The EDPB rejected the Hamburg Auhtority’s request but requires further investigations to be carried out on Facebook and Whatsapp Ireland.
The EDPB rejects the Hamburg Auhtority’s request but requires further investigations
The implementation of final measures is not yet warranted by the certainty of the alleged infrigments and urgency
The EDPB decided that the conditions to demonstrate the existence of an infringement and an urgency are not met. Therefore, the EDPB decided that no final measures need to be adopted by the Irish data protection authority against Facebook Ireland in this case.
Indeed, if founds that there was “only” a high likelihood that Facebook Ireland already process Whatsapp’s user data as a (joint) controller for :
- the common purpose of safety, security and integrity of WhatsApp IE and the other Facebook Companies;
- for the improvement of the products of the Facebook Companies;
- for marketing communications;
- for its own purpose in relation to WhatsApp Business API.
Indeed, the EDPB could not determine with certainty whether or not these processing operations were currently carried out and in which capacity (i.e. Controller, joint controller or processor).
Besides, the EDPB ruled that article 61 (8) GDPR could not apply as the Hamburg authority could not demonstrate that the Irish authority failed to respond to his request within one month (FYI, under this article, the urgency is presumed if an authority fails to cooperate).
The adoption of the Updated Terms by Whatsapp, which is as problematic as the previous version, do not justify the urgency for the EDPB to order the Irish Authority to adopt final measures under Article 66(2) GDPR.
The EDPB requires the Irish Authority to carry out investigation against Facebook Ireland and Whatsapp Ireland
Considering the high likelihood of the infringements, the EDPB considered that this matter requires swift further investigations.
In particular to verify if, in practice, Facebook Companies are carrying out processing operations which imply the combination or comparison of WhatsApp IE’s user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated inter alia by the use of unique identifiers.
For this reason, the EDPB requests the IE SA to carry out, as a matter of priority, a statutory investigation to determine :
- whether such processing activities are taking place or not, and if it is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR;
- the role of Facebook IE, i.e. whether Facebook IE acts a processor or as a (joint controller), with respect to the processing operations for marketing purposes and cooperation with the other Facebook coppanies as well as regarding the Whatsapp business API.
For the EDPB it is not urgent to take final measures to prevent the processing operations from being carried out mainly because the reality of these processing operations is not certain. However, it considers urgent to carry out investigations.
This delay shows, in some way, the limit of the GDPR efficiency as if the investigations are urgent, one may expect that the Irish Authority carry out an investigation months ago when Whatsapp updated its terms and conditions.
For any question, do not hesitate, to contact Arnaud Blanc, French lawyer and privacy expert.