HmbBfDI (Hamburg) - Facebook/WhatsApp

From GDPRhub
HmbBfDI (Hamburg) - Facebook/WhatsApp
LogoDE-HH.png
Authority: HmbBfDI (Hamburg)
Jurisdiction: Germany
Relevant Law: Article 6 GDPR
Type: Other
Outcome: n/a
Started:
Decided: 11.05.2021
Published: 05.06.2021
Fine: None
Parties: n/a
National Case Number/Name: Facebook/WhatsApp
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
English
Original Source: The Hamburg Commissioner for Data Protection and Freedom of Information (in DE)
The Hamburg Commissioner for Data Protection and Freedom of Information (in EN)
Initial Contributor: n/a

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) issued an order under the GDPR's urgency procedure prohibiting Facebook Ireland Ltd. from processing personal data from WhatsApp for its own purposes. The order is immediately enforceable.

English Summary

Facts

WhatsApp requested its users to agree to the new terms and privacy policy by May 15, which grant WhatsApp far-reaching powers to share data with Facebook. That powers included among others the processing of location information, the transfer of communication data of users to third-party companies explicitly with reference to Facebook, the additional purpose of ensuring the integrity of the services, and the cross-company verification of the account in order to use the service in an "appropriate manner". Data can also be used to connect with products from Facebook companies. A legitimate interest is mentioned to be used as a basis for data processing related to minors, while the previously existing notice that WhatsApp messages are not shared on Facebook for others to see has been removed.

Holding

The Commissioner states that there is no legal basis for processing by Facebook for its own purposes. The provisions on data transfers in the privacy policy are unclear and hard to distinguish while "the contents are misleading and show considerable contradictions" and the consequences of approval for the users are undefined. Furthermore, since WhatsApp demands acceptance of the new provisions as a condition for the continued use of the service's functionalities consent is not freely given. Facebook cannot claim a prevailing legitimate interest in processing the data of WhatsApp users because their interests are overridden by the rights and freedoms of the data subjects, while at the same time the processing is not necessary for Facebook to perform a contract. Moreover, data transfers are non transparent while the policy makes it possible to process data across companies for the purpose of sending direct advertising and marketing communications.

Comment

This summary is based on a press release issued by the Commissioner on 11 May 2021, as the Order itself was not made publicly available.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

                                   PRESS RELEASE

                           The Hamburg Commissioner for

                  Data Protection and Freedom of Information




                                                                                 May 11, 2021


 Order of the HmbBfDI: Ban of further processing of WhatsApp

                              user data by Facebook

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) issued an
order prohibiting Facebook Ireland Ltd. from processing personal data from WhatsApp for its own
purposes. The order is immediately enforceable. This is done under the urgency procedure of the
General Data Protection Regulation (GDPR), which provides for the adoption of provisional measures

with a specified period of validity in the respective territory, in this case Germany.
The background to the proceedings is the request to all WhatsApp users to agree to the new terms
and privacy policy by May 15, which grant WhatsApp far-reaching powers to share data with

Facebook.
The new terms and conditions formally renew the data processing powers and expand their content
for the future. This concerns, among other things, the processing of location information, the transfer

of communication data of users to third-party companies explicitly with reference to Facebook, the
additional purpose of ensuring the integrity of the services, and the cross-company verification of the
account in order to use the service in an "appropriate manner". It also allows for the use of data to
connect with products from Facebook companies. A legitimate interest for the data processing or for
the exchange of the data in relation to minors is also claimed across the board. Furthermore, the
previously existing notice that WhatsApp messages are not shared on Facebook for others to see has

been removed.
On evaluation of the facts and after having heard Facebook Ireland Ltd., there is no legal basis for

processing by Facebook for its own purposes, notwithstanding the approval of the terms of use
currently obtained by WhatsApp. The provisions on data transfers are scattered at different levels of
the privacy policy, they are unclear and hardto distinguish in their European and international versions.
In addition, the contents are misleading and show considerable contradictions. Even after close
analysis, it is not clear what consequences approval has for users. Furthermore, consent is not freely
given, since WhatsApp demands acceptance of the new provisions as a condition for the continued

use of the service's functionalities.
Against this background, there is no basis for processing of personal data of WhatsApp users by
Facebook for their own purpose. In particular, Facebook cannot claim a prevailing legitimate interest

in processing the data of WhatsApp users because their interests are overridden by the rights and
freedoms of the data subjects. Consent is neither given freely nor in an informed manner. This applies
particularly to minors. For these reasons, consent under data protection law cannot be considered as
a legal ground. The processing of WhatsApp users' data is also not necessary for Facebook to perform
a contract.

The investigation of the new provisions has shown that they aim to further expand the close connection
between the two companies in order for Facebook to be able to use the data of WhatsApp users for
their own purposes at any time. For the areas of product improvement and advertising, WhatsApp
reserves the right to pass on data to Facebook companies without requiring any further consent from

data subjects. In other areas, use for the company's own purposes in accordance to the privacy policy



The Hamburg Commissioner for Data Protection and Freedom of Information
Ludwig-Erhard-Str. 22, 20459 Hamburg
Phone: 040/42854-4040 | Fax: 040/42854-4000
E-mail: mailbox@datenschutz.hamburg.de | Internet: www.datenschutz-hamburg.decan already be assumed at present. The privacy policy submitted byWhatsApp and the FAQ describe,

for example, that WhatsApp users' data, such as phone numbers and device identifiers, are already
being exchanged between the companies for joint purposes such as network security and to prevent
spam from being sent. Our request to the lead supervisory authority for an investigation into the actual
practice of data sharing was not honoured so far.

Users are confronted by WhatsApp with non-transparent conditions for far-reaching data transfer. At
the same time, it is claimed that the processing operations described are not actually carried out at all,
only to be implemented step by step at a later date on the basis of the legal framework founded on

user consent. This strategy is currently being carried out in particular with respect to the newly
introduced function of business marketing, which, with the inclusion of Facebook, makes it possible to
process data across companies for the purpose of sending direct advertising and marketing
communications. Overall, the approach does not comply with the requirements of the GDPR, both with
regard to data processing that is already being carried out according to the privacy policy and

additional processing that can be implemented by Facebook at any time.
Johannes Caspar, Hamburg's Commissioner for Data Protection and Freedom of Information,
comments: "The order is intended to safeguard the rights and freedoms of the many millions of users

who approve to the terms of use throughout Germany. The aim is to prevent disadvantages and
damage associated with such a black-box procedure. The data protection scandals of recent years,
from "Cambridge Analytica" to the recently disclosed data leak that affected more than 500 million
Facebook users, show the extent and threats of mass profiling. This concerns fundamental rights and
also the possibility of using profiling to influence voter decisions in order to manipulate democratic

decision making processes. With nearly 60 million users of WhatsApp, the danger is all the more
concrete in view of the upcoming federal elections in Germany in September 2021, which will create
desire to influence voters on the part of Facebook's ad customers. The order now issued relates to
the further processing of WhatsApp user data and is directed at Facebook. The worldwide criticism
against the new terms of service should give reason to fundamentally rethink the consent mechanism

once again. Without user trust, no business model based on data can be successful in the long run."
Due to the limited duration of the order in the emergency procedure of only three months, the HmbBfDI

will bring this case to the European Data Protection Board (EDPB) in order to facilitate a binding
decision at European level.


                                          Press contact:
                                          Martin Schemm

                                    Phone: +49 40 428 54-4044
                               Mail: presse@datenschutz.hamburg.de























                                                 2