Binding Decision by the EDPB amends draft decision on controversial WhatsApp policy update, citing infringement of the transparency principle and recalculating the fine.
Following the controversial WhatsApp policy update, The Irish Supervisory Authority issued a draft decision. However, the decision invited various objections by other concerned supervisory authorities. According to this report by the European Data Protection Board, the EDPB, under Article 65 of the GDPR, adopted a binding dispute resolution decision wherein the organization recognized the need for amendments in several areas of the Irish Supervisory Authority’s decision regarding WhatsApp. This includes the part of the decision relating to infringements of transparency, the under-calculation of the fine, and the lenient time frame placed on the order to comply. Article 65 of the GDPR allows the EDPB to decide on matters when there may be objections or disagreements between a lead Supervisory Authority and other concerned supervisory authorities.
The EDPB explained that the violation involved an infringement of the transparency principle contained in the GDPR.
The EDPB found that the information provided did not fully inform users about the legitimate interests being pursued, making this an infringement of Art. 13(1)(d) of the GDPR. Moreover, the EDPB explained that the violation involved an infringement of the transparency principle contained in Article 5(1)(a) of the GDPR. In fact, the procedure used to collect personal data of non-users does not ensure anonymity, as would be in accordance with Article 26 of GDPR.
The binding decision by the EDPB considered the turnover of WhatsApp’s parent company in deciding the amount of the fine.
The EDPB believes that the turnover of a business is not just relevant for the determination of the maximum fine amount, it is also relevant for determining the recommended amount of the fine, in order to make the fine effective, proportionate and dissuasive. The EDPB also found that the consolidated turnover of the parent company (in this case, Facebook Inc.) is to be considered as well. In addition, the EDPB also interpreted, for the first time, Article 83(3) of the GDPR, where it is illustrated that where there are multiple infringements in one operation, each infringement should be considered for the imposition of a fine.
The EDPB also suggested that a shorter time limit be imposed on WhatsApp, to bring its operations into compliance.
The Irish Supervisory Authority had prescribed a timeframe of 6 months for WhatsApp Ireland to bring its operations into compliance. The EDPB however concluded that the compliance requirements with the transparency obligations are to be implemented within the shortest time possible. As a result, the prescribed time period of 6 months should be reduced to 3 months.
The Irish SA has adopted a new national decision based on EDPB landmark findings. WhatsApp Ireland has been notified of this national decision along with a copy of the EDPB decision.