WhatsApp received a €225 million fine on September 2—the second biggest GDPR penalty on record.

The Irish supervisory authority (SA) found multiple violations of the GDPR’s transparency obligations. 

But after circulating a draft decision with other EU SAs, Ireland was forced to add a further finding—that WhatsApp had not properly described its legitimate interests to data subjects.

The fine was also increased more than fourfold. But that’s another story.

This article will take a look at how the EU’s supervisory authorities—and even employees within the Irish Data Protection Commission itself—disagreed about what information WhatsApp should have provided when describing its legitimate interests.

We’ll also consider what the EDPB’s binding decision and the Irish DPA’s revised enforcement decision tell us about how controllers should be writing this section of their privacy notices.

Consistency mechanism and dispute resolution process

As noted, this WhatsApp penalty is significant for several reasons, including that the fine emerged from a process known as the “consistency mechanism.” 

The consistency mechanism comes from Section 2 of the GDPR, comprising Articles 63-67. 

Essentially, the consistency mechanism attempts to ensure that the GDPR is applied evenly and consistently across the EU. The mechanism includes a dispute resolution process to “ensure the correct and consistent application” of the law. 

This dispute resolution process can lead the EDPB to adopt a “binding decision,” compelling a lead SA (in this case, Ireland) to take specific action(s). 

This process began when the Irish SA circulated its draft WhatsApp decision among other concerned SAs on 24 December 2020 (Merry Christmas!).

Between December 2020 and January 2021, the following SAs issued objections to Ireland’s draft decision:

  • Germany (Federal)
  • Germany (Baden-Württemberg)
  • France
  • Hungary
  • Italy
  • Netherlands
  • Poland
  • Portugal

For this article, the objections of the German (Federal), Italian, and Polish SAs are relevant—these are the SAs that objected to how WhatsApp explained its reliance on legitimate interests in its privacy notice.

Ireland’s draft decision

We’re focusing on one section of the Irish SA’s draft decision, which considered whether WhatsApp properly informed data subjects about its legitimate interests for processing personal data per Article 13 (1) (d) GDPR.

Under Article 13 (1) (d), a controller relying on “legitimate interests” must inform data subjects what legitimate interests it (or a third party) is pursuing when it collects personal data.

As noted, several SAs initially disagreed with Ireland regarding whether WhatsApp had violated this provision. But the first disagreement on this point occurred within the Irish SA itself.

For our purposes, the production of the draft complaint consisted of two stages:

  • First, WhatsApp’s privacy notice was investigated by an “investigator,” who proposed a finding that WhatsApp had committed two relevant violations of the GDPR.
  • Second, taking the investigator’s proposals into account, a “decision-maker” decided which GDPR provisions WhatsApp had violated.

The Irish SA’s draft decision contains excerpts from WhatsApp’s privacy notice in which WhatsApp states that it relies on legitimate interests for the following processing purposes: 

  • Processing the personal data of people under majority age who could not enter into a contract (contract being another of WhatsApps’ legal bases)
  • Providing “measurement, analytics, and other business services”
  • Providing marketing communications
  • Sharing “information with others including law enforcement and to respond to legal requests”
  • Sharing “information with the Facebook Companies to promote safety and security”

The Irish SA had to decide whether this information satisfied Article 13 (1) (d) of the GDPR. The investigator and the decision-maker took different views on this question.


Investigator’s view 

The investigator noted that Article 13 (1) (d) was a “cumulative requirement” that works in tandem with Article 13 (1) (c), which requires the controller to list the purposes for and legal bases on which it processes personal data.

The investigator said that, collectively, these two provisions require the controller to set out its purposes for processing, “along with” its legitimate interests for processing.

Accordingly, the investigator proposed that WhatsApp had violated BOTH Article 13 (1) (c) and Article 13 (1) (d).

Decision-maker’s view

The decision-maker took a different approach. Instead of treating these two provisions as “cumulative,” it assessed whether WhatsApp had complied with each element of Article 13 in turn. 

Having made this assessment, the decision-maker found that WhatsApp had violated Article 13 (1) (c). Broadly speaking, this was because the company had not linked its purposes and legal bases for processing with its processing operations. 

But crucially, the decision-maker found that WhatsApp had not violated Article 13 (1) (d).

The decision-maker—and, therefore, the Irish SA as a whole—found that WhatsApp had conveyed information about its legitimate interests appropriately, in a clear and transparent manner that gave data subjects “a meaningful overview of the legitimate interests being relied upon.”

Objections to the draft decision

Three SAs raised objections to Ireland’s decision to find that WhatsApp was compliant with Article 13 (1) (d).

