The DPC has fined WhatsApp Ireland Limited €5.5 million for breaches of the GDPR.
The Data Protection Commission has announced the conclusion of its inquiry into WhatsApp. The DPC has fined WhatsApp Ireland €5.5 million for breaches of the GDPR. It has also directed WhatsApp Ireland to bring its data processing operations into compliance within a period of six months.
The inquiry concerned a complaint made on 25 May 2018 by a German data subject about the WhatsApp service. WhatsApp had updated its terms of service in advance of the GDPR coming into force, and informed users that if they wished to continue to have access to the WhatsApp service after the introduction of the GDPR, they had to accept the updated terms and were not able to access the services if they did not.
WhatsApp Ireland considered that, when the user accepted the updated terms of service, a contract was entered into between WhatsApp Ireland and the user. It also said that it had to process users' data to perform that contract, including service improvement and security, so the processing was lawful under Article 6(1)(b) of the GDPR (the contract legal basis for processing).
The complainant argued that WhatsApp Ireland was in fact seeking to rely on consent to provide a lawful basis for its processing of users' data and that such consent was "forced" and therefore in breach of the GDPR.
The DPC investigated and prepared a draft decision for review by its peer regulators in the EU/EEA, under Article 60 GDPR. Notably, the DPC found that:
These two parts of the decision were not contentious. The DPC went on to consider whether, in principle, the GDPR precluded WhatsApp Ireland's reliance on the contract legal basis it asserted, and concluded that it was not precluded. Six regulators disagreed and said that delivery of service improvement and security was not a core element of the contract with the user. The DPC disagreed with this, so it referred the case to the EDPB, which adopted its determination on 5 December 2022.
The EDPB largely upheld the DPC's position regarding the breach by WhatsApp Ireland of its transparency obligations, subject to the insertion of an additional breach (of the Article 5(1)(a) "fairness" principle). However, the EDPB took a different view to the DPC on the legal basis question, finding that, as a matter of principle, WhatsApp Ireland was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for service improvement and security. The final decision adopted by the DPC reflects the EDPB's binding determination.
Separately, the EDPB has also purported to direct the DPC to conduct a fresh investigation to consider other matters, but the DPC does not consider that the EDPB has the competence to instruct and direct an authority to engage in open-ended and speculative investigation.