Ireland Urged to Investigate Facebook-WhatsApp Data Sharing | EDPB

EU Regulator Orders Investigation into WhatsApp Data Sharing

An investigation into the legality of data sharing practices linked to a contentious WhatsApp policy update has been mandated by the European Data Protection Board (EDPB) to Facebook’s primary EU regulator.

A request for comment has been directed to the Irish Data Protection Commission (DPC). (Update: Their official statement is included below.)

Background on the Policy Update

Initially slated for implementation earlier this year, updated terms of service for the Facebook-owned messaging application were postponed to May following substantial user privacy concerns and ambiguity surrounding data processing details.

Despite the policy update proceeding, the terms of service have continued to attract scrutiny from regulatory bodies and advocacy groups globally.

For instance, the Indian government has repeatedly requested Facebook to retract the new terms.

Within Europe, privacy regulators and consumer advocacy organizations have voiced objections regarding the lack of transparency in how these terms are presented to users.

A temporary blocking order was issued by a German data protection authority in May, applying nationally.

EDPB's Urgent Binding Decision

This current development is noteworthy as it represents the first urgent, legally binding decision made by the EDPB under the General Data Protection Regulation (GDPR).

While the Board did not concur with ordering definitive measures against Facebook-WhatsApp, as initially requested by the Hamburg DPA, it determined that the prerequisites for establishing an infringement and urgency were not fulfilled.

The Board’s involvement stems from the utilization of Article 66 powers within GDPR by Hamburg’s data protection authority.

Hamburg DPA's Initial Actions

In May, the Hamburg authority instructed Facebook to refrain from applying the updated terms to German users.

Their analysis revealed that the policy granted WhatsApp extensive authority to share data with Facebook, without a clearly defined legal justification for processing user data.

Hamburg also asserted that the Irish DPC had not adequately investigated the data sharing between Facebook and WhatsApp when concerns were initially raised, prompting the Article 66 intervention.

As part of this process, the Hamburg DPA requested a binding decision from the EDPB.

This request aimed to circumvent the Irish regulator’s perceived slow pace by seeking a Board order for enforcement measures applicable across the entire EU, effectively blocking data sharing between WhatsApp and Facebook.

EDPB's Assessment and Findings

However, the Board’s evaluation concluded that Hamburg did not meet the criteria for demonstrating that the Irish DPC had failed to provide information in response to a formal request for mutual assistance under Article 61 GDPR.

Furthermore, the Board ruled that the adoption of the updated terms by WhatsApp – which it acknowledges “contain similar problematic elements as the previous version” – does not, in itself, establish the urgency required for the EDPB to mandate the lead supervisor to adopt final measures under Article 66(2) GDPR.

Consequently, as stated by the Hamburg DPA, data exchange between WhatsApp and Facebook remains “unregulated at the European level”.

Update from the Irish DPC: The DPC has acknowledged receipt of the EDPB’s decision and will now proceed with a thorough investigation into the matter.

Article 66 Powers and GDPR Enforcement

Article 66 of the General Data Protection Regulation (GDPR) holds significant importance as it permits EU data protection authorities to deviate from the regulation's one-stop-shop system.

Typically, cross-border complaints, particularly those directed at large technology companies, are channeled through a leading supervisory authority – often the Irish Data Protection Commission (DPC). This process is frequently perceived as a hindrance to effective data protection enforcement, especially when dealing with tech giants.

The Mechanism of Article 66

An urgency proceeding under Article 66 empowers any data supervisor within the EU to implement provisional measures immediately. This is contingent upon the situation fulfilling the requirements for such emergency intervention.

This provides a means to circumvent bottlenecks, albeit for a limited duration. The power allows for swift action when necessary.

Recent Applications and Impact

Since the GDPR’s implementation in 2018, several EU data protection authorities have utilized, or indicated their intention to utilize, the powers granted by Article 66.

The provision is demonstrating increasing value in modifying the practices of major technology companies. For instance, Italy’s DPA recently invoked Article 66 to compel TikTok to remove a substantial number of accounts suspected of belonging to underage users.

