Binding Decision by the EDPB amends draft decision on controversial WhatsApp policy update, citing infringement of the transparency principle and recalculating the fine.
Following the controversial WhatsApp policy update, The Irish Supervisory Authority issued a draft decision. However, the decision invited various objections by other concerned supervisory authorities. According to this report by the European Data Protection Board, the EDPB, under Article 65 of the GDPR, adopted a binding dispute resolution decision wherein the organization recognized the need for amendments in several areas of the Irish Supervisory Authority’s decision regarding WhatsApp. This includes the part of the decision relating to infringements of transparency, the under-calculation of the fine, and the lenient time frame placed on the order to comply. Article 65 of the GDPR allows the EDPB to decide on matters when there may be objections or disagreements between a lead Supervisory Authority and other concerned supervisory authorities.
The EDPB explained that the violation involved an infringement of the transparency principle contained in the GDPR.
The EDPB found that the information provided did not fully inform users about the legitimate interests being pursued, making this an infringement of Art. 13(1)(d) of the GDPR. Moreover, the EDPB explained that the violation involved an infringement of the transparency principle contained in Article 5(1)(a) of the GDPR. In fact, the procedure used to collect personal data of non-users does not ensure anonymity, as would be in accordance with Article 26 of GDPR.
The binding decision by the EDPB considered the turnover of WhatsApp’s parent company in deciding the amount of the fine.
The EDPB believes that the turnover of a business is not just relevant for the determination of the maximum fine amount, it is also relevant for determining the recommended amount of the fine, in order to make the fine effective, proportionate and dissuasive. The EDPB also found that the consolidated turnover of the parent company (in this case, Facebook Inc.) is to be considered as well. In addition, the EDPB also interpreted, for the first time, Article 83(3) of the GDPR, where it is illustrated that where there are multiple infringements in one operation, each infringement should be considered for the imposition of a fine.
The EDPB also suggested that a shorter time limit be imposed on WhatsApp, to bring its operations into compliance.
The Irish Supervisory Authority had prescribed a timeframe of 6 months for WhatsApp Ireland to bring its operations into compliance. The EDPB however concluded that the compliance requirements with the transparency obligations are to be implemented within the shortest time possible. As a result, the prescribed time period of 6 months should be reduced to 3 months.
The Irish SA has adopted a new national decision based on EDPB landmark findings. WhatsApp Ireland has been notified of this national decision along with a copy of the EDPB decision.
Further investigations are required by the Irish Supervisory Authority before making a final decision regarding Facebook processing WhatsApp user data.
The EDPB concluded that the situation does not require any final measures as the conditions to demonstrate the existence of an infringement or an urgency have not been met.
The conclusion from the EDPB based on the evidence presented was that no final measures needed to be taken by the Supervisory Authority at this time. For one, the EDPB believes that there is a high likelihood that WhatsApp user data is already being processed by Facebook Ireland on the basis of joint controllership. The data is likely being processed in this way for the purpose of safety, security and integrity of all Facebook Companies including WhatsApp. Nonetheless, the EDPB is unable to determine with certainty what processing operations are indeed being carried out and in what capacity they are being carried out. This is due to various uncertainties and ambiguities in information provided to WhatsApp users. That being established, further investigations are required into those conditions before making any final decisions, especially considering the absence of any indication of a clear infringement or a need for urgency in this matter.
The EDPB says further investigations are required by the Supervisory Authority to determine whether Facebook Ireland acts as a processor or joint controller with WhatsApp Ireland.
While it is likely that Facebook is operating as a joint controller with respect to the processing of WhatsApp user data, the EDPB considers this to be unclear at this time and would like the Irish Supervisory Authority to further investigate and clarify whether Facebook Ireland is indeed acting as a joint controller or a processor. Currently, there is a lack of sufficient information regarding how data is processed for marketing purposes among the various Facebook Companies. Further investigations are required to also determine whether there is proper legal basis for those processing activities under the GDPR.
The official binding decision will be published on the EDPB’s website once it has been properly assessed to ensure that any confidential information is redacted. However all relevant Supervisory Authorities, as well as Facebook Ireland and WhatsApp Ireland have been informed of the EDPB’s decision.
Using WhatsApp blue tick to sign contracts? WhatsApp chats have been considered a verbal contract between the parties by a Court in Vigo (Galicia, Spain).
WhatsApp conversations may be a legally binding contract for the parties. An unpaid rent was the origin of this ruling. The landlords sued the tenant and the Court accepted the WhatsApp messages as the valid contract that governed the legal relationship between them. The Court took into account the fact that WhatsApp was the means used by the parties to agree on all the terms of the rent and to share the relevant documents in order to formalise it.
WhatsApp messages as contract and evidence in Court
Article 1278 of Spanish Civil Code states that “contracts will be legally binding for the parties regardless of their verbal or written nature, as long as the essential elements for their validity are met [namely: consent, object and cause]”.
As for the use of WhatsApp messages as a valid evidence in Court, there are, however, some requirements that apply, like the need of experts reports to verify the origin of the communication, the parties identities and the content integrity. Providing the password in order to let the Court access the relevant accounts, allowing access to the device as such or gathering recognition of the existence and truthfulness of the conversation from each of the parties have been accepted by some Courts as evidence enough.
WhatsApp, smart contracts and blockchain
In the light of this ruling, one may wonder if WhatsApp conversations may become one of the “blocks” of blockchain technology and be part of the smart contracts in the future. In order to achieve this, all the messages would need to be sorted and be accessible, maybe with no time limit, for verification purposes. This hypothetical but possible scenario would involve several privacy concerns, because WhatsApp messages may be deemed personal data, thus RGPD and other pieces of legislation, like the one concerning AI, may apply.