Irish Data Protection Commission WhatsApp decision: what do you need to know?

On 2nd September 2021, the Irish Data Protection Commission (DPC) announced a decision to fine WhatsApp €225 million. The DPC concluded that WhatsApp failed to: provide required privacy information to WhatsApp users (as required by GDPR Art.13); provide privacy information relevant to contacts of WhatsApp users ("non-users") whose personal data was processed in order to show users which of their contacts were also WhatsApp users (as required by GDPR Art.14); make privacy information available in an "easily accessible form" (as required by GDPR Art.12); and – as a result – also failed to comply with the over-arching transparency principle at GDPR Art.5(1)(a). The DPC also required WhatsApp to provide the required privacy information within the 3 months of the date of the decision (being 20 August 2020) and issued a reprimand.

As WhatsApp’s processing of personal data substantially affects data subjects in more than one Member State and as WhatsApp’s sole establishment in the EU was in Ireland, the co-operation and consistency provisions under GDPR Aat.60 were triggered (the one stop shop provision). To comply with this, the DPC submitted a draft decision to all other supervisory authorities. 6 commented on the decision; 6 submitted relevant and reasoned objections (the CNIL doing both; the Federal German authority objected and the supervisory authorities for two Laender were also involved). It was not possible for the DPC to reach a consensus on a number of points – so these were submitted to the European Data Protection Board (“EDPB”) for it to reach a decision under art.65. In a number of places, the decision incorporates the conclusions of the EDPB.

The decision establishes that privacy notices must be detailed – with far more detail being given than is currently typically the case – and must be easily accessible, without use of multiple linked documents which may be hard to find and assimilate. The decision also incorporates findings of the EDPB on how fines should be calculated

Lastly, the decision also comments on the meaning of personal data and anonymisation – ruling out motivation as a factor in assessing risk of identifiability – and rejects arguments that Facebook was just a processor for its users when processing non-user data.

WhatsApp has stated that it will appeal the decision.

Easily accessible privacy information – take care with multiple linked documents

GDPR Art.12(1) provides that information provided to a data subject has to be "easily accessible". Information contained in multiple, linked, documents is not always easily accessible – especially where the documents contain overlapping, but slightly different, information. The decision notes that: "The user should not have to work hard to access the prescribed information; nor should he/ she be left wondering if he/she has exhausted all available sources of information and nor should he/she have to try to reconcile discrepancies between the various pieces of information set out in different locations" [337].

  • The decision does not stop use of linked documents. In some circumstances, we think there may be good reasons for using this technique. However, controllers must ensure that there is an easy way for a data subject to know they have seen all relevant information (such as also having a composite notice) and must avoid inconsistencies between documents.

The decision notes that, in the course of the investigation, WhatsApp had taken steps to address some concerns of the investigator over accessibility of information. Design features to note are:

  • Avoid a continuous scroll of information, with no way for the user to see short-cut options after the home page [190];
  • Avoid embedding a privacy notice within legal terms, which could have the effect of putting-off readers, because of the length of the overall document [201].

Privacy notices need to convey detailed information

GDPR Arts.13(1) and (2) set out what information has to be included in a privacy notice where personal data is collected from the data subject.

WhatsApp noted that the level of detail included in its privacy notice was consistent with the level of detail provided by its peers. The DPC dismissed this, noting that an industry could not be allowed to set its own level of compliance. At the same time, the DPC commented that there was an abundance of text that communicated very little; warning against long, but uninformative, notices. WhatsApp’s point is, however, well made: the standard set out in the decision goes significantly beyond that of most privacy notices. Indeed, a glance at the privacy notice on the website of the EDPB shows that the EDPB does not meet the (very similar) standard applicable to the EDPB. Nor does the Irish DPC practise what it preaches. A substantial amount of work will be required to provide the level of transparency required.

To assist readers, we have set out the comments in the decision which we consider diverge most from current practice.

 Provision in GDPR Art.13  "Extra" needed (references are to the paragraph number of the DPC decision)

 Purposes of processing as well as the legal basis for the processing:

  • The legal basis for processing and the purpose of processing must be given by reference to the specific category(ies) of personal data and the specified processing operations [325]
  • The EDPB Opinion suggests that this extends to providing „full information on each and every processing operation respectively“ [[413]

 Legal basis for processing

  • The data subject must be able to identify the legal basis relied on for each processing operation (i.e. collection, recording, storage, use etc…) [363]
  • if the legal basis is compliance with law, the privacy notice should identify the EU or Member State law which gives rise to the obligation [369]
  • if a controller states that there could be multiple legal bases for undertaking a processing activity (for example, preventing harmful content could be justified on the basis of contractual necessity; legitimate interests or compliance with law), the notice must be sufficiently granular as to allow the data subject to identify when a particular legal basis will be relied on. Examples could be used to show this [382]

 The legitimate interests pursued

  • specific information about what legitimate interest relates to each processing operation and which entity pursues each legitimate interest must be given; the categories of personal data processed for each processing operation must also be given [413]

 The recipients or categories of recipients

  • if a category is specified, rather than a particular recipient, this should be „as specific as possible“ and the information should relate to the specific service received by the user and the specific categories of data disclosed to that recipient [427]
  • The data subject must be able to identify what categories of data are transferred to any identified recipient and why [428]

 Transfers of data

  • The notice must provide details of the actual adequacy decision relied on, not just a link to all adequacy decisions, and provide details of the specific set of standard contractual clauses used [452]. (We do not think this means the actual signed clauses – rather whether the set is controller to controller or controller to processor etc).

 Retention periods

  • The DPC focused on non-obvious retention – after termination of a service. WhatsApp argued that this would depend on the nature of the data and the particular legal or operational need that was at issue – the DPC stated that this was insufficient and that meaningful information about the criteria should be included [474]

 Information about data subject rights

  • Information about the right to withdraw consent should be included in the section addressing data subject rights. Including it in a section on consent would not be what data subjects would expect Must explain that withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal [491, 492]

 Where provision of information is a statutory or contractual requirement

  • Must clearly set out the minimum information required and the consequences of not providing the specific information [515]

Notice to non-users

The decision held that WhatsApp did not comply with its obligations under GDPR Art.14 (transparency obligations in relation to data obtained otherwise than directly from the data subject). The decision acknowledged that the processing carried out by WhatsApp about non-users was very limited. It stated that the main impact of the processing would be when a non-user signs up to WhatsApp (as this then reveals to other WhatsApp users the fact that this person is now a WhatsApp user). Accordingly, most emphasis should be given to provision of information as this point.

The DPC specifically accepted that WhatsApp would not need to provide information individually to non-users and that it would be undesirable for WhatsApp to do this [165].

Approach to sanctions

WhatsApp must make required privacy notice changes within 3 months; large, international, controllers will be held to high standards

The DPC was instructed by the EDPB to require WhatsApp to make required changes to its privacy notices within 3 months of the date of the order (reduced from the 6 months proposed by the DPC) [688]. WhatsApp argued that compliance would require considerable challenges. The EDPB Opinion rejected this, noting that WhatsApp was of a size and had sufficient means to be able to achieve this [687].

Similarly, the DPC rejected arguments by WhatsApp that the DPC should show similar leniency in its approach to that allowed to smaller, national, controllers; the DPC noted that large, international, controllers with significant resources and in-house compliance teams will be held to a higher standard [668].

Quantum of fine

In setting the level of the fine, the DPC paid particular regard to:

  • the nature and gravity of the breach: the Commissioner noted that privacy information enables data subjects to exercise other rights and so is the "cornerstone of rights of data subjects" – accordingly she regarded this as a serious breach [701], [800]
  • the duration of the breach: considered to be ongoing since 25 May 2018 and
  • the very large number of data subjects potentially affected.

The Commissioner noted that relevant mitigating factors were: the limited nature of data processed about non-users and the changes already made by WhatsApp to the privacy notices – however, she considered that no significant weight should be applied to these factors.

Overall, the Commissioner considered that a fine should be set at €225 million (being the sum of the separate fines proposed for breaches of GDPR Arts. 12, 13, 14 and 5 respectively).

