On 2nd September 2021, the Irish Data Protection Commission (DPC) announced a decision to fine WhatsApp €225 million. The DPC concluded that WhatsApp failed to: provide required privacy information to WhatsApp users (as required by GDPR Art.13); provide privacy information relevant to contacts of WhatsApp users ("non-users") whose personal data was processed in order to show users which of their contacts were also WhatsApp users (as required by GDPR Art.14); make privacy information available in an "easily accessible form" (as required by GDPR Art.12); and – as a result – also failed to comply with the over-arching transparency principle at GDPR Art.5(1)(a). The DPC also required WhatsApp to provide the required privacy information within 3 months of the date of the decision (being 20 August 2020) and issued a reprimand.
As WhatsApp’s processing of personal data substantially affects data subjects in more than one Member State and as WhatsApp’s sole establishment in the EU was in Ireland, the co-operation and consistency provisions under GDPR Art.60 were triggered (the one stop shop provision). To comply with this, the DPC submitted a draft decision to all other supervisory authorities. Six commented on the decision; six submitted relevant and reasoned objections (the CNIL doing both; the Federal German authority objected and the supervisory authorities for two Laender were also involved). It was not possible for the DPC to reach a consensus on a number of points – so these were submitted to the European Data Protection Board ("EDPB") for it to reach a decision under Art.65. In a number of places, the decision incorporates the conclusions of the EDPB.
The decision establishes that privacy notices must be detailed – with far more detail being given than is currently typically the case – and must be easily accessible, without use of multiple linked documents which may be hard to find and assimilate. The decision also incorporates findings of the EDPB on how fines should be calculated.
Lastly, the decision also comments on the meaning of personal data and anonymisation – ruling out motivation as a factor in assessing risk of identifiability – and rejects arguments that Facebook was just a processor for its users when processing non-user data.
WhatsApp has stated that it will appeal the decision.
GDPR Art.12(1) provides that information provided to a data subject has to be "easily accessible". Information contained in multiple, linked, documents is not always easily accessible – especially where the documents contain overlapping, but slightly different, information. The decision notes that: "The user should not have to work hard to access the prescribed information; nor should he/she be left wondering if he/she has exhausted all available sources of information and nor should he/she have to try to reconcile discrepancies between the various pieces of information set out in different locations" [337].
The decision notes that, in the course of the investigation, WhatsApp had taken steps to address some concerns of the investigator over accessibility of information. Design features to note are:
GDPR Arts.13(1) and (2) set out what information has to be included in a privacy notice where personal data is collected from the data subject.
WhatsApp noted that the level of detail included in its privacy notice was consistent with the level of detail provided by its peers. The DPC dismissed this, noting that an industry could not be allowed to set its own level of compliance. At the same time, the DPC commented that there was an abundance of text that communicated very little, warning against long but uninformative notices. WhatsApp’s point is, however, well made: the standard set out in the decision goes significantly beyond that of most privacy notices. Indeed, a glance at the privacy notice on the EDPB’s own website shows that the EDPB does not itself meet the (very similar) standard that applies to it. Nor does the Irish DPC practise what it preaches. A substantial amount of work will be required to provide the level of transparency required.
To assist readers, we have set out the comments in the decision which we consider diverge most from current practice.
| Provision in GDPR Art.13 | "Extra" needed (references are to the paragraph number of the DPC decision) |
| --- | --- |
| 13(1)(c) | Purposes of processing as well as the legal basis for the processing |
| 13(1)(c) | Legal basis for processing |
| 13(1)(d) | The legitimate interests pursued |
| 13(1)(e) | The recipients or categories of recipients |
| 13(1)(f) | Transfers of data |
| 13(2)(a) | Retention periods |
| 13(2)(c) | Information about data subject rights |
| 13(2)(e) | Where provision of information is a statutory or contractual requirement |
The decision held that WhatsApp did not comply with its obligations under GDPR Art.14 (transparency obligations in relation to data obtained otherwise than directly from the data subject). The decision acknowledged that the processing carried out by WhatsApp about non-users was very limited. It stated that the main impact of the processing would be when a non-user signs up to WhatsApp (as this then reveals to other WhatsApp users the fact that this person is now a WhatsApp user). Accordingly, most emphasis should be given to provision of information at this point.
The DPC specifically accepted that WhatsApp would not need to provide information individually to non-users and that it would be undesirable for WhatsApp to do this [165].
WhatsApp must make required privacy notice changes within 3 months; large, international, controllers will be held to high standards
The DPC was instructed by the EDPB to require WhatsApp to make the required changes to its privacy notices within 3 months of the date of the order (reduced from the 6 months proposed by the DPC) [688]. WhatsApp argued that compliance would present considerable challenges. The EDPB Opinion rejected this, noting that WhatsApp was of a size and had sufficient means to be able to achieve this [687].
Similarly, the DPC rejected arguments by WhatsApp that the DPC should show similar leniency in its approach to that allowed to smaller, national, controllers; the DPC noted that large, international, controllers with significant resources and in-house compliance teams will be held to a higher standard [668].
In setting the level of the fine, the DPC paid particular regard to:
The Commissioner noted that relevant mitigating factors were: the limited nature of data processed about non-users and the changes already made by WhatsApp to the privacy notices – however, she considered that no significant weight should be applied to these factors.
Overall, the Commissioner considered that a fine should be set at €225 million (being the sum of the separate fines proposed for breaches of GDPR Arts. 12, 13, 14 and 5 respectively).
GDPR Art.83(4) and (5) provide for a cap on fines, set at the higher of a specified monetary or turnover-based amount. The EDPB opinion noted that the relevant turnover is that of "all the component companies of the single undertaking" [807], which would be the turnover of the group headed by Facebook Inc [846], [863-869; 885-886]. The EDPB Art.65 decision directed the DPC to consider WhatsApp’s turnover not solely when ensuring that the fine did not breach the cap, but also when setting the level of the fine initially. In other words, larger organisations should – as a matter of principle – be exposed to larger fines, if required to achieve an effective, proportionate and dissuasive result [805].
The EDPB Opinion also instructed the DPC to impose a higher fine for the infringements identified. In considering this, the DPC benchmarked its decision against the €50 million fine imposed by the CNIL against Google.
The DPC calculated the proposed fine by adding together separate fines proposed for breach of GDPR Arts. 12, 13, 14 and 5. GDPR Art.83(3) provides that "if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement". In the original decision notice, the DPC referred to this provision and interpreted it as meaning that the fine would be limited to the highest of the separate fines proposed for breaches of the various articles of the GDPR. The EDPB Opinion considered this interpretation to be incorrect; it stated that the provision should be interpreted instead as meaning that the total fine – for all the infringements – should not exceed the relevant fine cap as set out in Arts. 83(4) or (5). Accordingly, the DPC re-calculated the fine on this basis.
The decision rejected WhatsApp’s arguments that telephone numbers of non-users and lossy hashes do not amount to personal data. The DPC placed significant emphasis on the CJEU decision in Breyer[1], noting that the test is whether the risk of identification is "insignificant" [86].
In considering whether phone numbers should be regarded as personal data, the DPC outlined all the ways that could be used to identify the individual – including dialling the number and asking the user, or listening to a voicemail message. Readers may be familiar with the "motivated intruder" test, proposed in the UK Information Commissioner’s Anonymisation Code of Practice[2]. Motivation is often taken into account by practitioners when assessing risk of identification and what steps are appropriate to mitigate this risk[3]. The DPC specifically rejected WhatsApp’s arguments on this point, concluding that WhatsApp’s intent was irrelevant; as was the fact that – technically – WhatsApp could not access the raw phone numbers so as to seek to identify the user and would have had to redesign its systems so as to be able to do this. On this point, the DPC noted that WhatsApp had the technical power to do this and that the DPC would not give any significant weight to protective measures which were within the control of WhatsApp itself [33].
The DPC initially accepted WhatsApp’s arguments that the lossy hashes did not amount to personal data. However, the EDPB directed the DPC to conclude that the lossy hashes did amount to personal data. Again, the EDPB underlined that motivation was an irrelevant factor (p.38). The EDPB also concluded that WhatsApp relied too heavily on the argument that the lossy hashes did not relate to a specific phone number and, instead, indicated 16 phone numbers. The EDPB noted that anonymisation depends on preventing singling out, inference and linking, and that the technique used by WhatsApp (k-anonymisation) only avoids singling out, but does not prevent inference or linkability. Further, the EDPB concluded that WhatsApp overstated the effectiveness of the technique even so far as singling out was concerned, as WhatsApp looked at the total number of possible phone numbers in determining the value of k, whereas it should have looked at the actual number of phone numbers connected to individuals, which would be far lower (p.309).
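The EDPB’s two points about the lossy hash (k measured over possible numbers rather than actual ones, and a deterministic hash remaining linkable) can be checked numerically. The following is an added illustration written for this article, not WhatsApp’s code and not a description of its actual scheme: it assumes a lossy hash built by truncating a uniform hash modulo a bucket count, a hypothetical number space and bucket count chosen so that the nominal k is 16 (the figure cited in the decision), and a constructed set of 2,000 "actual" numbers. It then measures how many of those actual numbers are alone in their bucket.

```python
"""Constructed demonstration (not WhatsApp's code): how a k-anonymity claim
for a lossy hash changes when k is measured over actual records rather than
the whole number space, and why a deterministic hash stays linkable."""
import hashlib
import random
from collections import Counter


def lossy_hash(number: str, bucket_count: int) -> int:
    """Map a phone number to one of `bucket_count` buckets by truncating a hash.
    Assumption for this example: a uniform hash reduced modulo the bucket count;
    the real scheme is not described in the decision."""
    digest = hashlib.sha256(number.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % bucket_count


def nominal_k(space_size: int, bucket_count: int) -> float:
    """k as argued from the size of the *possible* number space:
    every bucket covers space_size / bucket_count dialable numbers."""
    return space_size / bucket_count


def bucket_sizes(numbers, bucket_count: int) -> Counter:
    """How many of the *actual* numbers share each lossy hash value."""
    return Counter(lossy_hash(n, bucket_count) for n in numbers)


def effective_k_stats(numbers, bucket_count: int) -> dict:
    """k as it should be measured: over numbers connected to real people.
    A number whose bucket holds no other actual number is singled out."""
    sizes = bucket_sizes(numbers, bucket_count)
    occupied = list(sizes.values())
    singled_out = sum(1 for n in numbers if sizes[lossy_hash(n, bucket_count)] == 1)
    return {
        "min_k": min(occupied),
        "max_k": max(occupied),
        "mean_k": sum(occupied) / len(occupied),
        "singled_out_fraction": singled_out / len(numbers),
    }


def same_bucket(a: str, b: str, bucket_count: int) -> bool:
    """Linkability: two hashed records match whenever they land in the same
    bucket, and the same number always lands in the same bucket, so repeated
    uploads of one number are trivially linkable to each other."""
    return lossy_hash(a, bucket_count) == lossy_hash(b, bucket_count)


# --- constructed sample data (hypothetical values, not real numbers) ---------
SPACE_SIZE = 160_000    # size of an imagined dialable number range
BUCKET_COUNT = 10_000   # chosen so that nominal k = 16, the figure in the text
random.seed(7)
ACTUAL_NUMBERS = [f"+000{i:06d}" for i in random.sample(range(SPACE_SIZE), 2_000)]


def demo() -> dict:
    """Return nominal k alongside the k actually observed on the sample."""
    stats = effective_k_stats(ACTUAL_NUMBERS, BUCKET_COUNT)
    stats["nominal_k"] = nominal_k(SPACE_SIZE, BUCKET_COUNT)
    return stats


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With 2,000 actual numbers spread over 10,000 buckets, the mean occupancy of a used bucket is close to 1 and roughly four in five numbers sit alone in their bucket, even though every bucket nominally covers 16 possible numbers. That is the gap the EDPB describes between counting the possible number space and counting the numbers that belong to individuals; the same arithmetic is what a controller should run when assessing a k-anonymisation claim of its own.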
The DPC quoted extensively from the sections of the Article 29 Working Party’s Opinion 1/2010 which emphasise that the role of the controller is to "allocate responsibility". Unsurprisingly, the DPC concluded that WhatsApp, rather than individual users, should be held responsible as controller. The DPC also noted that WhatsApp’s user-facing materials did not suggest to users that WhatsApp regarded them as controllers.
*Most of the content in this article has been previously published on the IAPP website and shared with its members.
[1] Breyer v Bundesrepublik Deutschland (Case C-582/12).
[2] Information Commissioner’s Office (2012), Anonymisation: managing data protection risk code of practice, pp. 22-24.
[3] Arbuckle, L. & El Emam, K. (2020), Building an Anonymization Pipeline, p. 50.