Is your privacy policy clear enough? Ask WhatsApp
25 April 2022
WhatsApp is perhaps most renowned for the privacy it offers its users through its end-to-end encryption messaging service. However, in a twist of irony, one area where it may have been a bit too private and unclear is in its privacy policy. As a result, WhatsApp was the subject of a €225m fine, the second largest ever of its kind, for being in breach of European data protection law – specifically, for a lack of transparency around the use of the personal data of its users and non-users.
Why was WhatsApp fined?
Following a lengthy investigation, the Irish Data Protection Commission (DPC) concluded that WhatsApp had not met its transparency obligations around the use of its users’ and non-users’ personal data, as required under the EU General Data Protection Regulation (EU GDPR). Transparency is one of the key principles of the EU GDPR (and also the UK GDPR). It stipulates that controllers, such as WhatsApp, should communicate to its users (and sometimes even non-users) what, how and why personal data is being processed, and by whom, and must do so in a clear, concise and easily accessible way.
In particular, questions were raised about the lack of transparency around WhatsApp sharing its users’ personal data with its parent company, Meta (formerly Facebook), and other companies within the company group. Given that WhatsApp’s processing activities extend to individuals in other EU countries, the DPC submitted its initial draft decision to all the other EU GDPR supervisory authorities for review. Due to a lack of consensus, the decision was then submitted to the European Data Protection Board (EDPB) for the final verdict.
The EDPB, together with the DPC, found that WhatsApp’s very lengthy privacy notice actually communicated very little relevant information. It held that controllers, such as WhatsApp, must identify, in its privacy policy, the specific legal basis in granular detail for each and every processing activity it carries out. For example, where the legal basis is “legitimate interests”, i.e. the processing is necessary to carry out business activities, the privacy notice must precisely outline what legitimate interest relates to which specific processing activity. Furthermore, where there is a transfer of personal data within the company group, the privacy policy must outline which group companies are involved with each legitimate interest.
Where there is an overseas transfer of personal data, the EU GDPR requires that appropriate safeguards are put in place; this is usually done through the use of standard contractual clauses or by relying on an EU adequacy decision. In this case, the EDPB held that it was not enough to make a blanket statement that adequacy decisions may be relied on to enable such transfers. The privacy notice must explicitly state which set of standard contractual clauses is being used and/or which adequacy decision is being relied on.
Additionally, the EDPB and the DPC also considered whether WhatsApp had been transparent enough about the processing of the personal data of non-users. This is particularly in the context of non-users who sign up to WhatsApp, as it then shows existing WhatsApp users that this individual is now a user of the app. Although it was held that WhatsApp’s processing of non-user data is “very limited”, the DPC found that there had been a failure to provide the non-users with the relevant information required under the EU GDPR.
What’s next for WhatsApp?
These findings show the importance of putting the data subject at the core of your privacy policy. The data subject must be able to easily, and in sufficient detail, identify exactly how their data is processed. WhatsApp’s failures to do so ended with the finding that it had breached the transparency principle under the EU GDPR. The seriousness and the message the EDPB and DPC want to communicate about the importance of transparency is reflected in the penalty imposed on WhatsApp.
The DPC’s initial fine of between €30-50m was found to be inadequate by the EDPB, which then led to the significant increase in the fine. The EDPB stated that the turnover of WhatsApp’s parent company, Meta, should have been considered in the calculation of the fine, to ensure that such fines are “effective, proportionate and dissuasive”. Moreover, the EDPB gave WhatsApp three months to update its privacy policy (as opposed to the six months suggested by the DPC), citing the need for large, international controllers to be held to a higher standard.
WhatsApp has since updated its privacy policy to comply with the DPC and the EDPB’s findings. Despite this, it insists that it had previously adequately complied with the EU GDPR and is currently in the process of appealing the decision. Whilst we await the outcome of this appeal, it may be worth reviewing your privacy policy to ensure it is sufficiently transparent for your users. Your privacy policy may not be clear, but the consequences certainly are!
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at April 2022.