
the rights and freedoms of data subjects. It further considers this danger to be all the more concrete
in view of the upcoming federal elections in Germany in September 2021, and is of the view that “[...]
these elections will arouse desires to influence opinion-forming on the part of Facebook's
advertisers.”174
167 DE-Hamburg SA, Letter to the EDPB Chair requesting a binding decision of the EDPB according to Art. 66 (2) GDPR, 3 June 2021, p. 6.
168 The appropriate GDPR terminology would be “processor”.
169 DE-HH SA Order, section II, 1)b), p. 10; DE-HH SA, letter to Facebook IE - Hearing before issuing an order in accordance with Article 58(2)(f) GDPR in conjunction with Article 66(1) GDPR, 12 April 2021, p. 11; DE-HH SA, letter to the EDPB Chair requesting an urgent binding decision of the EDPB according to Article 66(2) GDPR, 3 June 2021, p. 8.
170 DE-HH SA Order, section II, 1)b), p. 10.
171 DE-HH SA Order, section II, 1)b), pp. 10-11.
172 DE-HH SA Order, section II, 1)b), p. 11.
173 The DE-HH SA quoted the following references in this context: UK SA (ICO)'s findings on the Brexit referendum: https://ico.org.uk/about-the-ico/news-andevents/news-and-blogs/2018/07/findings-recommendations-and-actions-from-ico-investigation-into-data-analytics-in-political-campaigns/; EDPB Opinion 2/2019 on the use of personal data in political campaigns: https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-03-13-statement-on-elections_en.pdf; Opinion of the Icelandic SA on the use of social media by political parties before general elections - guidance and proposals: https://www.personuvernd.is/information-in-english/greinar/nr/2880.
174 DE-HH SA Order, section II, 1)b), p. 11. In this context, the DE-HH SA quoted the following references: Former NATO Secretary General Anders Fogh Rasmussen on election interference: "Germany is more vulnerable than ever to disinformation", https://www.spiegel.de/politik/deutschland/bundestagswahl-deutschland-ist-gefaehrdeter-denn-je-was-desinformation-angeht-a-f9565251-773d-47d3-9986-b1808dcabf94; Germany is more targeted by Russian disinformation campaigns than any other country in the European Union, according to an EU investigation: https://www.rnd.de/politik/russland-deutschland-laut-eu-im-fokus-russischer-desinformation-LF6PGVYYVKDANH346E5WA7WQG4.html.
191. The DE-HH SA states that Facebook IE and WhatsApp IE’s assertion that “[n]o Alleged Processing is
taking place, or will take place, as a consequence of the WhatsApp Update, in line with the present
Commitments” does not influence the necessity of the DE-HH SA Order. In DE-HH SA’s view, this
assertion only indicates that such processing will not take place as a consequence of the Updated
Terms, and that Facebook IE and WhatsApp IE do not deny that such processing is planned to take
place in the near future.175
192. The DE-HH SA further states that, from the considerations above, it becomes clear that Facebook IE
and WhatsApp IE are of the opinion that users’ consents to another (further) update of WhatsApp’s
user-facing information are not necessary for processing WhatsApp’s user data by Facebook IE for
its own purposes listed in the DE-HH SA Order176. Moreover, the DE-HH SA considers that any actual
data transfer is linked to the prerequisite of accepting WhatsApp’s terms of service and privacy
policy.177
193. Based on its analysis of WhatsApp IE’s public-facing information, the DE-HH SA considers that data
exchanges between WhatsApp and Facebook are currently taking place, or will take place imminently, and that it also implies the sharing of WhatsApp’s user data for Facebook IE’s own purposes.178
4.2.2.2 Analysis of the EDPB
194. As regards the processing relating to WhatsApp Business API data, the previous version of the Updated
Terms already informed WhatsApp’s users that “businesses may use another company to assist it in
storing, reading and responding to your message on behalf and in support of that business”. The new
version of the Privacy Policy made it clear that the other Facebook Companies can become one of
those service providers. However, as the Board concluded that, at this stage, there are not enough
elements allowing to establish with certainty that Facebook IE already started or will soon start
processing WhatsApp’s user data in the context of the WhatsApp Business API service as a controller, the EDPB cannot establish an urgency to intervene under Article 66(2) GDPR.
175 Joint letter from Facebook IE and WhatsApp IE to the EDPB Chair, dated 14 May 2021, p. 1, quoted by DE-HH SA, letter to the EDPB Chair requesting a binding decision of the EDPB according to Article 66(2) GDPR, 3 June 2021, p. 5.
176 In the view of Facebook IE, the DE-HH SA mistakenly assumes that, by asking users to accept updated Terms of Service as part of the update foreseen in May 2021, WhatsApp IE is seeking to obtain consent in order to be able to rely on Article 6(1)(a) GDPR for an alleged new form of processing. According to Facebook IE, the request to accept new Terms of Service as part of the update is merely a means for WhatsApp IE to obtain contractual acceptance to the latest version of its contractual terms. Facebook IE states that it is not an attempt to obtain consent to data processing pursuant to Article 6(1)(a) GDPR, and is not relied upon as such (Facebook IE’s written submissions to the DE-HH SA, section 1.1 (C), pp. 2-3; and joint letter from Facebook IE and WhatsApp IE to the EDPB, 14 May 2021, p. 2). Facebook IE further states that according to its understanding, WhatsApp IE intends to achieve the following two goals with the update foreseen for May 2021: (1) to improve transparency for data subjects about how WhatsApp IE currently processes their data, specifically in light of the IE SA’s comments and preliminary findings in its ongoing cross-border statutory inquiry on WhatsApp’s public-facing information; and (2) to provide additional information about how messaging a business works on the WhatsApp service (Facebook IE’s written submissions to the DE-HH SA, section 2, 2.15, p. 10; and joint letter from Facebook IE and WhatsApp IE to the EDPB, 14 May 2021, p. 2; as well as WhatsApp IE’s letter to the IE SA, 5 February 2021, pp. 1-2).
177 DE-HH SA, letter to the EDPB Chair requesting an urgent binding decision of the EDPB according to Article 66(2) GDPR, 3 June 2021, p. 6.
178 DE-HH SA, letter to the EDPB Chair requesting an urgent binding decision of the EDPB according to Article 66(2) GDPR, 3 June 2021, p. 8.
195. As regards the processing made for the four other purposes identified by the DE-HH SA, including
safety, security and integrity, as well as product improvement, the EDPB considers that the elements
contained in WhatsApp’s public-facing information, on the basis of which the EDPB considers the
existence of a likelihood that Facebook IE is processing WhatsApp’s user data as controller, were
already included in the previous version of WhatsApp’s public-facing information179.
196. In the view of the EDPB, the occasion of the adoption of the Updated Terms that contain similar
problematic elements as in the previous version cannot, on its own, justify the urgency for the EDPB
to order the LSA to adopt final measures under Article 66(2) GDPR. The EDPB therefore considers that
there is no urgency for the LSA to adopt final measures in this case.
197. However, the EDPB would like to underline the high likelihood that the processing by Facebook IE as
controller for both the purpose of safety, security and integrity and the purpose of product
improvement is taking place. This important matter requires swift actions to carry out a statutory
investigation, in particular for verifying if, in practice, the processing made by the Facebook Companies
implying the combination or comparison of WhatsApp IE’s user data with other data sets processed by
other Facebook Companies in the context of other apps or services offered by the Facebook
Companies, facilitated inter alia by the use of unique identifiers, is currently taking place. Considering
the existence of references to such processing within WhatsApp’s public-facing information, and the
amount of time which has elapsed since 2018, the EDPB is of the view that the IE SA needs to swiftly
take action. For this reason, the EDPB, taking note of proceedings and actions already under way by
the LSA to investigate matters relating to Facebook IE and WhatsApp IE, requests the LSA to carry out,
as a priority matter, an investigation to determine whether such processing activities are taking place
or not, and if it is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1)
GDPR.
4.2.3 Conclusion
198. The EDPB considers that there is no urgency for the LSA to adopt final measures.
5 ON THE APPROPRIATE FINAL MEASURES
199. Considering the fact that the conditions relating to the demonstration of the existence of an
infringement and urgency are not met (see above points 4.1.7. and 4.2.3), the EDPB concludes that it
sees no reason to request the adoption of final measures against Facebook IE.
