The Irish Data Protection Commission (DPC) announced on September 2, 2021, the conclusion of an investigation into WhatsApp that lasted more than two and a half years. The subject of the investigation was, according to the Media release of the DPCWhatsApp violated the information obligations under the GDPR, including the exchange between WhatsApp and other companies in the Facebook group. However, WhatsApp Business was not affected.
The DPC submitted a draft decision pursuant to Art. 60 GDPR to the co-involved supervisory authorities at the end of 2020. Because no consensus was found in this process, the European Data Protection Board (EDPB) End of June 2021 the DPC instructedto increase the proposed fine. As a result, the DPC imposed a fine of EUR 225 million on WhatsApp, and ordered WhatsApp to adjust its data processing.
In its decision, the EDPB held, inter alia, that. the controller must indicate the purpose of each individual processing activity and, if applicable, the legitimate interests pursued thereby. Insofar as the legitimate interests of another company are involved, this must also be stated.. WhatsApp’s privacy policy and terms and conditions do not meet these requirements and are not clear and specific enough. For example, the statement “For providing measurement, analytics, and other business services […] The legitimate interests we rely on for this processing are: […] In the interests of businesses and other partners to help them understand their customers and improve their businesses, …”, because it is unclear what “other business services” means and no legitimate interest is specifically mentioned in relation to this purpose. It also remains unclear which “businesses or partners” are concerned. Also “[t]o create, provide, support, and maintain innovative services and features […]” is not defined enough.
This attitude of the EDPB is not necessarily surprising when reading its guidelines on transparency. However, it is very strict. If taken at face value, a great many companies will have to revise their privacy statements. This will not only lead to great effort, but above all to the fact that data protection declarations will have to be adapted when business models are adapted, but also everyday processes. It will certainly take a while for such a practice to become generally accepted, but it can be expected in the long term.
WhatsApp has apparently announced that it will appeal the decision.