

WhatsApp fined €5.5 million for GDPR breaches

20 Jan 2023 / data law


The Data Protection Commission (DPC) has fined WhatsApp Ireland €5.5 million for breaches of GDPR data-privacy rules relating to its service.

WhatsApp Ireland, which is owned by Meta, has also been told to bring its data-processing operations into compliance within six months.

WhatsApp said that it disagreed with the decision and that it intended to appeal.

The inquiry followed a complaint made in 2018 from a German user of the service.

Legal challenge

The DPC has again, however, rejected a call from the European Data Protection Board (EDPB) to carry out a fresh, wide-ranging investigation into how WhatsApp processes users’ personal data.

The European body made a similar call in a case earlier this month involving two other Meta-owned social-media platforms, Facebook and Instagram.

The Irish watchdog has now stated that it will mount legal challenges to both determinations by the EDPB.

The direction from the EDPB came after it stepped in to resolve a dispute between the DPC and other European regulators over aspects of the Irish regulator’s findings in the WhatsApp case.

‘Contract’ legal basis

WhatsApp had changed its terms of service ahead of the introduction of GDPR in 2018.

Having previously relied on the consent of users to the processing of their personal information, WhatsApp sought to rely on the ‘contract’ legal basis for most of its processing operations.

The complainant had argued that, by asking users to accept updated terms of service – and making the services unavailable if users declined to accept – WhatsApp was “forcing” users to consent to the processing of their personal data for service improvement and security, in breach of GDPR.

WhatsApp had argued that processing users’ data was necessary for the performance of the contract entered into when users accepted the revised terms.

Dispute referred to EDPB

The DPC’s draft decision found that WhatsApp was in breach of its transparency obligations, as information on the legal basis relied on by the tech giant to process data was not clearly outlined to users.

The regulator also decided, however, that GDPR rules did not preclude WhatsApp’s reliance on the ‘contract’ legal basis.

Six of the 47 concerned supervisory authorities (CSAs), however, took a different view on the issue of the legal basis for processing data, and the dispute was referred to the European Data Protection Board (EDPB).

The board, while upholding the DPC’s position on WhatsApp’s transparency obligations, found that the company was not entitled to rely on the ‘contract’ legal basis as providing a lawful basis for its processing of personal data for the purpose of service improvement and security.

The EDPB determination is reflected in the DPC’s final decisions and fines.

‘Problematic’ call

The board also, however, asked the Irish watchdog to carry out a fresh probe in order to determine if WhatsApp processed data for the purposes of behavioural advertising, for marketing purposes, or for the provision of statistics to third parties, and the exchange of data with affiliated companies.

“It is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation,” the commission said, adding that the board’s call was “problematic in jurisdictional terms”.

The DPC is to bring an action for annulment before the Court of Justice of the EU, in order to seek the setting aside of the EDPB’s directions.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland