Facebook and WhatsApp data sharing

Facebook and WhatsApp data sharing requires further investigation, says EDPB

Further investigations are  required by the Irish Supervisory Authority before making a final decision regarding Facebook processing WhatsApp user data. 


The EDPB had adopted an urgent binding decision pursuant to Article 66 of the GDPR, requiring the Irish Supervisory Authority to carry out an investigation, rather than taking final measures, following a recent change in WhatsApp’s Terms of Service and Privacy Policy. The Supervisory Authority has adopted provisional measures towards Facebook Ireland, ordering a ban on the company processing user data from WhatsApp for their own purposes. However, the EDPB believes that further investigations are required to gain clarity on the processing activities in question. 


The EDPB concluded that the situation does not require any final measures as the conditions to demonstrate the existence of an infringement or an urgency have not been met. 


 The conclusion from the EDPB based on the evidence presented was that no final measures needed to be taken by the Supervisory Authority at this time. For one, the EDPB believes that there is a high likelihood that WhatsApp user data is already being processed by Facebook Ireland on the basis of joint controllership. The data is likely being processed in this way for the purpose of safety, security and integrity of all Facebook Companies including WhatsApp. Nonetheless, the EDPB is unable to determine with certainty what processing operations are indeed being carried out and in what capacity they are being carried out. This is due to various uncertainties and ambiguities in information provided to WhatsApp users. That being established, further investigations are required into those conditions before making any final decisions, especially considering the absence of any indication of a clear infringement or a need for urgency in this matter. 


The EDPB says further investigations are required by the Supervisory Authority to determine whether Facebook Ireland acts as a processor or joint controller with WhatsApp Ireland. 


While it is likely that Facebook is operating as a joint controller with respect to the processing of WhatsApp user data, the EDPB considers this to be unclear at this time and would like the Irish Supervisory Authority to further investigate and clarify whether Facebook Ireland is indeed acting as a joint controller or a processor. Currently, there is a lack of sufficient information regarding how data is processed for marketing purposes among the various Facebook Companies. Further investigations are required to also determine whether there is proper legal basis for those processing activities under the GDPR. 


The official binding decision will be published on the EDPB’s website once it has been properly assessed to ensure that any confidential information is redacted. However all relevant Supervisory Authorities, as well as Facebook Ireland and WhatsApp Ireland have been informed of the EDPB’s decision. 


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

WhatsApp conversations as contract

WhatsApp conversations may be deemed valid contract in Spain

Using WhatsApp blue tick to sign contracts? WhatsApp chats have been considered a verbal contract between the parties by a Court in Vigo (Galicia, Spain).

WhatsApp conversations may be a legally binding contract for the parties. An unpaid rent was the origin of this ruling. The landlords sued the tenant and the Court accepted the WhatsApp messages as the valid contract that governed the legal relationship between them. The Court took into account the fact that WhatsApp was the means used by the parties to agree on all the terms of the rent and to share the relevant documents in order to formalise it.

WhatsApp messages as contract and evidence in Court

Article 1278 of Spanish Civil Code states that “contracts will be legally binding for the parties regardless of their verbal or written nature, as long as the essential elements for their validity are met [namely: consent, object and cause].

As for the use of WhatsApp messages as a valid evidence in Court, there are, however, some requirements that apply, like the need of experts reports to verify the origin of the communication, the parties identities and the content integrity. Providing the password in order to let the Court access the relevant accounts, allowing access to the device as such or gathering recognition of the existence and truthfulness of the conversation from each of the parties have been accepted by some Courts as evidence enough.

WhatsApp, smart contracts and blockchain

In the light of this ruling, one may wonder if WhatsApp conversations may become one of the “blocks” of blockchain technology and be part of the smart contracts in the future. In order to achieve this, all the messages would need to be sorted and be accessible, maybe with no time limit, for verification purposes. This hypothetical but possible scenario would involve several privacy concerns, because WhatsApp messages may be deemed personal data, thus RGPD and other pieces of legislation, like the one concerning AI, may apply.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.