A Groundbreaking Whatsapp Decision by the Irish Supervisory Authority

November 2021 Defne Pırıldar

Introduction

On 2 September 2021, the Irish Data Protection Commission, the supervisory authority in Ireland (“IE SA”), announced its decision (“National Decision”) regarding the investigation (“Investigation”) it had performed to establish whether WhatsApp Ireland Ltd (“WhatsApp IE”) had violated its transparency obligations under the General Data Protection Regulation (“GDPR”).[1] As the investigation was of a cross-border nature, the IE SA carried out the investigation as the lead supervisory authority and rendered its final and binding decision after the dispute resolution decision of the European Data Protection Board (“EDPB”) dated 28 July 2021 (“EDPB Decision”). Soon after, the EDPB itself announced the decision in a press release on 2 September 2021. This press release also elaborated on the material recommendations in the EDPB Decision and the findings of the IE SA in its Draft Decision.[2]

Considering the binding recommendations under the EDPB Decision, the IE SA increased the fine that it had proposed in its draft decision and imposed a fine of €225 million on WhatsApp IE. The National Decision, as well as the EDPB Decision, deserves careful study, as this is the second highest administrative fine imposed under the GDPR by a European authority. This Newsletter will focus on the details of the investigation and the assessments of the EDPB.

Background Information on the Investigation

The IE SA commenced a thorough investigation into WhatsApp IE on 10 December 2018. The investigation focused on whether WhatsApp IE had complied with its obligations pursuant to Articles 12, 13, and 14 of the GDPR, both for users and non-users of the service offered by WhatsApp IE. Despite the fact that the data processing activities of WhatsApp IE concerned data subjects from various EU member states, the IE SA conducted the investigation as the Lead Supervisory Authority since WhatsApp IE’s single establishment was located in Dublin, Ireland. Consequently, the cross-border processing by WhatsApp IE triggered the mechanism referred to as the “one-stop-shop”, established under the Cooperation and Consistency chapter of the GDPR.

First, the Draft Decision by the IE SA was served on the concerned supervisory authorities (“CSAs”) on 24 December 2020, and a number of objections were raised pursuant to Article 60(4) of the GDPR. The IE SA evaluated the objections and comments, then invited WhatsApp IE to respond to the objections concerning the effectiveness of the anonymization process. The IE SA then reassessed its decision and served the revised decision on the CSAs. After receiving comments on the revised decision, the IE SA concluded that the authorities were unable to reach a consensus. Based on this conclusion, the IE SA invited WhatsApp IE to exercise its right to be heard on 23 April 2021 and proposed to submit the case to the EDPB. Finally, the IE SA commenced the dispute resolution process on 3 June 2021 and submitted the dispute to the EDPB.[3]

The EDPB adopted a binding dispute resolution decision as set forth in Article 65(1)(a) of the GDPR on 28 July 2021. That article provides that the EDPB shall adopt a binding decision where a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority and the lead supervisory authority has not followed the objection or has rejected it as not being relevant or reasoned. The binding decision shall address all matters of a relevant and reasoned objection.

Following its assessment, the EDPB was of the opinion that the IE SA should amend its Draft Decision regarding the infringement of transparency obligations, the calculation of the fine, and the corrective measures. Based on the EDPB’s instructions to reassess and amend, the IE SA imposed a fine of €225 million on WhatsApp IE, as noted above. The IE SA also decided to issue a reprimand pursuant to Article 58(2)(b) and ordered WhatsApp IE to bring its processing into compliance.[4]

Evaluation by the EDPB

With its Draft Decision, the IE SA concluded that WhatsApp IE had breached its transparency obligations and had failed to comply with Articles 12, 13 and 14 of the GDPR. First, the EDPB noted that the IE SA had made a finding of non-compliance with Article 13(1)(c) but had not found an infringement of Article 13(1)(d) of the GDPR. In this respect, the EDPB agreed with the objections which argued that, in order for data subjects to properly exercise their rights under the GDPR, they needed specific information about which legitimate interests related to each processing operation, and which entity pursued each legitimate interest.[5] The EDPB concluded that the Legal Basis Notice issued by WhatsApp IE did not contain specific information regarding the processing operations involved and therefore lacked clarity and intelligibility.[6]

Another material finding by the IE SA concerned the “Contact Feature”, which allowed WhatsApp IE to process the phone numbers in the address books of the users who enabled the feature. The EDPB noted that WhatsApp IE could also collect data of non-users through the Contact Feature and examined the Lossy Hashing procedure used for the anonymization of personal data. In its Draft Decision, the IE SA concluded, when assessing the Lossy Hashing procedure, that its result did not constitute personal data. Despite this assessment, the IE SA concluded that WhatsApp IE had failed to comply with its obligation under Article 14 and therefore decided on a fine in the range of €30 million to €50 million.[7] The IE SA’s analysis received various objections from the CSAs. While assessing the objections, the EDPB highlighted the comment raised by the Polish supervisory authority that “the finding that the Lossy Hashing procedure does not guarantee the anonymization of data would lead to a different conclusion as regards both the scope of the obligations under Articles 12 and 14 GDPR and the corrective measures”.[8] For this reason, the EDPB concluded that the Draft Decision needed to be amended, since it posed a risk that non-user data subjects might not be able to enforce their rights under the GDPR, and requested the IE SA to include a finding of an infringement of Article 13(1)(d).[9]

Additionally, the EDPB pointed out further infringements under Article 5(1)(a) of the GDPR. The EDPB stated that the principle of transparency is not limited to the obligations established under Articles 12, 13, and 14 of the GDPR, and held that transparency is an overarching principle which both reinforces and stems from other principles.[10] In view of the (i) gravity, (ii) “overarching nature” and (iii) effect of the infringements, the EDPB concluded that the infringement of the transparency obligations also amounted to a breach of Article 5(1)(a).[11] In other words, the EDPB concluded that WhatsApp IE had violated its obligation to process personal data lawfully, fairly and in a transparent manner.

