Binding Decision by the EDPB amends draft decision on WhatsApp

Binding Decision by the EDPB amends draft decision on controversial WhatsApp policy update, citing infringement of the transparency principle and recalculating the fine.

Following the controversial WhatsApp policy update, The Irish Supervisory Authority issued a draft decision. However, the decision invited various objections by other concerned supervisory authorities. According to this report by the European Data Protection Board, the EDPB, under Article 65 of the GDPR, adopted a binding dispute resolution decision wherein the organization recognized the need for amendments in several areas of the Irish Supervisory Authority’s decision regarding WhatsApp. This includes the part of the decision relating to infringements of transparency, the under-calculation of the fine, and the lenient time frame placed on the order to comply. Article 65 of the GDPR allows the EDPB to decide on matters when there may be objections or disagreements between a lead Supervisory Authority and other concerned supervisory authorities.

The EDPB explained that the violation involved an infringement of the transparency principle contained in the GDPR. 

The EDPB found that the information provided did not fully inform users about the legitimate interests being pursued, making this an infringement of Art. 13(1)(d) of the GDPR. Moreover, the EDPB explained that the violation involved an infringement of the transparency principle contained in Article 5(1)(a) of the GDPR. In fact, the procedure used to collect personal data of non-users does not ensure anonymity, as would be in accordance with Article 26 of GDPR.

The binding decision by the EDPB considered the turnover of WhatsApp’s parent company in deciding the amount of the fine. 

The EDPB believes that the turnover of a business is not just relevant for the determination of the maximum fine amount, it is also relevant for determining the recommended amount of the fine, in order to make the fine effective, proportionate and dissuasive. The EDPB also found that the consolidated turnover of the parent company (in this case, Facebook Inc.) is to be considered as well. In addition, the EDPB also interpreted, for the first time, Article 83(3) of the GDPR, where it is illustrated that where there are multiple infringements in one operation, each infringement should be considered for the imposition of a fine. 

The EDPB also suggested that a shorter time limit be imposed on WhatsApp, to bring its operations into compliance. 

The Irish Supervisory Authority had prescribed a timeframe of 6 months for WhatsApp Ireland to bring its operations into compliance. The EDPB however concluded that the compliance requirements with the transparency obligations are to be implemented within the shortest time possible. As a result, the prescribed time period of 6 months should be reduced to 3 months.

The Irish SA has adopted a new national decision based on EDPB landmark findings. WhatsApp Ireland has been notified of this national decision along with a copy of the EDPB decision.

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Guidance on cookie consent requirements from Malta DPA

The guidance on cookie consent requirements from the Malta DPA gives insight on the applicable legal framework for their use.

 

The Data Protection Authority of Malta has just published guidance cookie consent requirements to aid businesses and organizations in setting them up correctly on their web pages and apps. Cookies are alphanumeric files which are stored on a user’s device for later use. These later uses may include memorising preferences, storing session information or identifying a data subject through a unique identifier. Some cookies, known as tracking cookies, are used for the purpose of behavioral advertising. 

 

The guidance on cookie consent requirements from the Malta DPA heavily emphasizes the notion of consent. 

 

The application of cookieson a website or app is allowed under the applicable laws once they meet certain requirements. The guidance from the Malta DPA focuses on tracking cookies, understood as those used for commercial purposes to deliver behavioural advertising. According to the guidance, for tracking cookies to be lawfully installed on a user’s device, a valid consent mechanism which allows users to take affirmative action giving prior informed consent to the cookies must be implemented. Originally under the ePrivacy Directive, and now also under the GDPR, the notion of consent is very relevant to lawfully obtaining and storing information on data subjects. 

 

The notion of consent in the ePrivacy Directive is linked to that of the GDPR. As a result, in order for stakeholders to obtain valid consent within the scope of the ePrivacy Directive provisions, the elements of valid consent as upheld by Article 4(11) GDPRare applicable in a cumulative manner. This means that consent must  be freely given, specific, informed, and must result from an “unambiguous indication of the data subject’s wishes, by a statement or by a clear affirmative action” and this is what  would signify agreement to the processing of personal data relating to them. This consent must also be withdrawable.

 

According to Regulation 5(1) of the “Processing of Personal Data (Electronic Communications Sector) Regulations” (Subsidiary Legislation 586.01), which transposes article 5(3) of the ePrivacy Directive, the “storing of information or the gaining of access to information stored in the terminal equipment of a subscriber or user shall only be allowed on condition that the subscriber or user concerned has given his consent”.

 

Transparency is necessary in all matters to ensure that the rights and freedoms of data subjects remain protected. 

 

The GDPR maintains that data subjects must be informed, and have at the very least, a basic understanding of the state of play, allowing them to decide whether or not to give consent and how to exercise the right to withdraw consent. Pursuant to article 7(3) of the GDPR, data subjects should be able to withdraw their consent at any time and it should be as easy to withdraw their consent as it is to give it. With regards to cookies, transparency refers to the provision of adequate information regarding the processing operation, including how data subjects can exercise their rights. Accordingly, the GDPR stipulates that individuals must also be informed on how to withdraw their consent before it is given. The failure to provide data subjects with a permanent withdrawal option, including the relevant information on withdrawal, infringes several articles of the GDPR.

 

According to the guidance on cookie consent, cookie walls, pre-ticked boxes and scrolling infringe on the regulations governing cookie consent. 

 

In order to fairly and transparently obtain informed consent from users, there are some features which must be avoided as they compromise the rights and freedoms of users. The Malta DPA, in their non-exhaustive list of practices deemed non-compliant, makes mention of cookie walls, pre-ticked boxes and necessary scrolling. 

 

Cookie Walls

 

Cookie walls are banners linked with a website or a mobile app which only allow users to access the site or app after the user grants consent to the use of all cookies and to the purposes for which they are processed. In these cases, access to the website or mobile app is not possible by other means. Indiscriminately collecting personal data through this approach, essentially denies users a  genuine choice, falls foul of the consent requirements as set out in the applicable laws and it is considered to be an unlawful practice. In these cases, consent is in fact not “freely given”. For consent to be freely given, access to services and functionalities should not be made conditional upon the user’s consent for storing information, or gaining access to information already stored, in the device. 

 

Pre-ticked Boxes

In some cases, users’ consent for installing exempt cookies on their devices is sought by using pre-ticked opt-in boxes. According to  recital 32 of the GDPR, “silence, pre-ticked boxes or inactivity should not […] constitute consent”.  As a result, pre-ticked boxes are not a valid tool to obtain consent under the GDPR, specifically with regard to cookies. The approach of using pre-ticked boxes is considered unlawful. 

 

Scrolling  

 

The practice of obtaining consent through a user’s action, such as scrolling or swiping through a web page or pages, does not count as “clear and affirmative”, in terms of the requirements of article 7 of the GDPR and as well as recital 32. As a result, this approach does not satisfy one of the core requirements of valid consent. In addition, this practice makes it extremely difficult to inform, as well as provide the user with his right to withdraw their consent, as easily as it was initially obtained.

 

Does your company want to collect cookies through a website or app? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today