179 The DE-HH SA already sent a letter to the IE SA on 3 January 2019 underlining the language showing supporting
the view that Facebook IE is processing data as data controller and asking the IE SA to request Facebook IE and
WhatsApp IE proof of compliance. The DE-HH SA offered to carry out a joint action.
6 URGENT BINDING DECISION
200. In light of the above and in accordance with the tasks of the EDPB under Article 70(1)(t) GDPR to issue
urgent binding decisions pursuant to Article 66 GDPR, the Board issues the following binding decision
in accordance with Article 66(2) GDPR:
201. As regards the existence of infringement, based on the evidence provided, there is a high likelihood
that Facebook IE already processes WhatsApp’s user data as a (joint) controller for the common
purpose of safety, security and integrity of WhatsApp IE and the other Facebook Companies, and for
the common purpose of improvement of the products of the Facebook Companies. However, the EDPB
is not in a position to determine whether such processing takes place in practice.
202. There is also not sufficient information in the present procedure to establish with certainty that
Facebook IE already started to process WhatsApp’s user data as a (joint) controller for its own purposes
of marketing communications and direct marketing, and cooperation with the other Facebook
Companies, and that Facebook IE already started or will soon start processing WhatsApp’s
user data as a (joint) controller for its own purpose in relation to WhatsApp Business API.
203. The EDPB considers that it does not have sufficient information in the present procedure to conclude
whether infringements are taking place.
204. On the existence of urgency, the EDPB considers that Article 61(8) GDPR is not applicable in this
specific case, hence that the urgent nature of the DE-HH SA’s Article 66(2) GDPR request needs to be
demonstrated.
205. The EDPB considers that the occasion of the adoption of the Updated Terms that contain similar
problematic elements as the previous version cannot, on its own, justify the urgency for the EDPB to
order the LSA to adopt final measures under Article 66(2) GDPR. The EDPB therefore considers that
there is no urgency for the LSA to adopt final measures in this case.
206. Taking this into consideration, the EDPB decides that no final measures need to be adopted against
Facebook IE.
207. The EDPB considers that the high likelihood of infringements and the lack of information relating to
the five purposes identified above justifies the decision to request the IE SA to carry out a statutory
investigation, in particular for verifying if, in practice:
- the processing made by the Facebook Companies for the purposes of safety, security and integrity,
as well as product improvement, implying the combination or comparison of WhatsApp IE’s user data
with other data sets processed by other Facebook Companies in the context of other apps or services
offered by the Facebook Companies, facilitated for instance by the use of unique identifiers in relation
to the purpose of product improvement, are currently taking place, and what are the roles of the
Facebook Companies involved;
- Facebook IE has already started to process WhatsApp’s user data as a (joint) controller for its own
purposes of marketing communications and direct marketing, as well as cooperation with the other
Facebook Companies, and what are the roles of the Facebook Companies involved;
- Facebook IE has already started or will soon start to process WhatsApp’s user data as a (joint)
controller for its own purpose in relation to WhatsApp Business API, and what are the roles of the
Facebook Companies involved, as well as the role of the businesses, in particular where businesses
decide to rely on Facebook for advertisements.
- Facebook IE, when using the content of messages sent via WhatsApp to businesses, would be acting
as (joint) controller.
Considering the high likelihood of infringements for the purpose of safety, security and integrity of
WhatsApp IE and the other Facebook Companies, as well as for the purpose of improvement of the
products of the Facebook Companies, the EDPB decides that the IE SA shall carry out, as a priority
matter, an investigation to determine whether such processing activities are taking place or not, and
if it is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR.
7 FINAL REMARKS
208. This urgent binding decision is addressed to the IE SA, the DE-HH SA and the other CSAs.
209. The IE SA shall notify this urgent binding decision to Facebook IE and WhatsApp IE without delay.
210. Once such communication is done by the IE SA, this urgent binding decision will be made public on the
EDPB’s website without delay after the notification to Facebook IE.
211. The EDPB considers that its current decision is without any prejudice to any assessments the EDPB may
be called upon to make in other cases, including with the same parties.
For the European Data Protection Board
The Chair