WhatsApp privacy policy updated after record fine of €225 million

WhatsApp's privacy policy has been updated after the company was hit with a GDPR fine; however, this changes nothing about its service.

 

WhatsApp has amended its privacy policy after being hit with a record fine for an EU GDPR violation. While the company is still appealing the €225 million fine, its privacy policy is being updated, as ordered by the Irish data protection watchdog. The company insists that nothing about its actual service is changing. The changes to the privacy policy are intended to provide additional detail on its existing practices. WhatsApp users in Europe are also not expected to take any action regarding these changes. According to this report from BBC, these changes will only be made to the privacy policy for WhatsApp Europe, which already differs from that of the rest of the world.

 

Numerous users complained previously about an update to the company’s terms raising concerns about the safety of their information.

 

Several users in Europe complained about an update to the terms of service which they believed would result in their accounts being blocked if they failed to accept those terms. Many of those users were under the impression that these new terms would result in their information being shared with WhatsApp’s parent company Facebook, which has since become Meta. WhatsApp commented on this matter in particular when addressing the amendments ordered by the Irish DPC. WhatsApp reiterated in its statement: “This update does not change how we process, use or share user data with anyone, including Meta, nor does it change how we operate our service.” The company noted that users were not required or expected to agree to anything or take any action, and that messages on its platform continue to be end-to-end encrypted. This means that only the sender and receiver can read those messages.

 

WhatsApp was recently hit with the second highest fine in GDPR history after users complained about this update to the company’s terms.

 

In September, WhatsApp was hit with a record fine after an investigation into the company’s level of transparency in handling user information. The Irish DPC had originally proposed a fine of €30 million – €50 million, but after other EU regulators were consulted on a reassessment of the amount, the fine rose to €225 million. WhatsApp insists that it has always provided the required information to its users and is appealing this fine. The company has, however, included substantially more information for users about its use of their information, and how the company works with its parent company, Meta.

 

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Binding Decision by the EDPB amends draft decision on WhatsApp

Binding Decision by the EDPB amends draft decision on controversial WhatsApp policy update, citing infringement of the transparency principle and recalculating the fine.

Following the controversial WhatsApp policy update, the Irish Supervisory Authority issued a draft decision. However, the decision drew various objections from other concerned supervisory authorities. According to this report by the European Data Protection Board, the EDPB, under Article 65 of the GDPR, adopted a binding dispute resolution decision in which it recognized the need for amendments in several areas of the Irish Supervisory Authority’s decision regarding WhatsApp. These include the part of the decision relating to infringements of transparency, the under-calculation of the fine, and the lenient time frame placed on the order to comply. Article 65 of the GDPR allows the EDPB to decide on matters when there may be objections or disagreements between a lead Supervisory Authority and other concerned supervisory authorities.

The EDPB explained that the violation involved an infringement of the transparency principle contained in the GDPR. 

The EDPB found that the information provided did not fully inform users about the legitimate interests being pursued, making this an infringement of Art. 13(1)(d) of the GDPR. Moreover, the EDPB explained that the violation involved an infringement of the transparency principle contained in Article 5(1)(a) of the GDPR. In fact, the procedure used to collect personal data of non-users does not ensure anonymity, as would be in accordance with Article 26 of GDPR.

The binding decision by the EDPB considered the turnover of WhatsApp’s parent company in deciding the amount of the fine. 

The EDPB believes that the turnover of a business is not just relevant for the determination of the maximum fine amount, it is also relevant for determining the recommended amount of the fine, in order to make the fine effective, proportionate and dissuasive. The EDPB also found that the consolidated turnover of the parent company (in this case, Facebook Inc.) is to be considered as well. In addition, the EDPB also interpreted, for the first time, Article 83(3) of the GDPR, where it is illustrated that where there are multiple infringements in one operation, each infringement should be considered for the imposition of a fine. 

The EDPB also suggested that a shorter time limit be imposed on WhatsApp, to bring its operations into compliance. 

The Irish Supervisory Authority had prescribed a timeframe of 6 months for WhatsApp Ireland to bring its operations into compliance. The EDPB however concluded that the compliance requirements with the transparency obligations are to be implemented within the shortest time possible. As a result, the prescribed time period of 6 months should be reduced to 3 months.