Influence Through Threat of Use

Even the mere possibility of Article 66 being employed, as seen in Hamburg in 2019, prompted Google to halt manual reviews of audio recordings captured by Google Assistant.

This ultimately resulted in significant policy adjustments from multiple tech companies that had been conducting similar manual reviews of user interactions with their voice AI systems.

Limitations of Article 66

However, provisional measures enacted under Article 66 are restricted to a three-month timeframe and are applicable only at the national level, not EU-wide.

This represents a constrained authority. In scenarios like the WhatsApp-Facebook case, where a Terms of Service (ToS) update is the issue, Facebook could potentially wait out the three-month period and then implement the policy in Germany once the suspension order expires.

EDPB Decision and Implications

Consequently, Hamburg sought a binding decision from the European Data Protection Board (EDPB). The Board’s decision not to intervene in this specific case represents a setback for those advocating for stronger GDPR enforcement against technology companies such as Facebook.

Data Sharing Between WhatsApp and Facebook: Regulatory Concerns

The Hamburg data protection authority voiced its dissatisfaction with the Board’s decision to refrain from implementing definitive measures to curtail data sharing between WhatsApp and Facebook. A complete statement from the authority is included below. Concerns were also expressed regarding the lack of a set timeframe for the Irish DPC to investigate the legal justification for this data exchange.

To date, Ireland’s data protection authority has finalized only one GDPR decision against a major technology company – that being Twitter. This fact fuels apprehension that, without a firm deadline, the mandated investigation could be indefinitely postponed.

EDPB Intervention and Regulator Scrutiny

Despite this, the EDPB’s directive to the Irish DPC to thoroughly examine the specifics of the Facebook-WhatsApp data sharing represents a significant intervention by a pan-European body. It publicly challenges a regulator with a well-known history of hesitating to conduct rigorous privacy investigations.

This reluctance has been demonstrably evident in the WhatsApp case. Despite substantial concerns raised regarding the policy update – both within Europe and internationally – Facebook’s primary EU data supervisor did not initiate a formal investigation, nor did it publicly object to the changes.

Initial Responses from the DPC

In January, when questioned about these concerns, the DPC informed TechCrunch that it had received “confirmation” from WhatsApp, owned by Facebook, that there were no alterations to data-sharing practices impacting EU users. This echoed Facebook’s assertion that the update introduced no changes, implying “nothing to be concerned about.”

The DPC stated at the time: “WhatsApp’s recent updates aim to provide users with clearer, more detailed information regarding data usage. They have assured us that these updates do not alter data-sharing practices, either within Europe or globally.” However, the DPC also acknowledged receiving “numerous queries” from stakeholders who were “confused and concerned” about the updates, mirroring Facebook’s own description of the complaints.

Temporary Pause and Ongoing Engagement

“We engaged with WhatsApp on this matter, and they confirmed a delay in the acceptance deadline for the terms, moving it from February 8th to May 15th,” the DPC continued, referencing a pause implemented by Facebook following public backlash and a surge in users migrating to alternative messaging platforms. The DPC added: “WhatsApp will also launch information campaigns to enhance clarity regarding privacy and security features. We will continue to engage with WhatsApp on these updates.”

EDPB Assessment: A Different Perspective

The EDPB’s evaluation of the WhatsApp-Facebook data-sharing terms presents a contrasting view. The Board criticized WhatsApp’s user communications as confusing and raised concerns about the legal basis for the data exchange.

In a press release, the EDPB indicated a “high likelihood of infringements,” specifically highlighting concerns related to “safety, security, and integrity of WhatsApp IE [Ireland] and the other Facebook Companies,” as well as “improvement of the products of the Facebook Companies.”

Initial User Communication and Continued Prompts

It is important to remember that WhatsApp users were initially informed that acceptance of the updated policy was mandatory, or the app would cease to function. (Facebook later revised this approach after the public outcry.) While users who have not yet accepted the terms continue to receive regular prompts, the company has not yet taken further steps to degrade the user experience beyond these recurring notifications.

