
Confusion over WhatsApp’s new T&Cs triggers privacy warning from Italy

Natasha Lomas
Senior Reporter, TechCrunch
January 14, 2021

Concerns regarding an adjustment to the terms and conditions of WhatsApp, the messaging application owned by Facebook, have prompted action from Italy’s data protection authority.

The Italian GPDP announced today that it has contacted the European Data Protection Board (EDPB) to express worries about a lack of transparency concerning the modifications included in the upcoming terms and conditions.

Over the past several weeks, WhatsApp has been notifying users that acceptance of the new terms and conditions is required to continue utilizing the service after February 8.

A comparable notification regarding revised terms has also generated apprehension in India—where a legal petition was submitted today to the Delhi High Court, asserting that the new terms infringe upon users’ fundamental privacy rights and potentially jeopardize national security.

In a statement published on its website, the Italian agency indicated that it believes WhatsApp users are unable to fully comprehend the changes being implemented under the new terms, nor to “clearly understand what data processing will actually be conducted by the messaging service following February 8.”

To ensure the validity of processing personal data under EU legislation, the General Data Protection Regulation (GDPR) mandates that users receive comprehensive information about each specific use of their data and have a genuine choice regarding whether their data is processed for each purpose.

The Italian agency further stated that it reserves the right to intervene “with urgency” to safeguard users and uphold EU regulations concerning the protection of personal data.

We contacted the EDPB to inquire about the GPDP’s intervention. The steering body generally functions as a point of contact between EU DPAs. It also issues guidance on interpreting EU law and can make definitive rulings in cases involving disagreements in cross-border EU investigations.

The EDPB informed us that “an exchange of views” on the subject occurred during yesterday’s plenary meeting.

“The issue will likely be discussed further at a subsequent date,” it added. “Please note that supervisory authorities regularly share information on cases within the framework of the one-Stop-Shop.”

“The EDPB has fulfilled its role in promoting cooperation among supervisory authorities and will continue to facilitate such exchanges between authorities to ensure consistent application of data protection law throughout the EU, in accordance with its mandate.”

Earlier this week, Turkish competition authorities also announced an investigation into WhatsApp’s updated terms and conditions—objecting to what they characterized as discrepancies in the amount of data that will be shared with Facebook under the new terms in Europe versus elsewhere.

Meanwhile, on Monday, Ireland’s Data Protection Commission—which serves as WhatsApp’s primary data regulator in the EU—informed us that the messaging app has assured them that EU users will not be affected by any expanded data-sharing practices. Therefore, Facebook’s lead regulator in the EU has not expressed any objections to the new WhatsApp terms and conditions.

WhatsApp has also asserted that there are no alterations to its data sharing practices anywhere in the world as a result of this update.

It is evident that a communication breakdown has occurred somewhere in the process—which makes the Italian objection to a lack of clarity in the wording of the new terms and conditions appear justified.

When asked for comment regarding the GPDP’s intervention, a WhatsApp spokesperson stated:

The manner in which the Italian agency could intervene concerning the WhatsApp terms and conditions presents an interesting question. (And, indeed, we have reached out to the GPDP for further clarification.)

The GDPR’s one-stop-shop mechanism directs cross-border complaints to the lead data supervisor in the region where a company has its main base (Ireland in WhatsApp’s case). However, as previously noted, Ireland has—to date—indicated that it does not foresee any issues with WhatsApp’s updated terms and conditions.

Nevertheless, under the GDPR, other DPAs do possess the authority to take action independently when they believe there is an immediate risk to users’ data.

For example, in 2019, the Hamburg DPA instructed Google to cease manual reviews of excerpts from Google Assistant users’ audio recordings (which had been reviewed as part of a quality assessment program).

In that instance, Hamburg notified Google of its intention to use the GDPR’s Article 66 powers, which permit a national agency to halt data processing if it believes there is “an urgent need to act in order to protect the rights and freedoms of data subjects”. That notice immediately prompted Google to suspend human reviews across Europe.

The technology company subsequently modified the program’s operation. The Hamburg DPA did not even need to invoke Article 66—the mere threat of a processing cessation order was sufficient.

Approximately 1.5 years later, there are indications that numerous EU data protection agencies—outside of a few key jurisdictions that oversee the majority of large technology companies—are becoming frustrated by what they perceive as a lack of regulatory action against major tech firms.

Consequently, there may be a growing willingness among these agencies to employ innovative procedures to protect citizens’ data. (And it is noteworthy that France’s CNIL recently imposed substantial fines on Amazon and Google regarding cookie consents—acting under the ePrivacy Directive, which does not include a GDPR-style one-stop-shop mechanism.)

In related news this week, an opinion issued by an advisor to the EU’s highest court also appears to address concerns about GDPR enforcement delays.

In the opinion, Advocate General Bobek argues that the law allows national DPAs to initiate their own legal proceedings in certain circumstances—including to adopt “urgent measures” or to intervene “following the lead data protection authority having decided not to handle a case.”

A ruling from the CJEU on that case is still pending, but the court generally aligns with the recommendations of its advisors, suggesting that we are likely to see increased data protection enforcement activity from EU DPAs in the coming years, rather than relying on a few DPAs to make all the significant decisions.



This report was updated with comment from the EDPB
