The Irish Data Protection Commission (Data Protection CommissionDPC) announced on Thursday (January 19) that it had fined WhatsApp 5.5 million euros, after similar decisions were taken against Facebook and Instagram.
The legal basis used by WhatsApp to process personal data has been found to be contrary to European law. The company now has six months to implement corrective measures, namely to find a new legal basis.
This decision follows a series of similar complaints filed by the NGO NOYB, led by the famous Austrian activist Max Schrems, which challenged the way in which the platforms of the company Meta complied with the General Data Protection Regulation (GDPR). of the EU.
The day before the GDPR came into force, all platforms owned by Meta amended their terms and conditions to clarify that by using the service, users consent to the processing of their personal data for the purpose of improving the service and of security.
“We strongly believe that the way the service operates is both technically and legally compliant. We rely on contractual necessity for service improvement and safety purposes, as we believe that contributing to the safety of people and offering an innovative product is a fundamental responsibility in the operation of our service”a WhatsApp spokesperson told EURACTIV.
Meta has designed this so-called “contract” model as the legal basis for processing personal data in consultation with the Irish Data Protection Commission. It is the primary authority responsible for dealing with most major tech companies — given that they have established their European headquarters in this country.
Schrems believes that this approach is nothing less than a way to circumvent the GDPR, as it does not allow users to exercise their right of refusal.
In his original ruling, the Data Protection Commissioner found that Meta’s platforms failed to meet transparency requirements, but kept his model contract intact.
The GDPR, however, provides that other data protection authorities may intervene in cases that concern them. If no consensus can be reached — as was the case here — the decision is submitted to the dispute resolution mechanism of the European Data Protection Board (EDPB).
The latter issued a binding decision in December, reversing the decision of the Irish authority and declaring that the model contract was contrary to the GDPR. Rulings against Facebook and Instagram therefore followed earlier this month.
The Commission’s WhatsApp decision was forwarded to Dublin a few days late, leading to the subsequent closure of the investigation. However, the penalty is significantly lower than those imposed on Facebook and Instagram, which amounted to 210 and 180 million euros respectively.
This considerable discrepancy between fine amounts is explained by the fact that social networks – unlike messaging services – process personal data with the aim of offering particularly lucrative behavioral advertisements. The extent to which WhatsApp shares data with other Meta-owned services, however, has been the subject of controversy since its acquisition by Facebook.
In his decision, the EDPS called on the Irish authority to carry out a further investigation into the matter and to determine whether WhatsApp is processing data, in particular sensitive categories, for behavioral advertising or other purposes.
The DPC considers, however, that with this request, the EDPS has exceeded his powers, insofar as he does not have the power to entrust new investigations to an independent authority. The Irish watchdog has therefore announced that it will seek the annulment of this part of the EDPS decision before the Court of Justice of the EU.
On the other hand, NOYB considers that by refusing to investigate the sharing of data within Meta, the DPC unjustifiably limited the scope of the case against WhatsApp. Indeed, although the application offers an encrypted messaging service, it collects metadata that sheds light on the behavior of its users in terms of communication.
“We are amazed at how the DPC simply ignores the heart of the case after a 4 and a half year procedure. The DPC also disregards the binding decision of the EDPS. It appears that the DPC has finally severed all ties with EU partner authorities and with the requirements of EU and Irish law”Mr. Schrems said in a statement.
Like the other two affected platforms, namely Facebook and Instagram, WhatsApp has indicated that it will appeal this decision.
[Édité par Anne-Sophie Gayet]
