On September 2, 2021, the Irish Data Protection Authority (DPA) imposed a fine of €225 million on WhatsApp.
This decision follows the binding decision of the European Data Protection Board (EDPB) adopted on July 28, 2021 but only published on September 2, 2021, which instructed the Irish DPA to increase its proposed fine.
According to the 266-page decision, its scope is limited to assessing the extent to which WhatsApp complies with its transparency obligations under the GDPR (i.e. the content of the information notice to be provided) and does not address the lawfulness of the processing operations at stake.
In this regard, the Irish Authority found that WhatsApp:
- did not provide sufficient information to its users; and
- did not provide any information to its non-users whose mobile phone number was processed.
This decision, which follows the €746 million fine imposed on Amazon by the Luxembourg authority, may confirm a change in how the GDPR is enforced and may be the first step towards ever-growing control by the EDPB, or by the major data protection authorities, over the more lenient supervisory authorities.
It also says a great deal about what is expected of a GDPR information notice in terms of content and layout.
1. Background information
The Irish Data Protection Authority, after receiving numerous complaints, opened an investigation into WhatsApp Ireland Ltd. on 10 December 2018.
It examined whether WhatsApp complied with its GDPR transparency obligations with regard to the provision of information to both users and non-users of WhatsApp’s service.
The investigation also covered the information provided to data subjects about the sharing of information between WhatsApp and other Facebook companies.
Following this investigation, the DPC submitted a draft decision to all Concerned Supervisory Authorities (CSAs), as is required when the processing operations concern data subjects located in more than one EU Member State.
Eight CSAs raised objections to the draft decision and, as no consensus could be reached with them, the dispute resolution process (Article 65 GDPR) was triggered on 3 June 2021.
On 28 July 2021, the European Data Protection Board (EDPB) adopted a binding decision requiring the Irish DPA to reassess and increase its proposed fine.
Following this reassessment, the DPC imposed a fine of €225 million on WhatsApp, together with a reprimand and an order for WhatsApp to bring its processing into compliance.
2. Main Findings by the Irish DPA
According to the Commissioner, there were four infringements, all considered serious in nature and attributable to WhatsApp's negligence. The decision pointed out that WhatsApp provided only 41% of the prescribed information to users and none of the prescribed information to non-users. The breach was considered severe in gravity, in particular because of the number of users and potential non-users affected.
2.1. Lack of transparency regarding the processing of non-users' mobile phone numbers (the most serious breach)
Processing operations of non-users data is subject to the GDPR
When users install the WhatsApp application on their mobile phone, they may authorise WhatsApp to access their contacts in order to find out whether these contacts are already WhatsApp users. If they are, they appear in the new user's WhatsApp contact list; if not, their information may be retained until they become a WhatsApp user.
As a result, when a non-user installs the WhatsApp application, he or she automatically appears in the WhatsApp contact list of all of his or her contacts who use the application.
Although WhatsApp strongly disagreed with the DPA's position, arguing that it either processes anonymous data or acts as a processor, the DPA considered that WhatsApp was acting as a controller in respect of these processing operations.
Lack of information provided to non-users
As a controller, WhatsApp should have provided an information notice to these non-users in accordance with Article 14 GDPR. By not providing this information, WhatsApp failed to comply with its transparency obligation.
The Authority considered this breach the most serious of the four identified, given the estimated number of non-users concerned (126 million) and the fact that they had no knowledge of or control whatsoever over the processing of their personal information.
Reaching out to these non-users (for example by way of information published on the WhatsApp website) was not deemed disproportionate.
2.2. Lack of transparency regarding the processing of WhatsApp users' personal data
Overall, the DPA stressed that, with regard to the purposes of processing and their legal bases, the information provided was neither clear nor detailed enough.
In particular, it found that:
– it was not possible to identify which processing operations were grounded on each legal basis and which categories of personal data were concerned. This requirement is surprising, as Article 13 GDPR does not expressly require the controller to identify the processing operations and the categories of data (unlike Article 14);
– the data subject was unable to identify which legal basis WhatsApp relied upon for a particular processing operation, since WhatsApp relied on several legal bases for the same processing purpose;
– the law on which the processing operations were grounded, or the public interest pursued, was not identified.
3. Details of the fine
In setting the amount of the fines, the Authority considered the lack of transparency to be negligent (as opposed to intentional) and serious, and took into particular consideration the large number of users and potential non-users affected.
As WhatsApp is a company controlled by Facebook, the Irish Authority also took the worldwide turnover of the Facebook group into account in reaching its decision.
It therefore issued:
– a reprimand;
– an order to bring the processing operations into compliance within 3 months of the day following the date of service of the order; and
– an administrative fine addressed to WhatsApp in the amount of €225 million, broken down as follows:
  - for the infringement of Article 5(1)(a) of the GDPR (i.e. the transparency principle), a fine of €90 million;
  - for the infringement of Article 12 of the GDPR (i.e. transparent information and the modalities for exercising data subjects' rights), a fine of €30 million;
  - for the infringement of Article 13 of the GDPR (i.e. information to be provided to users), a fine of €30 million; and
  - for the infringement of Article 14 of the GDPR (i.e. information to be provided to non-users), a fine of €75 million.
For any question, please contact Arnaud Blanc, French lawyer and privacy expert.