WhatsApp: fine of EUR 225 million for breach of information duty

The Irish Data Protection Commission (DPC) announced on September 2, 2021, the conclusion of an investigation into WhatsApp that lasted more than two and a half years. According to the DPC's media release, the subject of the investigation was whether WhatsApp violated the information obligations under the GDPR, including with regard to the exchange between WhatsApp and other companies in the Facebook group. However, WhatsApp Business was not affected.

The DPC submitted a draft decision pursuant to Art. 60 GDPR to the other supervisory authorities concerned at the end of 2020. Because no consensus was found in this process, the European Data Protection Board (EDPB) instructed the DPC at the end of June 2021 to increase the proposed fine. As a result, the DPC imposed a fine of EUR 225 million on WhatsApp and ordered WhatsApp to adjust its data processing.

In its decision, the EDPB held, inter alia, that the controller must indicate the purpose of each individual processing activity and, if applicable, the legitimate interests pursued thereby. Insofar as the legitimate interests of another company are involved, this must also be stated. WhatsApp’s privacy policy and terms and conditions do not meet these requirements and are not clear and specific enough. One example is the statement “For providing measurement, analytics, and other business services […] The legitimate interests we rely on for this processing are: […] In the interests of businesses and other partners to help them understand their customers and improve their businesses, …”, because it is unclear what “other business services” means and no legitimate interest is specifically mentioned in relation to this purpose. It also remains unclear which “businesses or partners” are concerned. Likewise, “[t]o create, provide, support, and maintain innovative services and features […]” is not sufficiently specific.

This position of the EDPB is not necessarily surprising in light of its guidelines on transparency. However, it is very strict. If taken at face value, a great many companies will have to revise their privacy statements. This will not only require considerable effort; above all, it means that privacy statements will have to be updated not only when business models change but also when everyday processes change. It will certainly take a while for such a practice to become generally accepted, but it can be expected in the long term.

WhatsApp has apparently announced that it will appeal the decision.
