WhatsApp faces €5.5 million fine, as DPC limits the scope of the case against WhatsApp and rejects the EDPB request to investigate matters like data sharing within Meta.
As confirmed by the Irish DPC today, the European Data Protection Board (EDPB) has decided that Meta cannot force WhatsApp users to agree to the use of their data for "service improvements" and "security". The core matter of data use for "the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies" was not dealt with by the Irish DPC - despite a binding decision of the EDPB that these matters must be investigated. The decision comes 4.5 years after the original complaints were filed by noyb on Meta's bypass of the GDPR via a clause in the terms and conditions.
- Explainer video on Meta's bypass (from December 2022)
- Blogpost on decisions on Facebook and Instagram
- Original complaints by noyb from 2018
- Final Decision by the DPC (PDF)
- Decision by the EDPB (PDF)
Key Facts:
- On May 25th 2018, noyb filed three complaints against Facebook, Instagram and WhatsApp on the basis of forced consent.
- Two complaints filed against Facebook and Instagram on behalf of an Austrian and a Belgian user were decided in the first week of January, leading to a combined fine of €390 million.
- The third decision on WhatsApp on behalf of a German user was published today.
- Meta tried to "bypass" the consent requirement in the GDPR by adding a clause to the terms and conditions for advertising.
- In December 2022, the EDPB overturned a previous draft decision by the Irish DPC that had taken the view that Meta's bypass of the GDPR was legal. The EDPB requested changes to the decision on WhatsApp, as well as further investigations into the core violations by WhatsApp.
- The DPC has now adapted its limited decision, but refuses to investigate other matters, as ordered by the EDPB. The DPC threatens to bring a lawsuit against its European partners.
- The decision likely requires WhatsApp to implement an "opt-in" for the use of personal data for "product improvement", while the use of personal data for security could largely be shifted to another legal basis.
Meta wanted to "bypass" GDPR. The GDPR allows for six legal bases to process data, one of which is consent under Article 6(1)(a). Meta tried to bypass the consent requirement for tracking and online advertisement by arguing that ads are a part of the "service" that it contractually owes the users. The alleged switch of legal basis happened exactly on 25 May 2018 at midnight when the GDPR came into force. So-called "contractual necessity" under Article 6(1)(b) is usually understood narrowly and would e.g. allow an online shop to forward the address to a postal service, as this is strictly necessary to deliver an order. Meta, however, took the view that it could add random elements to the contract (such as personalized advertisement), to avoid a yes/no consent option for its users.
DPC limits case to "security" and "improvement of services". The DPC has now limited the 4.5 year procedure to the minor issues of the legal basis for using data for security purposes and for service improvement. The DPC thereby ignores the major issues of sharing WhatsApp data with Meta's other companies (Facebook and Instagram) for advertisement as well as other purposes. While users should be asked for the use of their data for improving products via an opt-in, it seems clear that the use of data for security remains legal under the GDPR, even if this is not included in a contract anymore.
Max Schrems: "We are astonished how the DPC simply ignores the core of the case after a 4.5 year procedure. The DPC also clearly ignores the binding decision of the EDPB. It seems the DPC finally cuts loose all ties with EU partner authorities and with the requirements of EU and Irish law."
WhatsApp "metadata" further used for personalized ads? While WhatsApp doesn't provide personalized ads, it does provide so-called "metadata" to Facebook and Instagram, which in turn is used for personalized advertising on the two social media platforms. This metadata reveals lots of information on the communication behaviour of users: who communicates with whom and when, who uses the app when, for how long and how often. While the communication itself is encrypted, the phone numbers and associated Facebook or Instagram accounts of people are collected. Such information can then be used to personalize ads for users on other Meta platforms like Facebook and Instagram. The DPC seems to have refused to investigate this core matter of the complaints.
Max Schrems: "WhatsApp says it's encrypted, but this is only true for the content of chats - not the metadata. WhatsApp still knows who you chat with most and at what time. This allows Meta to get a very close understanding of the social fabric around you. Meta uses this information to, for example, target ads that friends were already interested in. It seems the DPC has now simply refused to decide on this matter, despite 4.5 years of investigations."
DPC and Meta cooperated and got overruled by EDPB. During the course of the procedure, Meta has relied on ten confidential meetings with the Irish DPC, in which the DPC allowed Meta to use this "bypass". It was later revealed that the DPC had even tried to influence relevant EDPB Guidelines in the interest of Meta. Nonetheless, the other European DPAs rejected the DPC's view internally in 2018, in Guidelines in 2019 and again in the final EDPB decision in December 2022. The case dragged on for 4.5 years, with hundreds of pages of reports and submissions, despite being about a rather simple legal question.
Max Schrems: "This case is about a simple legal question. Meta claims that the 'bypass' happened with the blessing of the DPC. For years, the DPC has dragged out the procedure and insisted that Meta may bypass the GDPR, but was now overruled by the other EU authorities. It is overall the fourth time in a row the Irish DPC was overruled."