Facebook – Whatsapp: The EDPB requires the Irish SA  to carry out statutory investigation on Facebook
On July 15, 2021, the European Data Protection Baord (EDPB) adopted its first urgent binding decision in application of Art. 66(2) GDPR following a request from the Hamburg supervisory authority. 
In this case, the Hambourg Authority ordered a ban on processing WhatsApp users’ data by Facebook Ireland for their own purposes following a change in the Terms of Service and Privacy Policy applicable to European users of WhatsApp Ireland Ltd.
However, under article 66 GDPR, as the Irish supervisory authority is the the lead supervisory authority in this matter, the Hamburg Authority needed the validation of the EDPB for these  provisional measures to become final.

The EDPB rejected the Hamburg Auhtority’s request but requires further investigations to be carried out on Facebook and Whatsapp Ireland.

Background information
Article 66 GDPR provides for an urgency procedure under which a data protection authority of a Member States can take provisional measures toward an organisation processing personal data without going through the cooperation mechanism. 
The consistency mechanism is applicable when an organisation processes personal data across more than one Member state. Indeed, as more than one data protection authority in the EU is competent, they cooperate with each other and follow a lead supervisory authority. This mechanism is also called the one-stop-shop mechanism (see here for more information about).
However, the provisional measures taken by a data protection authority under this urgency mechanism can last not more than 3 months and if the authority taking the measures wants them to be final, it must obtain the EDPB approval and prove that there is an urgency to apply these measures.
In this case, the Hamburg authority took provisional measures toward Whatsapp/Facebook Ireland and sought the EDPB approval to extend the application of these measures.
The EDPB rejects the Hamburg Auhtority’s request but requires further investigations
EDPB decided that the requirements for urgency were not met but requires the Irish Authority to carry out further investigations.
The implementation of final measures is not yet warranted by the certainty of the alleged infrigments and urgency

The EDPB decided that the conditions to demonstrate the existence of an infringement and an urgency are not met. Therefore, the EDPB decided that no final measures need to be adopted by the Irish data protection authority against Facebook Ireland in this case.

Indeed, if founds that there was  “only” a high likelihood that Facebook Ireland already process Whatsapp’s user data as a (joint) controller for :

  • the common purpose of safety, security and integrity of WhatsApp IE and the other Facebook Companies;
  • for the improvement of the products of the Facebook Companies;
  • for marketing communications;
  • for its own purpose in relation to WhatsApp Business API.

Indeed, the EDPB could not determine with certainty whether or not these processing operations were currently carried out and in which capacity (i.e. Controller, joint controller or processor).

Besides, the EDPB ruled that article 61 (8) GDPR could not apply as the Hamburg authority could not demonstrate that the Irish authority failed to respond to his request within one month (FYI, under this article, the urgency is presumed if an authority fails to cooperate).

The adoption of the Updated Terms by Whatsapp, which is as problematic as the previous version, do not justify the urgency for the EDPB to order the Irish Authority to adopt final measures under Article 66(2) GDPR.

The EDPB requires the Irish Authority to carry out investigation against Facebook Ireland and Whatsapp Ireland

Considering the high likelihood of the infringements, the EDPB considered that this matter requires swift further investigations.

In particular to verify if, in practice, Facebook Companies are carrying out processing operations which imply the combination or comparison of WhatsApp IE’s user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated inter alia by the use of unique identifiers.

For this reason, the EDPB requests the IE SA to carry out, as a matter of priority, a statutory  investigation to determine :

  • whether such processing activities are taking place or not, and if it is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR;
  • the role of Facebook IE, i.e. whether Facebook IE acts a processor or as a (joint controller), with respect to the processing operations for marketing purposes and cooperation with the other Facebook coppanies as well as regarding the Whatsapp business API.

For the EDPB it is not urgent to take final measures to prevent the processing operations from being carried out mainly because  the reality of these processing operations is not certain. However,  it considers urgent to carry out investigations.

This delay shows, in some way, the limit of the GDPR efficiency as if the investigations are urgent,  one may expect that the Irish Authority carry out an investigation months ago when Whatsapp  updated its terms and conditions.

For any question, do not hesitate, to contact Arnaud Blanc, French lawyer and privacy expert.

Facebook – Whatsapp: The EDPB requires the Irish SA  to carry out statutory investigation on Facebook
Tagged on: