15.07.2021
•
The European Data Protection Committee (EDSA) has rejected the application of the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) to impose definitive measures to prevent data exchange between WhatsApp and Facebook. He did not consider this question to be urgent. Other forms of regulation, e.g. warning Facebook to process data from WhatsApp users for their own purposes, such as product improvement and security without their consent, were not used. The General Data Protection Regulation (GDPR) provides a warning as a possibility in cases in which intended processing is likely to violate the GDPR.
The EDSA found considerable contradictions between the information with which WhatsApp users are informed about extensive uses of their data by Facebook on the one hand, and the undertakings made by the companies to data protection supervisory authorities that they will not (yet) do this. The EDSA also expressed considerable doubts about the legal basis on which Facebook would like to rely when using WhatsApp data for its own or joint processing. He takes up essential parts of the argumentation of the HmbBfDI.
Despite these findings, the EDPB has only chosen to encourage the Irish lead data protection authority (IDPC) to conduct an audit. This should include the actual processing processes at Facebook with regard to WhatsApp data and the question of the possible legal basis, in particular the overriding legitimate interest within the meaning of Art. 6 Para. 1 f) GDPR. The IDPC was not set a deadline for this.
Ulrich Kühn, Hamburg’s Deputy Commissioner for Data Protection and Freedom of Information: “The decision of the European Data Protection Committee is disappointing. The body, which was created to ensure the uniform application of the GDPR throughout the European Union, is missing the opportunity to clearly stand up for the protection of the rights and freedoms of millions of people in Europe. He continues to leave this to the Irish regulator alone. Despite our repeated request for more than two years to investigate the question of data exchange between WhatsApp and Facebook and, if necessary, to sanction it, it did not act in this regard. The fact that she is now being pushed to an examination is a result of our longstanding efforts. However, this non-binding measure does not do justice to the importance of the issue. There is hardly a case conceivable in which, against the background of the threat of encroachment on the rights and freedoms of a very large number of those affected and their factual powerlessness against monopoly-like providers, the urgent need for action for concrete measures is more obvious. The EDSA is thus depriving itself of a decisive instrument to enforce the GDPR across Europe. This is not good news for those affected and for data protection in Europe as a whole. “
Press contact
| Telephone: | +49 40 428 54-4044 |
| E-mail: |
–
– .