The Draft Decision by the IE SA also included a corrective measure which obliged WhatsApp IE to bring its operations into compliance within six months pursuant to Article 58(2)(d) of the GDPR. Moreover, the IE SA proposed seven actions to be taken by WhatsApp IE in order to provide information in compliance with Articles 12, 13 and 14 of the GDPR.[12] Given the organization, size and means of WhatsApp IE, the EDPB found it to be of primary importance that the transparency obligations be complied with immediately. For this reason, the EDPB found it proportionate to reduce the six-month period to three months.[13]

Moreover, concerning the simultaneous breaches of Articles 12, 13, and 14 of the GDPR, the IE SA in its Draft Decision considered that “the amount of any consequent fine cannot exceed the amount specified for the gravest infringement”, with reference to Article 83(3) of the GDPR. Accordingly, the IE SA found that the infringement of Article 14 regarding non-users was the gravest and proposed to impose a fine only in this regard, again with reference to Article 83(3) of the GDPR.[14] First, the EDPB elaborated on how to interpret Article 83(3) of the GDPR and stated that the object of Article 83 is to ensure an effective, proportionate and dissuasive fine even for the largest undertakings,[15] and that a fine should also address the circumstances of the relevant case.[16] The EDPB added that if only a single infringement were taken into consideration, it would make no difference whether a data controller had committed a single violation or multiple violations.[17] For the first time, the EDPB clarified the wording “the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement” under Article 83(3) of the GDPR. The EDPB stated that, while an undertaking may be found guilty of breaching multiple provisions, all infringements should be considered when deciding the amount of the fine to be imposed. Therefore, while the gravest infringement constitutes a legal maximum for the fine pertaining to multiple infringements for the same or linked processing operations, the other infringements cannot be ignored.[18] For this reason, the EDPB found that all infringements should be taken into account when calculating the amount of the fine in the concrete case.[19]

For the calculation of the fine, the EDPB noted that the IE SA had considered the “nature, gravity and duration of the infringement” and “the potential number of data subjects affected.” The EDPB also noted that, in order to determine an effective fine, the circumstances of the case as well as the financial state of the data controller should be assessed.[20] When the nature, gravity and duration of the infringements under Article 83(2) are considered, an administrative fine based on the turnover of the undertaking alone does not respond to the seriousness and severity of the infringements and fails to have a dissuasive effect on WhatsApp IE.[21] Therefore, the EDPB referred to the IE SA’s assessment in its draft decision that qualified Facebook Inc. and WhatsApp IE as a single undertaking[22] and stated that the IE SA should consider the total turnover of all the component companies of this single undertaking in order to fulfil the purpose of Article 83. Based on the EDPB’s binding instruction, the IE SA imposed a fine based on the total worldwide annual turnover of the parent company, meaning the consolidated turnover of the group headed by Facebook Inc.[23]

Conclusion

The EDPB Decision is of special importance for the assessment of fines and the determination of the maximum fine amount. First, the EDPB’s instruction to include the consolidated turnover of the parent company when calculating the administrative fine is striking. The guidance on how to interpret Article 83(3) in the case of multiple infringements for the same or linked operations is also useful: instead of taking only the amount for the gravest infringement, all infringements should be taken into consideration when calculating the amount of the fine in such cases. In summary, the EDPB Decision (and subsequently the IE SA’s decision) deserves attention, since its assessments shed light on future investigations that address the relationship between a parent company and its subsidiaries.

[1] For the announcement, see https://dataprotection.ie/en/news-media/press-releases/data-protection-commission-announces-decision-whatsapp-inquiry (date of access: 13.11.2021).

[2] For the announcement, see https://edpb.europa.eu/news/news/2021/edpb-requests-irish-sa-amends-whatsapp-decision-clarifications-transparency-and_en (date of access: 13.11.2021).

[3] EDPB Decision, para. 4.

[4] National Decision, para. 888. See https://edpb.europa.eu/system/files/2021-09/dpc_final_decision_redacted_for_issue_to_edpb_01-09-21_en.pdf (date of access: 13.11.2021).

[5] EDPB Decision, paras. 57-59.

[6] EDPB Decision, paras. 60-66.

[7] EDPB Decision, para. 68.

[8] EDPB Decision, para. 136.

[9] EDPB Decision, para. 66.

[10] EDPB Decision, para. 192.

[11] EDPB Decision, para. 201.

[12] EDPB Decision, para. 241.

[13] EDPB Decision, para. 263.

[14] EDPB Decision, para. 299.

[15] EDPB Decision, para. 321.

[16] EDPB Decision, para. 414.

[17] EDPB Decision, para. 323.

[18] EDPB Decision, para. 326.

[19] EDPB Decision, para. 325.

[20] EDPB Decision, para. 414.

[21] EDPB Decision, para. 422.

[22] EDPB Decision, para. 292.

[23] National Decision, para. 887.

All rights of this article are reserved. This article may not be used, reproduced, copied, published, distributed, or otherwise disseminated without quotation or Erdem & Erdem Law Firm's written consent. Any content created without citing the resource or Erdem & Erdem Law Firm’s written consent is regularly tracked, and legal action will be taken in case of violation.
