So, what led to the fine against WhatsApp?
This resulted in a complaint filed by the NGO noyb, led by Max Schrems. Several issues were raised in this regard, such as the forced consent to the new terms, a lack of transparency regarding WhatsApp’s data processing operations in general and more specifically, its legal basis. According to noyb, WhatsApp simply listed all six legal bases under Article 6 GDPR without stating which specific one was being relied on for each processing operation. Particularly, the reliance on Article 6 (1)(b) GDPR, which refers to processing necessary for the performance of a contract, was considered problematic. According to the complainant, the processing was not strictly necessary for the performance of the contract, but rather imposed by WhatsApp. This lack of information as a result, breached the principle of transparency under the GDPR.
The final decision adopted by the DPC in January 2023 reflects that the contractual basis, i.e. Article 6 (1)(b) GDPR, was in fact, insufficiently founded. The Commissioner quotes the guidelines of the EDPB in this regard. Pursuant to these non-binding recommendations, “the processing in question must be objectively necessary for the performance of a contract with a data subject” in order for Article 6 (1)(b) to be its legitimate legal basis. It further specifies that “a distinction between processing activities necessary for the performance of a contract, and terms making the service conditional on certain processing activities that are not in fact necessary for the performance of the contract” is important. “Necessary for performance” clearly requires more than a mere contractual condition, thus, making Article 6 (1)(b) GDPR not applicable in this case.
The DPC was directed by the EDPB to also conduct a separate investigation regarding the entirety of WhatsApp’s processing operations to determine e.g., if special categories of personal data are being processed in order to use them for behavioral advertisement. Information such as the various groups an individual is a member of, or which other people they are in contact with, could easily reveal the data subject’s political affiliations, religious views or even their health conditions and more, thus disclosing sensitive personal data, according to noyb. This kind of information however, may never be processed without the individual’s express, sufficiently informed and freely provided consent.
So, this case is not over just yet and it remains to be seen what other interesting finds future investigations of the DPC may reveal. In any case, we will keep you updated!