Facebook Blocked in Germany Over WhatsApp Terms

Data Protection Ban: Hamburg Blocks Facebook's WhatsApp Data Processing

The data protection authority in Hamburg, Germany, has issued a prohibition against Facebook regarding the processing of supplementary user data obtained from WhatsApp. This action stems from a compulsory update to WhatsApp’s terms of service, which grants Facebook access to increased data streams.

Controversial Privacy Policy and User Backlash

Since its announcement, the updated WhatsApp privacy policy has generated considerable confusion globally. Facebook had previously delayed implementation for several months following substantial user opposition, which benefited competing messaging applications experiencing an influx of new users.

Legal Challenges and Investigations

The Indian government has also initiated legal proceedings to contest the changes to WhatsApp’s terms and conditions. Furthermore, the country’s competition authority is currently conducting an investigation into the matter.

Acceptance Deadline and Ongoing Rollout

WhatsApp users worldwide are required to accept the new terms by May 15th. After this date, the acceptance prompt will become persistent, as outlined in a WhatsApp FAQ. Facebook reports that a majority of users presented with the terms have already accepted them, though the exact proportion remains undisclosed.

Hamburg DPA's Urgent Intervention

The intervention by Hamburg’s DPA has the potential to further impede Facebook’s rollout of the updated terms, at least within Germany. The agency has invoked an urgency procedure, permitted under the European Union’s General Data Protection Regulation (GDPR), to temporarily halt data sharing for a period of three months.

WhatsApp Disputes the Order

A spokesperson for WhatsApp contested the legal basis of Hamburg’s order, characterizing it as “a fundamental misunderstanding of the purpose and effect of WhatsApp’s update.” The spokesperson asserted that the order lacks a legitimate foundation and will not hinder the continued rollout of the update.

Facebook's Commitment to Security and Privacy

The spokesperson further stated, “Our recent update explains the options people have to message a business on WhatsApp and provides further transparency about how we collect and use data. We remain fully committed to delivering secure and private communications for everyone,” suggesting Facebook-owned WhatsApp may disregard the order.

Facebook Considers Appeal

It is understood that Facebook is currently evaluating its options, including the possibility of appealing Hamburg’s decision.

Potential for EU-Wide Action

While the emergency powers utilized by Hamburg are limited to three months, the agency is also applying pressure on the European Data Protection Board (EDPB) to intervene and issue a binding decision applicable to all 27 Member States.

EDPB's Role and Limitations

The EDPB typically does not engage in making binding GDPR decisions related to specific complaints, unless EU DPAs are unable to reach a consensus on a draft GDPR decision reviewed by a lead supervisory authority under the one-stop-shop mechanism for cross-border cases.

EDPB Confirmation of Article 66

Update: The EDPB has confirmed that the GDPR allows a supervisory authority, having notified it of a decision to adopt provisional measures under Article 66, to request an urgent opinion or binding decision from the Board. This is particularly relevant if the DPA seeks to extend the measures or render them permanent.

“Art. 66 is a derogation of the GDPR’s One-Stop-Shop mechanism (Art. 60) & the consistency mechanism (Art. 63),” explained an EDPB spokeswoman. “It is a complementary procedure that can be used when a supervisory authority considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects within its territory.”

Criticism of Ireland's Data Protection Commission

The Hamburg DPA’s action also serves as a critique of Ireland’s Data Protection Commission (DPC), which serves as Facebook’s lead data supervisor in the region. The DPA is accused of failing to adequately investigate the widespread concerns surrounding the incoming WhatsApp T&Cs.

DPC Response

Update: A DPC spokeswoman stated: “As Hamburg has initiated this process as a derogation to the One Stop Shop, it is a matter for the Hamburg DPA to respond as to how it meets the threshold to initiate an urgency procedure. The Irish DPA draft decision in relation to WhatsApp will be dealt with through the Art 65 dispute resolution procedure under GDPR, since it was not possible to reach consensus among DPAs. Therefore it is for the Hamburg DPA in that latter context to qualify its own actions under Article 66 as a derogation to the OSS procedure already underway.”

Concerns Over GDPR Enforcement

Ireland’s data watchdog has faced criticism for perceived regulatory inaction in enforcing the GDPR, with accusations of failing to investigate numerous complaints and issuing weak enforcements after prolonged investigations.

Limited Enforcement Actions

To date, the DPC has issued only one GDPR decision against a tech giant (Twitter, regarding a data breach), which was contested by other EU DPAs who advocated for a more substantial penalty than the $550k fine ultimately imposed.

Frustration with the One-Stop-Shop Mechanism

GDPR investigations into Facebook and WhatsApp remain pending on the DPC’s agenda. A draft decision in one WhatsApp data-sharing transparency case was sent to other EU DPAs for review in January, but a resolution remains elusive almost three years after the regulation’s implementation.

This situation has fueled frustration among other EU DPAs regarding the lack of GDPR enforcement against major tech companies, leading some to explore alternative regulatory actions to circumvent the bottleneck created by the one-stop-shop (OSS) mechanism.

Italian DPA's Warning

The Italian DPA also issued a warning regarding the WhatsApp T&Cs change in January, stating it had contacted the EDPB to express concerns about a lack of clarity regarding the modifications.

EDPB's Role in Promoting Cooperation

The EDPB emphasized its role in fostering cooperation between supervisory authorities and its commitment to facilitating exchanges between DPAs to ensure consistent application of data protection law across the EU.

Data Sharing Concerns

The Hamburg DPA asserts that the update to WhatsApp’s terms grants the messaging platform “far-reaching powers to share data with Facebook” for the company’s own purposes, including advertising and marketing. This includes potentially sharing WhatsApp users’ location data with Facebook and transferring communication data to third parties if businesses utilize Facebook’s hosting services.

Legal Basis for Data Sharing

The agency contends that Facebook cannot legitimately rely on “legitimate interests” as a legal basis for the expanded data sharing under EU law.

Consent Requirements

Furthermore, even if Facebook intends to rely on user consent, it is deemed insufficient because the changes are not clearly explained, and users are not provided with a genuine free choice to consent or decline, as required by GDPR.

Expansion of Data Connection

“The investigation of the new provisions has shown that they aim to further expand the close connection between the two companies in order for Facebook to be able to use the data of WhatsApp users for their own purposes at any time,” Hamburg stated. “For the areas of product improvement and advertising, WhatsApp reserves the right to pass on data to Facebook companies without requiring any further consent from data subjects.”

Existing Data Exchange

“In other areas, use for the company’s own purposes in accordance to the privacy policy can already be assumed at present. The privacy policy submitted by WhatsApp and the FAQ describe, for example, that WhatsApp users’ data, such as phone numbers and device identifiers, are already being exchanged between the companies for joint purposes such as network security and to prevent spam from being sent.”

Recent Court Advisor Opinion

DPAs like Hamburg may be emboldened to take independent action on GDPR enforcement due to a recent opinion by an advisor to the EU’s top court. Advocate General Bobek suggested that EU law allows agencies to initiate their own proceedings in certain situations, including adopting “urgent measures” or intervening “following the lead data protection authority having decided not to handle a case.”

A ruling from the CJEU on this case is still pending, but the court typically aligns with the recommendations of its advisors.