Concerns Regarding Marketing and Business API

The EDPB’s concerns regarding the WhatsApp-Facebook data sharing also encompass what it describes as “a lack of information around how data is processed for marketing purposes, cooperation with the other Facebook Companies and in relation to WhatsApp Business API.” This led to the order for Ireland to conduct a comprehensive investigation.

The Board also effectively confirmed that WhatsApp users are unlikely to comprehend how Facebook utilizes their data based on the information provided, stating:

Facebook’s Response

We reached out to Facebook for a statement regarding the EDPB’s order, and received the following response from a WhatsApp spokesperson:

Facebook also asserted that it has controls in place governing “controller to processor data sharing” (between WhatsApp and Facebook), which it claims prevent the use of WhatsApp user data for Facebook’s own purposes.

The company reiterated its position that the update does not broaden WhatsApp’s capacity to share data with Facebook.

A Stalemate in GDPR Enforcement

A crucial aspect of this ongoing situation is the protracted investigation by the Irish DPC into complaints regarding WhatsApp’s adherence to GDPR transparency standards. A definitive ruling on this matter remains outstanding after several years.

Therefore, when the EDPB indicates a high probability that certain data processing activities between WhatsApp and Facebook are already occurring, it does not absolve Facebook of responsibility. This is because the DPC has not yet determined whether WhatsApp has adequately informed its users.

In short, the regulatory review process is still in progress.

The DPC initially concluded its investigation into WhatsApp’s transparency practices last year. In January, it announced that a draft decision had been submitted to other EU data protection authorities for review and potential objection on December 24, 2020, as mandated by GDPR’s collaborative decision-making framework.

Alongside this announcement, the DPC stated it was awaiting feedback on the draft decision and would subsequently clarify the expected standard of transparency for WhatsApp, as defined by EU Data Protection Authorities.

More than six months have passed, and EU WhatsApp users are still awaiting clarification on whether the company’s communications meet the legally required transparency standards. Data continues to be exchanged between Facebook and WhatsApp during this period.

The Irish DPC was contacted for a statement regarding the EDPB’s recent order and for an update on the status of the WhatsApp transparency investigation.

A response is expected later today, and this report will be updated accordingly.

Update: Graham Doyle, the DPC’s deputy commissioner, emphasized the following:

The Irish Times reported in November that WhatsApp Ireland had allocated €77.5 million to cover “potential administrative fines resulting from ongoing regulatory compliance investigations.” However, no fines have yet been levied against Facebook.

Notably, the DPC has not yet issued a final GDPR decision against Facebook or any of its subsidiaries, despite over three years since the regulation’s implementation.

Numerous GDPR complaints concerning Facebook’s data processing practices – including a May 2018 complaint targeting Facebook, Instagram, and WhatsApp’s use of “forced consent” – remain unresolved due to a lack of decisions or investigations from Ireland.

This situation casts a significant shadow over the EU’s leading data protection regulation. The Board’s current reluctance to intervene more decisively represents a lost opportunity to address a critical enforcement bottleneck within GDPR.

However, any deviation from strict legal procedure could invite legal challenges that could invalidate any progress made. Therefore, swift resolutions in the complex process of GDPR enforcement are unlikely.

Consequently, the primary beneficiaries of this stalemate are the technology companies, who can continue processing user data as they see fit, with ample time to adjust their legal, operational, and systemic structures to mitigate any eventual enforcement actions.

Ulrich Kühn, Hamburg’s deputy commissioner for data protection, echoes this sentiment in a statement responding to the EDPB’s decision:

The Hamburg authority further highlights that the Board observed “significant discrepancies between the information provided to WhatsApp users regarding the extensive use of their data by Facebook and the commitments made by the company to data protection authorities not (yet) to engage in such practices.” It also expressed “substantial doubts about the legal basis Facebook intends to rely upon when utilizing WhatsApp data for its own or shared processing,” affirming agreement with the “core arguments” against WhatsApp-Facebook data sharing.

Despite the weight of these arguments, the responsibility for action once again rests with the Irish authorities.