The German (Federal) SA, with the support of the German (Baden-Württemberg) SA said that the Irish SA had not properly examined whether WhatsApp’s notice was “clear and transparent enough for the data subject to understand” and was not “abstract.”

The Polish SA said “a nonspecific reference to a widely understood controller’s ‘legitimate interest’” was not sufficient to fulfill the GDPR’s transparency requirements.

The Italian SA said the decision conflated the “purposes of the processing” with “the legitimate interests referred to” without providing any specific information about the processing operation involved. The Italian SA also said the notice would be confusing for people under the age of majority (to whom this section was addressed).

Ireland’s reply to the objections

The Irish SA rejected all of the concerned SAs’ objections, saying that they were not sufficiently reasoned.

Ireland singled out the German SA’s objections as presenting a particular risk that the decision would be successfully challenged in court by WhatsApp. Ireland said that Germany’s objections were “not accurate.” 

Regarding Poland’s objections, the Irish SA said that to reinstate the investigator’s proposal would mean finding that WhatsApp had violated Article 13 twice for the same conduct (conduct that the decision-maker had already deemed to be a violation of Article 13 (1) (c)).

To Italy, the Irish SA simply said it had clearly set out its reasons for finding that WhatsApp had complied with Article 13 (1) (d)—and that the Italian SA had not raised a well-reasoned enough objection to affect a reversal of the decision. 

The Irish SA also provided responses to the objections from WhatsApp itself.


WhatsApp’s responses 

Some of WhatsApp’s responses relate to the finding that it violated Article 13 (1) (c). These are included insofar as they are relevant to the finding that WhatsApp violated Article 13 (1) (d).

In its submission, WhatsApp argued that it did not have to “link its legal bases for processing to specific processing operations, in addition to linking them to purposes for processing (which WhatsApp does), even though the GDPR only provides for the latter.”

WhatsApp noted that “while the term “processing operation” appears in a number of places in the GDPR, it is noticeably absent from the transparency obligations in Articles 12 through 14.”

Regarding Article 13 (1) (d), WhatsApp argued that it had provided “clear and transparent” descriptions of its legitimate interests and had described them in detail. The company argued that it did not have to:

  • Further specify the “third parties” referred to in its privacy notice
  • Explain its “business practices” to data subjects
  • Explain why its legitimate interests prevail over the rights and freedoms of its users

WhatsApp also said its notice was understandable to people over 16.

EDPB’s binding decision

The EDPB considered whether the objections raised by the other SAs were “relevant and reasoned” and found that they were.

The EDPB then considers whether Ireland should have to amend its draft decision to find that WhatsApp had violated Article 13 (1) (d) of the GDPR.

The EDPB considers whether WhatsApp should have provided further information about its legitimate interests in respect of each purpose for which it was relying on that legal basis.

The EPDB concludes that providing “full information on each and every processing operation respectively” is the “only approach” that will enable data subjects to exercise their data subject rights. 

As such, the EDPB concludes that WhatsApp’s privacy notice should have detailed: 

  • What legitimate interests relate to each processing operation
  • Which entity pursues each legitimate interest

With reference to its own Transparency Guidelines, the EDPB effectively says that the following sections of WhatsApp’s privacy notice are too vague:

  • “Providing measurement, analytics, and other business services” — Such as…?
  • “To create, provide, support, and maintain innovative Services and features” — What data is used for what services?
  • “Businesses and other partners” — Which ones? 

Taking all the above into account, the EDPB instructed the Irish SA to find that WhatsApp had infringed Article 13 (1) (d).


Conclusions

When describing its legitimate interests to data subjects, a controller must:

  • Set out the purposes for which it processes personal data
  • Describe the processing operation accompanying each processing purpose
  • Identify the legitimate interests it pursues in relation to each processing operation
  • Explain what personal data is used for each processing operation
  • When referencing the legitimate interests of third parties, describe which third party pursues which legitimate interest 

If implemented by WhatsApp, these requirements might result in the company’s already-quite-long privacy notice becoming even longer. But as the Irish SA notes in its final complaint:

“…while WhatsApp has chosen to provide its transparency information by way of pieces of text, there are other options available, such as the possible incorporation of tables, which might enable WhatsApp to provide the information required in a clear and concise manner.”

To present this information clearly and concisely, using a table is probably the best approach.

Trust and Transparency at PrivSec Global

The WhatsApp decision underlines the importance of trust and transparency under the GDPR. 

At PrivSec Global, the world’s biggest data protection, privacy, and security conference, we’re running a session on how to maintain trust when processing personal data. 

Register for PrivSec Global September: A Global Live Stream Experience | 22 - 23 September 2021