Hannah Pettit, Associate in the Technology Sector team at Ashfords, looks at the issues surrounding the €5.5 million fine issued at the start of this year by the Irish Data Protection Commission (the “DPC”) to WhatsApp Ireland Limited for:
- incorrectly seeking to rely on performance of a contract with its users in order to process their personal data for the purposes of service improvements and security (the “lawful basis infringement”); and
- infringing the GDPR fairness principle (the “fairness principle infringement”).
This might not seem like a particularly high value fine when you take into account the significant turnover of the Meta group (which owns WhatsApp) and the value of other fines issued by European supervisory authorities in recent years. However, this is not the first fine issued by the DPC to WhatsApp. In 2021 WhatsApp received a fine of €225 million from the Irish privacy regulator, which has been taken into account this time round.
So what happened and why was WhatsApp found to be in breach of the GDPR?
The inquiry was complaint-driven. The relevant complaint centred around users being forced to consent to new Terms of Service in order to continue accessing WhatsApp’s services, and WhatsApp having no legal basis to utilise user personal data for purposes which are not a core element of the WhatsApp service. This included processing for improving WhatsApp’s products, security purposes, intra-group data sharing and also advertising purposes. The DPC’s investigation, however, focussed on WhatsApp’s processing for service improvement and security purposes.
Initially the DPC avoided a restrictive interpretation of Article 6(1)(b) of the GDPR, which states that processing must be necessary for the performance of a contract in order to rely on the “contract” lawful basis. It was of the view that the “necessity test” should not be a question of whether it is impossible to perform the contract without the data processing. It was comfortable that improving the existing service and maintaining security standards were necessary for performance of the user’s contract.
When the DPC’s draft decision was then referred to the European Data Protection Board (the “EDPB”), the EDPB disagreed and opted for a strict interpretation of Article 6(1)(b). It struggled to see how a processing activity could be considered necessary for performance of the contract if the user would still be able to receive the services it was subscribing for, whilst also opting out of the processing activity. It confirmed that service improvements and security were not essential elements of the contract and therefore it was inappropriate to rely on the “contract” lawful basis for these processing activities.
The EDPB also confirmed that WhatsApp had infringed the overarching principle of fairness under Article 5(1)(a) of the GDPR. A key factor in the EDPB concluding this was the imbalance between WhatsApp and its users and the lack of alternative services in the market.
The DPC then revised its decision in line with the EDPB’s binding instructions. It found that there had been both a lawful basis infringement and a fairness principle infringement and issued a €5.5 million fine, together with ordering WhatsApp to rectify the infringements within 6 months.
The DPC is expected to challenge additional directions from the EDPB decision regarding the need for further investigations into WhatsApp’s data processing, including in relation to special category data, behavioural advertising, marketing and the exchange of data with affiliate companies. The proposed challenge is on the basis of lack of jurisdiction, with the DPC confirming that “it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation”.
How relevant is the Irish DPC decision for the UK?
Following the UK’s exit from the EU, the Information Commissioner’s Office (the “ICO”) is no longer bound by decisions of the EDPB. However, this doesn’t mean that they will not be relevant. The ICO has expressed a commitment to continue working closely with European supervisory authorities and therefore, despite not being bound by the decision, we expect the ICO to give careful consideration to the commentary provided within the EDPB and DPC decisions.
The UK GDPR is – at least for now – a near replica of the EU GDPR, and so EU findings will influence the ICO’s interpretation of UK GDPR provisions. That said, we have already seen that the ICO is not afraid to depart from EU positions, one recent example being its alternative approach to transfer risk assessments for international transfers.
What does this mean for UK businesses?
It is not clear whether the ICO will follow suit and declare that it is not possible to rely on the “contract” lawful basis for service improvement and security processing. However, ICO guidance is unequivocal that if a business could reasonably deliver a service that the customer has contracted for by processing less data, or using data in a less intrusive way, the “contract” lawful basis will not be available for the excess or intrusive processing.
With this in mind, the following are a few key things for UK businesses to consider:
- Minimise intrusion. It may be necessary to revise both service development and security strategies, to minimise intrusion for data subjects. Instead of utilising personal data of all users to improve services, could you rely on a group of users who voluntarily consent to the use of their personal data for this purpose? Is it possible to implement service improvement strategies which don’t involve processing personal data?
- Comply with reasonable expectations. Ensure that your data processing is consistent with the reasonable expectations of your customers – the ICO is likely to have regard to these expectations when determining whether the processing is truly necessary for performance of the contract with the customer.
- Ensure transparency. Make sure to provide users with sufficient information, so that they understand what personal data you need to process in order to provide them with the services they have contracted for. This will involve ensuring that privacy notices are clear and up-to-date.