The Irish Data Protection Commission (DPC) has imposed a fine of €225 million on WhatsApp’s European headquarters, following an investigation that took many years to complete. In addition to the fine, WhatsApp has received a compliance order, which it needs to fulfill within 3 months. The sanctions are imposed for violations of the transparency principle and requirements under the European Union’s General Data Protection Regulation (GDPR). This in itself is noteworthy, but the case becomes more interesting, because the sanctions are a result of a Binding Decision by the European Data Protection Board (EDPB) following objections against the draft findings and sanctions proposed by the Irish DPC. The full report of the EDPB on the dispute resolution procedure sheds light on the considerations of the various regulators, as well as on some novel and updated interpretations of the GDPR by the EDPB. In this blog, we’ll discuss three elements of the decision that might also be relevant for other companies.
Processing personal data on the basis of a legitimate (business) interest has long been possible in Europe. Under the former 1995 Data Protection Directive, the Article 29 Working Party (WP29, the predecessor of the EDPB) issued an opinion on how the legitimate interest should be used. In any case, a legitimate interest should be “sufficiently clearly articulated” and “represent a real and present interest” in order to be valid. If that is not the case, the required balancing test cannot be completed. Furthermore, where legitimate interest is used, information needs to be provided to the individual on the basis of Article 13(1)(d) GDPR.
In the WhatsApp Binding Decision, the EDPB writes that it “considers that the purpose of these duties of the controller is to enable data subjects to exercise their rights under the GDPR, such as the right to object pursuant to Article 21 GDPR, which requires the data subject to state the grounds for the objection relating to his or her particular situation.” Therefore, “full information on each and every processing operation” needs to be provided to the individual. One of the concerns raised about the way WhatsApp provided notice of its use of legitimate interests was that several purposes for data processing and several legitimate interests were listed, without making clear how they relate to each other. In addition, phrases like “other business services” or “maintaining innovative services and features” did not meet the approval of the data protection authorities, because they “do not meet the necessary threshold of clarity and intelligibility.”
Recommendation: When relying upon legitimate interest(s) for your data processing operations, ensure each legitimate interest is made clear in your privacy notice, with a clear link to the types of data used for each data subject category and the intended purpose(s).
Matching Address Books
The second contentious issue is the question of whether phone numbers of non-users, collected when matching an address book with WhatsApp’s current user list to facilitate connections, remain personal data, even after so-called lossy hashing. Lossy hashing is a technique which basically ‘translates’ the phone number of a non-user into a code that at first glance does not have any meaning.
The EDPB discusses the objections of multiple data protection authorities. In short, all argue that the original Irish DPC finding that lossy hashed data does not constitute personal data is incorrect, since re-identification is possible and does not require a lot of effort. This is due to the way the technique is implemented by WhatsApp, for example, by only using up to 16 phone numbers, instead of the full available 16, and by “linking a lossy hash to mobile phone numbers of those users who uploaded numbers via the Contact Features that fall into the group of different phone numbers that would have generated that same lossy hash.” Furthermore, if these data are regarded as personal data, additional violations of the GDPR should be noted, both in terms of the legal basis to process these data and the information provided to individuals.
Recommendation: The EDPB does not raise principled objections against the possibility to match user lists against a database, while using a lossy hash on non-users to limit the amounts of available data. However, a “table of lossy hashes together with the associated users’ phone numbers [retained] as Non-User List constitutes personal data.” As such, this processing activity requires its own legal basis and proper information to be provided to individuals.
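To make the re-identification concern concrete, here is an added illustration (not WhatsApp's implementation and not taken from the decision): a toy lossy hash over a constructed number space, with a stored table linking each hash to the users who uploaded a matching contact. The truncation width, the number space, the allocation rate and all function names are assumptions made for the example.

```python
import hashlib
from collections import defaultdict

# Constructed toy number space (not real numbers): 4096 seven-digit values.
NUMBER_SPACE = [f"555{n:04d}" for n in range(4096)]
BUCKET_BITS = 8  # assumption: 256 hash values, so about 16 numbers share each one

def lossy_hash(number: str, bits: int = BUCKET_BITS) -> int:
    """SHA-256 truncated to `bits` bits, so collisions are deliberate."""
    digest = hashlib.sha256(number.encode()).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)

def candidates(h: int, space) -> list:
    """Every number in `space` that would have produced lossy hash `h`."""
    return [n for n in space if lossy_hash(n) == h]

def build_non_user_list(uploads: dict, users: set) -> dict:
    """Map lossy hash -> uploaders whose address book held a matching non-user."""
    table = defaultdict(set)
    for uploader, contacts in uploads.items():
        for contact in contacts:
            if contact not in users:
                table[lossy_hash(contact)].add(uploader)
    return dict(table)

def assess(table: dict, allocated) -> list:
    """Per stored row: candidate group size, in theory and among allocated numbers."""
    rows = []
    for h, uploaders in sorted(table.items()):
        rows.append({
            "hash": h,
            "uploaders": sorted(uploaders),
            "candidates_all": len(candidates(h, NUMBER_SPACE)),
            "candidates_allocated": len(candidates(h, allocated)),
        })
    return rows

# Constructed sample: two users upload address books containing non-users.
USERS = {"5550001", "5550002"}
UPLOADS = {"5550001": ["5550002", "5551234"], "5550002": ["5551234", "5553000"]}
# Assumption: only a quarter of the number space is actually assigned.
ALLOCATED = sorted(set(NUMBER_SPACE[::4]) | {"5551234", "5553000"})

if __name__ == "__main__":
    for row in assess(build_non_user_list(UPLOADS, USERS), ALLOCATED):
        print(row)
```

Each stored row ties identified uploaders to a small, enumerable group of candidate numbers, and that group shrinks further once unassigned numbers are excluded, which is why measuring the real candidate-set size belongs in any assessment of whether such a table is personal data.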
The final learning point in the EDPB Binding Decision relates to the calculation of the administrative fine. In its draft decision, the Irish DPC set a proposed range for the fine amount, with a cap that was calculated on the basis of the annual combined global turnover for Facebook Inc and WhatsApp Ireland, given they should be regarded as a group of undertakings under the GDPR. The question raised, however, was “whether turnover is relevant only to determine the maximum fine that can be lawfully imposed, or whether it is potentially also relevant in the calculation of the fine amount”.
The EDPB considers a “conclusion that turnover may be considered exclusively to calculate the maximum fine amount is unsustainable”, because a fine needs to be effective, proportionate and dissuasive. Furthermore, GDPR explicitly provides for dynamic fines, which should allow for taking into account turnover as well as other considerations, like intent or negligence and others mentioned in Article 83(2) GDPR. This is also considered in line with case law from the Court of Justice, especially when it comes to the dissuasiveness of the fine.