The Irish Data Protection Commission (DPC) has concluded a GDPR investigation it conducted into WhatsApp Ireland Ltd. The DPC’s investigation examined whether WhatsApp had discharged its GDPR transparency obligations regarding the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.
Following its investigation, the DPC submitted a draft decision to all concerned EU supervisory authorities under Article 60 GDPR. The DPC subsequently received objections from eight authorities. The DPC was unable to reach consensus with the authorities on the subject-matter of the objections and triggered the dispute resolution process under Article 65 GDPR.
In July, the European Data Protection Board adopted a dispute resolution decision under Article 65 GDPR which has now been published. In summary, the EDPB required the DPC to reassess and increase its proposed fine based on several factors contained in the EDPB’s decision. Following this reassessment the DPC has imposed a fine of €225 million on WhatsApp. In addition to the imposition of an administrative fine, the DPC has also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.
Following its assessment, the EDPB believed that the DPC should amend its draft decision regarding:
- infringements of transparency;
- the calculation of the fine; and
- the period for the order to comply.
Regarding transparency, the draft decision of the DPC already identified a severe breach of Articles. 12, 13 and 14 GDPR. The EDPB identified additional shortcomings with the information provided, affecting users’ ability to understand the legitimate interests being pursued. Therefore, the EDPB requested that the DPC include a finding of an infringement of Article 13(1)(d) GDPR in its decision.
In addition, the EDPB clarified that, although not every infringement of Articles 12-14 GDPR necessarily involves an infringement of Article. 5 (1) (a) GDPR, in this particular case, in light of the gravity and the overarching nature and impact of the infringements, there was an infringement of the transparency principle in Article 5(1)(a).
Regarding WhatsApp’s collection of data of non-users (when users decide to use the Contact Feature functionality) the EDPB found that the procedure used by WhatsApp did not lead to anonymisation of the collected personal data.
Regarding the imposed fine and the calculation of the fine, the EDPB decided that the turnover of an undertaking is not exclusively relevant to decide the maximum fine amount under Article 83(4)-(6) GDPR. However, it may also be considered for the calculation of the fine itself, where appropriate, to ensure the fine is effective, proportionate and dissuasive under Article 83(1) GDPR. In this case, the EDPB found the consolidated turnover of the parent company (Facebook Inc.) should be included in the turnover calculation.
Further, for the first time, the EDPB clarified the interpretation of Article. 83(3) GDPR. When faced with multiple infringements for the same or linked processing operations, all the infringements should be taken into consideration when calculating the amount of the fine. This is notwithstanding the duty on supervisory authorities to consider the proportionality of the fine and to respect the maximum fine amount under the GDPR.
The DPC’s draft Decision further included an order to bring processing operations into compliance within six months. The EDPB found it of primary importance that compliance with transparency obligations is ensured in the shortest timeframe possible and asked the DPC to reduce the deadline to three months.
The binding decision was addressed to the supervisory authorities concerned, and the DPC as lead supervisory authority has adopted its national decision based on the EDPB decision. WhatsApp has been notified of the DPC decision, with the EDPB decision annexed to it.
The EDPB points out that this decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties.
