This is far from the first time that Meta and its platforms have faced scrutiny over their privacy policies. This time around, the Irish Data Protection Commission (DPC) sanctioned WhatsApp with a fine of 5.5 million euros due to the lack of a legitimate legal basis for processing personal data in the EU. Interestingly enough, the DPC initially sided with Meta in this matter, but was eventually overruled by the European Data Protection Board (EDPB), where all EU data protection authorities are represented.

So, what led to the fine against WhatsApp?

In order to use WhatsApp, an individual needs to create an account and accept the terms and conditions, called “Terms of Service”. Upon acceptance, a contract between WhatsApp and the user is formed. In 2018, when the GDPR came into force, WhatsApp updated its Terms of Service in order to comply with the new law. To be able to continue using the app, users had to accept the new terms (and the associated privacy policy). The option to opt out and still use the service was not available.

This resulted in a complaint filed by the NGO noyb, led by Max Schrems. Several issues were raised in this regard, such as the forced consent to the new terms, a lack of transparency regarding WhatsApp’s data processing operations in general and, more specifically, its legal basis. According to noyb, WhatsApp simply listed all six legal bases under Article 6 GDPR without stating which specific one was being relied on for each processing operation. In particular, the reliance on Article 6 (1)(b) GDPR, which refers to processing necessary for the performance of a contract, was considered problematic. According to the complainant, the processing was not strictly necessary for the performance of the contract, but rather imposed by WhatsApp. As a result, this lack of information breached the principle of transparency under the GDPR.

The final decision adopted by the DPC in January 2023 reflects that the contractual basis, i.e. Article 6 (1)(b) GDPR, was, in fact, insufficiently founded. The Commissioner quotes the guidelines of the EDPB in this regard. Pursuant to these non-binding recommendations, “the processing in question must be objectively necessary for the performance of a contract with a data subject” in order for Article 6 (1)(b) to be its legitimate legal basis. It further specifies that “a distinction between processing activities necessary for the performance of a contract, and terms making the service conditional on certain processing activities that are not in fact necessary for the performance of the contract” is important. “Necessary for performance” clearly requires more than a mere contractual condition, thus making Article 6 (1)(b) GDPR not applicable in this case.

Needless to say, Meta appealed, but was nonetheless directed to comply with the DPC’s decision, therefore having to amend its legal basis in the meantime. Consequently, WhatsApp announced a significant change to its privacy policy on 17th July 2023, updating its legal basis to “Legitimate Interest”. This new legal basis, however, seems to be a shaky one at best. Serious concerns were raised promptly regarding its viability. In a recent precedent against Meta, for instance, the European Court of Justice stated unequivocally that obtaining consent was the only legitimate legal basis for processing their users’ data.

Outlook

The DPC was also directed by the EDPB to conduct a separate investigation into the entirety of WhatsApp’s processing operations to determine, for example, whether special categories of personal data are being processed in order to use them for behavioral advertising. Information such as the various groups an individual is a member of, or which other people they are in contact with, could easily reveal the data subject’s political affiliations, religious views or even their health conditions and more, thus disclosing sensitive personal data, according to noyb. This kind of information, however, may never be processed without the individual’s express, sufficiently informed and freely provided consent.

So, this case is not over just yet and it remains to be seen what other interesting finds future investigations of the DPC may reveal. In any case, we will keep you updated!