WhatsApp Slapped with €5.5 Fine for GDPR Violation
WhatsApp is the latest big tech firm to receive a financial penalty for violations of the General Data Protection Regulation (GDPR) and must pay €5.5 million ($5.95) to resolve a GDPR violation due to the legal basis for processing user data. The Irish Data Protection Commission (DPC) says that in addition to the fine, the Meta-owned company, WhatsApp Ireland, must also ensure that its data processing operations are fully compliant with GDPR regulations within 6 months or the company will face further financial penalties. The decision was announced just a few days after Facebook and Instagram were fined a total of €390 million ($414 million) for consent-related GDPR violations – both Meta companies plan to appeal the decisions.
Under the one-stop-shop mechanism, complaints about GDPR violations are investigated by the data protection agency in the country where a company has its EU base, which for many of the big U.S. tech firms is Ireland. The DPC launched an investigation into WhatsApp on the date the GDPR took effect in response to a complaint from a German data subject. As was the case with Facebook and Instagram, the complainant alleged GDPR violations related to how consent to process data was obtained.
At midnight on May 25, 2018, when the GDPR took effect, WhatsApp’s terms and services were updated and all users in the EU were prompted to accept the changes by clicking a button in the app. By doing so they gave WhatsApp consent to process their data. The terms and conditions had been changed to make acceptance of those terms a requirement of using the app, with the terms and conditions including the use of users’ personal data. WhatsApp considered the acceptance of the terms and conditions to be a requirement of the contract with the company and its users, and that the processing of users’ data was necessary to perform its duties under that contract. As such, WhatsApp believed it met its obligations under Article 6(1)(b) of the GDPR, which requires there to be a legal basis for processing the personal data of EU data subjects.
The GDPR requires individuals to freely give consent to companies before their personal data can be used, and when obtaining consent it must be made clear to individuals what they are consenting to. Data subjects must be informed of the specific uses of their data in an unambiguous way, and consent must be obtained without pressure, influence, or in any other way causing an imbalance that is likely to affect the users’ decision. The complainant alleged that WhatsApp was relying on consent to provide a legal basis to process users’ data, and by making consent to process data one of the terms and conditions of using the service, WhatsApp was in fact forcing users to consent to the use of their data.
The DPC found that WhatsApp Ireland breached its obligations for transparency under the GDPR, as information about the legal basis for processing data was not outlined to users, which meant they “had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR,“ and that the lack of transparency contravened Articles 12 and 13(1)(c) of the GDPR. While there was a GDPR violation that warranted a financial penalty, the DPC had previously fined WhatsApp €225 million for GDPR violations also related to transparency, so no further fines or corrective measures were determined to be necessary.
The DPC found that in cases where WhatsApp relied upon user consent for the lawful basis for processing user data, the forced consent element of the complaint could not be sustained, as WhatsApp was not required to rely on consent to process user data in connection with the delivery of the service. The DPC also considered whether, in principle, the GDPR precluded WhatsApp Ireland’s reliance on the contract legal basis it asserted, and concluded it was not precluded and there had been no GDPR violation.
“The WhatsApp service includes, and indeed appears to be premised on, the provision of a service that includes service improvement and security. In the view of the DPC, this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service,” said the DPC in its decision. However, 6 of the 47 Concerned Supervisory Authorities (CSAs) disagreed with that view, and a consensus could not be reached. The case was then referred to the European Data Protection Board (“the EDPB”).
The EDPB concurred with the DPC with respect to the transparency violation and similarly determined no further financial penalty should be imposed, but disagreed with the DPC on the legal basis for processing data, and concluded that “as a matter of principle, WhatsApp Ireland was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security.” Therefore, the DPC decided to impose a fine of $5.5 million.
The EDPB has also directed the DPC to conduct a new investigation into WhatsApp to determine the extent to which special category data has been processed and whether special category data have been processed for behavioral advertising and marketing purposes, and into the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements to determine if the company is in compliance with its obligations under Article 9 of the GDPR.
A spokesperson for WhatsApp has confirmed that the company plans to appeal the decision, as there is a strong belief that the company operates in a way that is technically and legally compliant. The spokesperson also said WhatsApp relies upon “the contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service.”