We first wrote this alert on 2 September 2021 and we’ve updated it to reflect recent developments including the appeal and judicial review.
We’ve talked before in our alerts about the rise in transparency cases under GDPR. Recent cases on transparency include the record fine to date from the Luxembourg DPA who fined Amazon €746m (see https://bit.ly/amazonfine). In early September we saw another transparency case with the Irish Data Protection Commission (DPC) fining WhatsApp €225m relating to WhatsApp’s transparency obligations. This is the second highest GDPR fine to date (after Amazon). The case went through the EDPB’s harmonisation process and suggests more high fines might be on the way.
The case brings the total value of transparency fines under GDPR to over €1bn.
Some technical terms are used in this note which are defined at www.bit.ly/gdprwords.
What is the WhatsApp case about?
The DPC started its investigation into WhatsApp in December 2018. It looked into whether WhatsApp has discharged its GDPR transparency obligations for the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. This included information provided to individuals about the processing of information between WhatsApp and other Facebook companies (Facebook bought WhatsApp in 2014).
Since this case fell under the so-called GDPR one-stop-shop the DPC consulted with other DPAs across the EU. It received objections to its proposed action from 8 of them. As the DPC and some of the other DPAs were unable to reach consensus a special dispute resolution process commenced between these authorities.
On 28 July 2021 the EDPB adopted a binding decision and notified the DPC. This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision. Following this reassessment the DPC has imposed a fine of €225m.
The EDPB decision also asked the DPC to look again at the reasons for the fine including additionally looking at WhatsApp’s incorrect interpretation of legitimate interests under GDPR. Legitimate interests from our experience is often poorly understood. This seems to be another hot topic for regulators – for example the Spanish DPA fined CaixaBank €6m earlier this year for failing to apply legitimate interests correctly (see https://www.corderycompliance.com/aepd-fines-caixabank/).
When did the DPC reach its decision?
The DPC made its decision on 20 August 2021 but has only published its decision in early September. It’s a long decision (266 pages in its pdf format).
Is this just a fine?
No. In addition to the fine, the DPC has also imposed a formal reprimand (under GDPR Art. 58(2)(b)) along with an order (under GDPR Art. 58(2)(d)) for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions. There are 8 remedial actions in the order and WhatsApp has 3 months to comply. The DPC had initially intended to allow 6 months but this was reduced by the EDPB process to 3.
One of the remedial actions is an obligation to remind users of their GDPR rights which may lead to a significant increase in users exercising those rights and consequently substantially more work for WhatsApp in meeting these requests.
We’re finding it increasingly common that DPAs are focused on remedial actions in addition to a fine. As we’ve said before sometimes the remedial action – such as an order to stop processing or stop data transfer – can be more costly than the fine.
WhatsApp has said however that it plans to appeal both the fine and the remedial actions which it views as too detailed and unworkable. As we’ve said before there’s a good track record of appeals being granted under GDPR.
One area where WhatsApp may well appeal is the EDPB’s decision that the fine should be based on group turnover (revenue) and not just the turnover of this entity. In this case, the EDPB decided that the consolidated turnover of the parent company (Facebook Inc.) was to be included in the turnover calculation. Facebook is clearly a substantial entity although the Irish WhatsApp entity that was fined appeared to have a turnover of just $102m in its last accounts – less than half the fine levied.
Does Ireland have a track record for GDPR enforcement?
The simple answer is no. Ireland has had only 5 public cases under GDPR. The previous highest was a €450,000 fine for Twitter in December 2020. You can read more about that case here https://www.corderycompliance.com/irish-dpc-fines-twitter-2/. The fine in this case after the EDPB procedure is substantially higher than the fine Ireland proposed. It is likely however that the EDPB process may be repeated to raise the level of fines – the EU mechanism also increased the fine in the Twitter case. Any increase in fining levels is likely to have a significant effect for US corporations in particular since the DPC has a number of large ongoing investigations currently including (it is rumoured) into Apple, Facebook, Google and LinkedIn.
Will there be similar cases?
Yes – transparency seems to be high on the agenda for most DPAs.
What happens next?
WhatsApp has now issued judicial review proceedings against the DPC. Those proceedings were issued on 15 September 2021. Separately it has also issued appeal proceedings in Ireland against the decision. Those proceedings could be referred to the EU courts on points of EU law (in the same way the earlier Schrems cases were referred). There could additionally be a third set of proceedings in the EU looking principally at the EDPB’s involvement although moves in connection with that third option have not currently been confirmed. EU law allows a longer period to decide whether to appeal or not than Irish law does.
What are the lessons learned?
Transparency continues to be a key focus for DPAs across Europe. Organisations need to be clear over how they process data and they need to be honest about their data processing practices. Sometimes the transparency obligations under GDPR can be difficult to meet – especially in cases like this where WhatsApp was also processing data on non-users with whom it did not have a direct relationship. Just because this is hard however it doesn’t mean the obligations can simply be ignored.
We can expect many more cases on transparency. Organisations should take their obligations seriously. This may include:
- Conducting a solid DPIA and an investigation into how data is processed
- Reviewing privacy policies and other documentation to make sure it is still accurate
- Make sure privacy policies and other relevant documents remind people of their data subject rights under GDPR
- Training those in the organisation on GDPR’s 6 principles – often transparency obligations are breached when data is used for a different purpose and there’s mission creep
- Reviewing on-site or in-service messages to remind users where they can access privacy policies and other information
For more information
You can keep up to date with data protection news by joining Cordery GDPR Navigator. A subscription includes a call each month to go through the highlights of enforcement for that month. GDPR Navigator also includes short films, straightforward guidance and checklists to help you comply. More details are at www.bit.ly/gdprnav.
You can listen to Jonathan Armstrong talking about the Amazon fine and transparency in GDPR with Richard Levick here https://bit.ly/levickransom2.
You can see a summary of the DPC decision here https://bit.ly/3zzHDYl and the full decision here https://edpb.europa.eu/system/files/2021-09/dpc_final_decision_redacted_for_issue_to_edpb_01-09-21_en.pdf. The EDPB’s decision can be downloaded here https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-decisions_en.
For more information please contact Jonathan Armstrong who is a lawyer with Cordery in London where his focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House,
30 Farringdon Street, London EC4A 4HH
T: +44 (0)20 7075 1784