The Irish SA has adopted a new national decision based on EDPB landmark findings. WhatsApp Ireland has been notified of this national decision along with a copy of the EDPB decision.


Facebook and WhatsApp data sharing

Facebook and WhatsApp data sharing requires further investigation, says EDPB

Further investigations are required by the Irish Supervisory Authority before making a final decision regarding Facebook processing WhatsApp user data.

 

The EDPB had adopted an urgent binding decision pursuant to Article 66 of the GDPR, requiring the Irish Supervisory Authority to carry out an investigation, rather than taking final measures, following a recent change in WhatsApp’s Terms of Service and Privacy Policy. The Supervisory Authority has adopted provisional measures towards Facebook Ireland, ordering a ban on the company processing user data from WhatsApp for their own purposes. However, the EDPB believes that further investigations are required to gain clarity on the processing activities in question. 

 

The EDPB concluded that the situation does not require any final measures as the conditions to demonstrate the existence of an infringement or an urgency have not been met. 

 

 The conclusion from the EDPB based on the evidence presented was that no final measures needed to be taken by the Supervisory Authority at this time. For one, the EDPB believes that there is a high likelihood that WhatsApp user data is already being processed by Facebook Ireland on the basis of joint controllership. The data is likely being processed in this way for the purpose of safety, security and integrity of all Facebook Companies including WhatsApp. Nonetheless, the EDPB is unable to determine with certainty what processing operations are indeed being carried out and in what capacity they are being carried out. This is due to various uncertainties and ambiguities in information provided to WhatsApp users. That being established, further investigations are required into those conditions before making any final decisions, especially considering the absence of any indication of a clear infringement or a need for urgency in this matter. 

 

The EDPB says further investigations are required by the Supervisory Authority to determine whether Facebook Ireland acts as a processor or joint controller with WhatsApp Ireland. 

 

While it is likely that Facebook is operating as a joint controller with respect to the processing of WhatsApp user data, the EDPB considers this to be unclear at this time and would like the Irish Supervisory Authority to further investigate and clarify whether Facebook Ireland is indeed acting as a joint controller or a processor. Currently, there is a lack of sufficient information regarding how data is processed for marketing purposes among the various Facebook Companies. Further investigations are required to also determine whether there is proper legal basis for those processing activities under the GDPR. 

 

The official binding decision will be published on the EDPB’s website once it has been properly assessed to ensure that any confidential information is redacted. However all relevant Supervisory Authorities, as well as Facebook Ireland and WhatsApp Ireland have been informed of the EDPB’s decision. 

 


WhatsApp conversations as contract

WhatsApp conversations may be deemed a valid contract in Spain

Using WhatsApp blue tick to sign contracts? WhatsApp chats have been considered a verbal contract between the parties by a Court in Vigo (Galicia, Spain).

WhatsApp conversations may be a legally binding contract for the parties. An unpaid rent was the origin of this ruling. The landlords sued the tenant and the Court accepted the WhatsApp messages as the valid contract that governed the legal relationship between them. The Court took into account the fact that WhatsApp was the means used by the parties to agree on all the terms of the rent and to share the relevant documents in order to formalise it.

WhatsApp messages as contract and evidence in Court

Article 1278 of the Spanish Civil Code states that “contracts will be legally binding for the parties regardless of their verbal or written nature, as long as the essential elements for their validity are met [namely: consent, object and cause]”.

As for the use of WhatsApp messages as valid evidence in Court, there are, however, some requirements that apply, such as the need for expert reports to verify the origin of the communication, the parties' identities and the integrity of the content. Providing the password to let the Court access the relevant accounts, allowing access to the device itself, or obtaining each party's acknowledgement of the existence and truthfulness of the conversation have been accepted by some Courts as sufficient evidence.

WhatsApp, smart contracts and blockchain

In the light of this ruling, one may wonder if WhatsApp conversations may become one of the “blocks” of blockchain technology and be part of smart contracts in the future. In order to achieve this, all the messages would need to be sorted and be accessible, maybe with no time limit, for verification purposes. This hypothetical but possible scenario would involve several privacy concerns, because WhatsApp messages may be deemed personal data, and thus the GDPR and other pieces of legislation, like the one concerning AI, may apply.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.