GDPR Art.83(4) and (5) provide for a cap on fines, set at the higher of a specified monetary or turnover-based amount. The EDPB opinion noted that the relevant turnover is that of "all the component companies of the single undertaking" [807], which would be the turnover of the group headed by Facebook Inc [846], [863 – 869; 885 - 886]. The EDPB art.65 decision directed the DPC to consider WhatsApp’s turnover not solely when ensuring that the fine did not breach the cap, but also when setting the level of the fine initially. In other words, larger organisations should – as a matter of principle – be exposed to larger fines, if required to achieve an effective, proportionate and dissuasive result [805].

The EDPB Opinion also instructed the DPC to impose a higher fine for the infringements identified. In considering this, the DPC benchmarked its decision against the €50 million fine imposed by the CNIL against Google.

The DPC calculated the proposed fine by adding together separate fines proposed for breach of GDPR Arts. 12, 13, 14 and 5. GDPR Art. 83(3) provides that "if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement". In the original decision notice, the DPC referred to this provision and interpreted this as meaning that the fine would be limited to the highest of the separate fines proposed for breaches of the various articles of the GDPR. The EDPB Opinion considered this interpretation to be incorrect; it stated that the provision should be interpreted instead as meaning that the total fine – for all the infringements – should not exceed the relevant fine cap as set out in arts. 83(4) or (5). Accordingly, the DPC re-calculated the fine on this basis.

Impact of the decision on the meaning of personal data and anonymisation techniques

The decision rejected WhatsApp’s arguments that telephone numbers of non-users and lossy-hashes do not amount to personal data. The DPC placed significant emphasis on the CJEU decision in Breyer[1], noting that the test is whether the risk of identification is "insignificant" [86].

In considering whether phone numbers should be regarded as personal data, the DPC outlined all the ways that could be used to identify the individual – including dialling the number and asking the user, or listening to a voicemail message. Readers may be familiar with the "motivated intruder" test, proposed in the UK Information Commissioner’s Anonymisation Code of Practice[2]. Motivation is often taken into account by practitioners when assessing risk of identification and what steps are appropriate to mitigate this risk[3]. The DPC specifically rejected WhatsApp’s arguments on this point, concluding that WhatsApp’s intent was irrelevant; as was the fact that – technically - WhatsApp could not access the raw phone numbers so as to seek to identify the user and would have had to redesign its systems so as to be able to do this. On this point, the DPC noted that WhatsApp had the technical power to do this and that the DPC would not give any significant weight to protective measures which were within the control of WhatsApp itself [33].

The DPC initially accepted WhatsApp’s arguments that the lossy hashes did not amount to personal data. However, the EDPB directed the DPC to conclude that the lossy hashes did amount to personal data. Again, EDPB underlined that the motivation was an irrelevant factor (p.38). The EDPB also concluded that WhatsApp relied too heavily on the argument that the lossy-hashes did not relate to a specific phone number and, instead, indicated 16 phone numbers. The EDPB noted that anonymisation depends on preventing singling out, inference and linking and the technique used by WhatsApp (k-anonymisation) only avoids singling out, but does not prevent inference or linkability. Further the EDPB concluded that WhatsApp overstated the effectiveness of the technique even so far as singling out was concerned, as WhatsApp looked at the total number of possible phone numbers in determining the value of k, whereas it should have looked at the actual number of phone numbers connected to individuals which would be far lower (p.309).

Argument that WhatsApp is just a processor for the user rejected

The DPC quoted extensively from the sections of the Article 29 Working Party’s Opinion 1/2010, which emphasize that the role of the controller is to „allocate responsibility“. Unsurprisingly, the DPC concluded that WhatsApp, rather than individual users, should be held responsible as controller. The DPC also noted that WhatsApp’s user facing materials did not suggest to users that WhatsApp regarded them as controllers.

*Most of the content in this article has been previously published on the IAPP website and shared with its members.

[1] Breyer v Bundesrepublik Deutschland (Case C-582/12)

[2] Information Commissioner’s Office 2012, Anonymisation: managing data protection risk code of practice, pp. 22-24

[3] Arbuckle, L & El Emam, K 2020, Building an Anonymization Pipeline, p. 50

Latest insights

More Insights

The Road to MiCAR continues – French view added

Apr 12 2024

Read More

Women in Tech: At the forefront of innovation - Key takeaways from Dr. Sonja Stuchtey, The Landbanking Group

Apr 12 2024

Read More

The first six months of the UPC

Apr 12 2024

Read More