The WhatsApp case and a landmark decision

A few days ago, WhatsApp was fined €225,000,000 by the Irish Supervisory Authority, the second largest fine ever imposed under the GDPR, for a combination of violations of Articles 12, 13, 14 and 5 (1) lit. a, which the authority assessed as very serious.

The final decision of the Irish supervisory authority was issued on 20.08.2021, after the European Data Protection Board (EDPB) had previously issued a binding decision under Art. 65 of Regulation 679/2018 (Binding Decision 1/2021) on 28.07.2021. It was therefore necessary to go through a procedure to resolve the objections raised by several supervisory authorities to the findings that the Irish authority had initially made in a manner more favourable to WhatsApp.

We summarize below the reasons why we say that this decision is a landmark decision in clarifying some of the concepts and the impact it will have in the approach of national supervisors in similar cases:

The breaches of the transparency principle have been re-characterized by the EDPB as more serious than originally determined by the Irish national supervisory authority. To reach this conclusion, breaches of the transparency principle for lack of information about the legitimate interest pursued by the controller or a third party were re-assessed, and several categories of data that had previously been excluded were reclassified as personal data (PII). For example, data of individuals who are not registered as users of WhatsApp, and whose data are processed by WhatsApp as a result of WhatsApp users accessing the Contact Feature option, were considered personal data. It was considered that the information provided to users has several shortcomings, which affect their ability to understand the legitimate interest pursued by the controller, thus also violating the provisions of Article 13(1)(d) of the Regulation, which had not initially been found to be breached.

From a legal perspective, it is important to note that the EDPB also considered that the provisions of Article 5(1) lit. a of the Regulation (which establishes the principle of lawful, fair and transparent processing), which had not previously been considered infringed, were also infringed, even if, considered individually, the breaches of Articles 12, 13 and 14 do not necessarily imply a breach that could fall within the scope of Article 5(1) lit. a. The gravity added by the multiple breaches led the EDPB to hold that in this case, in particular, the principle of transparency provided for by Article 5 was breached. Proof of the importance that the EDPB attaches to compliance with the principle of transparency, considered in this case in close connection with compliance with the obligation to provide accurate and complete information to data subjects where personal data are not collected directly from them (the obligation under Article 14), is the amount allocated to the infringement of Article 5(1)(a) – €90,000,000 – followed by €75,000,000 for the infringement of Article 14 mentioned above, out of a total fine of €225,000,000.

The EDPB also clarified how to determine the amount of the fine imposed and ruled that a fine, in order to be effective, proportionate and dissuasive/deterrent, as required by Article 83(1) of the Regulation, must be set not only by reference to the turnover of the penalized operator (in this case WhatsApp), but also in relation to the combined turnover of the operator and its parent company, Facebook.

The binding decision adopted in July also marks the first time in EDPB case law that the EDPB has interpreted Article 83(3) of the Regulation as meaning that "where several infringements occur in relation to the same processing operation or in relation to related processing operations, all infringements must be taken into account when determining the amount of the fine", and the supervisory authorities will apply this interpretation when setting fines in compliance with the other two principles – that of proportionality of the fine and the maximum amount of the fine set by the Regulation.

With regard to the time limit for compliance, the EDPB considered that the six-month time limit initially set by the Irish authority was far too short in view of the seriousness of the infringements and the need to comply with the obligation to ensure transparency as soon as possible.

The final decision issued by the Irish supervisory authority can be found here: https://edpb.europa.eu/our-work-tools/consistency-findings/register-for-decisions_en

The binding EDPB decision can be found here: https://edpb.europa.eu/system/files/2021-09/edpb_bindingdecision_202101_ie_sa_whatsapp_redacted_en.pdf