A lengthy investigation conducted by authorities in the European Union regarding the clarity of data exchange between Facebook and WhatsApp is progressing toward a potential outcome. Ireland’s Data Protection Commission (DPC) announced on Saturday that it submitted a preliminary decision to other EU Data Protection Authorities (DPAs) late in the previous year.

This action initiates a review period where other DPAs will examine the proposed decision. To finalize a ruling, a majority of the Facebook’s lead EU data supervisor’s suggested agreement must be approved, as stipulated by the bloc’s General Data Protection Regulation (GDPR).

The DPC’s draft decision concerning WhatsApp, which was communicated to the other supervisory bodies for assessment on December 24th, represents only the second such draft the Irish regulator has released in cross-border GDPR investigations to date.

The initial case to undergo this process involved an inquiry into a security incident at Twitter, resulting in a $550,000 penalty for the company last month.

The WhatsApp investigation is particularly relevant considering the recent criticism surrounding an update to its Terms & Conditions, although it actually began in 2018, coinciding with the initial application of GDPR. It centers on WhatsApp Ireland’s adherence to Articles 12-14 of the GDPR, which outline the requirements for providing information to individuals regarding the processing of their data, enabling them to exercise their rights.

In a formal statement, the DPC explained:

“Upon completion of the process and the issuance of a final decision, it will clearly define the level of transparency expected from WhatsApp, as determined by EU Data Protection Authorities,” the statement added.

A representative from WhatsApp stated: “We are continuing to work with the IDPC and are awaiting their final determination.”

The DPC currently has additional GDPR investigations underway concerning other facets of the tech company’s operations, including those stemming from complaints lodged in May 2018 by the EU privacy advocacy group, noyb, regarding “forced consent.” In May 2020, the DPC indicated that this separate investigation was nearing the decision-making stage, but has not yet confirmed the submission of a draft decision for review.

It is worth noting that the timeframe between the DPC’s initial draft regarding Twitter and the final decision, following endorsement from a majority of EU DPAs, was nearly seven months.

The Twitter case was comparatively uncomplicated—dealing with a data breach—whereas evaluating “transparency” is a more intricate undertaking. Therefore, a conclusive decision on WhatsApp is unlikely to be reached quickly. Significant disagreements exist among DPAs regarding the implementation of the GDPR across the EU. (For instance, in the Twitter case, German DPAs proposed a fine of up to $22 million, while Ireland initially suggested a maximum of $300,000). Despite these differences, there is optimism that GDPR enforcement in cross-border cases will become more efficient as DPAs gain experience with the associated mechanisms and procedures, even if fundamental ideological disparities persist.

Regarding WhatsApp, the messaging service has recently faced challenges concerning transparency, attracting considerable negative attention and raising privacy concerns due to a confusing mandatory update to its T&Cs, which prompted a substantial shift of users to alternative platforms like Signal and Telegram.

In response to the criticism, WhatsApp announced last week that it would postpone the implementation of the new terms for three months. Additionally, Italy’s data protection authority issued a warning regarding a lack of clarity in the T&Cs, indicating its potential to intervene using emergency procedures permitted under EU law, in addition to the ongoing DPC process.

Concerning the controversy surrounding WhatsApp’s T&Cs, the DPC’s deputy commissioner, Graham Doyle, informed us that the regulator had received “numerous inquiries” from stakeholders who were perplexed and worried, leading to renewed engagement with the company. The regulator had previously secured a commitment from WhatsApp that there would be “no alteration to data-sharing practices either within the European Region or elsewhere.” However, it subsequently confirmed a delay in enforcing the new terms.

“The recent updates from WhatsApp are intended to provide users with clearer, more comprehensive information about how and why their data is used. WhatsApp has assured us that these updates do not change data-sharing practices within the European Region or globally. Nevertheless, the DPC has received numerous questions from stakeholders who are confused and concerned about these updates,” Doyle stated.

“We have discussed the matter with WhatsApp, and they have agreed to postpone the date for users to review and accept the terms from February 8 to May 15. In the meantime, WhatsApp will launch information campaigns to provide further clarification about privacy and security on the platform. We will continue to engage with WhatsApp regarding these updates.”

While Europe’s track record of enforcing its data protection laws against major technology companies remains a significant weakness of the regulation, there are indications that increased user awareness of their rights and a growing concern for privacy are shifting the balance of power in favor of individuals.

Effective privacy enforcement remains critically needed, but Facebook being compelled to postpone a T&C update for three months—while its business is subject to ongoing regulatory oversight—suggests that the era of platform giants operating rapidly and disregarding consequences is coming to an end.

Similarly, Facebook recently delayed the launch of a dating feature in Europe while consulting with the DPC. It also continues to face limitations on the data it can share between WhatsApp and Facebook due to the GDPR—preventing it from using data for advertising targeting and product improvement, even under the revised terms.

Europe is also developing new regulations for large platforms that will impose further obligations on their operations, aiming to address unfair business practices and promote competition in digital markets.

This report has been updated to include a statement from WhatsApp.