A long-running investigation in the European Union focused on the transparency of data-sharing between Facebook and WhatsApp has taken the first major step towards a resolution. Ireland’s Data Protection Commission (DPC) confirmed Saturday it sent a draft decision to fellow EU DPAs towards the back end of last year.
This will trigger a review process of the draft by other DPAs. Majority backing for Facebook’s lead EU data supervisor’s proposed settlement is required under the bloc’s General Data Protection Regulation (GDPR) before a decision can be finalized.
The DPC’s draft WhatsApp decision, which it told us was sent to the other supervisors for review on December 24, is only the second such draft the Irish watchdog has issued to-date in cross-border GDPR cases.
The first case to go through the process was an investigation into a Twitter security breach — which led to the company being issued with a $550,000 fine last month.
The WhatsApp case may look very timely, given the recent backlash over an update to its T&Cs, but it actually dates back to 2018, the year GDPR begun being applied — and relates to WhatsApp Ireland’s compliance with Articles 12-14 of the GDPR (which set out how information must be provided to data subjects whose information is being processed in order that they are able to exercise their rights).
In a statement, the DPC said:
“As you are aware, the DPC has been conducting an investigation into WhatsApp Ireland’s compliance with Articles 12-14 of the GDPR in terms of transparency, including in relation to transparency around what information is shared with Facebook, since 2018. The DPC has provisionally concluded this investigation and we sent a draft decision to our fellow EU Data Protection Authorities on December 24, 2020 (in accordance with Article 60 of the GDPR in order to commence the co-decision-making process) and we are waiting to receive their comments on this draft decision.
“When the process is completed and a final decision issues, it will make clear the standard of transparency to which WhatsApp is expected to adhere as articulated by EU Data Protection Authorities,” it added.
Ireland has additional ongoing GDPR investigations into other aspects of the tech giant’s business, including related to complaints filed back in May 2018 by the EU privacy rights not-for-profit, noyb (over so called ‘forced consent’). In May 2020 the DPC said that separate investigation was at the decision-making phase — but so far it has not confirmed sending a draft decision for review.
It’s also notably that the time between the DPC’s Twitter draft and the final decision being issued — after gaining majority backing from other EU DPAs — was almost seven months.
The Twitter case was relatively straightforward (a data breach) vs the more complex business of assessing ‘transparency’. So a final decision on WhatsApp seems unlikely to come to a swifter resolution. There are clearly substantial differences of opinion between DPAs on how the GDPR should be enforced across the bloc. (In the Twitter case, for example, German DPAs suggested a fine of up to $22M vs Ireland’s initial proposal of a maximum of $300k). Although there is some hope that GDPR enforcement of cross border cases will speed up as DPAs gain experience of the various processes involved in making these co-decisions.
Returning to WhatsApp, the messaging platform has had plenty of problems with transparency in recent weeks — garnering lots of unwelcome attention and concern over the privacy implications of a confusing mandatory update to its T&Cs which has contributed to a major migration of users to alternative chat platforms, such as Signal and Telegram.
The backlash led WhatsApp to announced last week that it was delaying enforcement of the new terms by three months. Last week Italy’s data protection agency also issued a warning over a lack of clarity in the T&Cs — saying it could intervene using an emergency process allowed for by EU law (which would be in addition to the ongoing DPC procedure).
On the WhatsApp T&Cs controversy, the DPC’s deputy commissioner Graham Doyle told us the regulator had received “numerous queries” from confused and concerned stakeholders which he said led it to re-engage with the company. The regulator previously obtained a commitment from WhatsApp that there is “no change to data-sharing practices either in the European Region or the rest of the world”. But it subsequently confirmed it would delay enforcement of the new terms.
“The updates made by WhatsApp last week are about providing clearer, more detailed information to users on how and why they use data. WhatsApp have confirmed to us that there is no change to data-sharing practices either in the European Region or the rest of the world arising from these updates. However, the DPC has received numerous queries from stakeholders who are confused and concerned about these updates,” Doyle said.
“We engaged with WhatsApp on the matter and they confirmed to us that they will delay the date by which people will be asked to review and accept the terms from February 8th to May 15th. In the meantime, WhatsApp will launch information campaigns to provide further clarity about how privacy and security works on the platform. We will continue to engage with WhatsApp on these updates.”
While there’s no doubt Europe’s record of enforcement of its much vaunted data protection laws against tech giants remains a major weak point of the regulation, there are signs that increased user awareness of rights and, more broadly, concern for privacy, is causing a shift in the balance of power in favor of users.
Proper privacy enforcement is still sorely lacking but Facebook being forced to put a T&Cs update on ice for three months — as its business is subject to ongoing regulatory scrutiny — suggests the days of platform giants being able to move fast and break things are firmly on the wain.
Similarly, for example, Facebook recently had to delay the launch of a dating feature in Europe while it consulted with the DPC. It also remains limited in the data it can share between WhatsApp and Facebook because of the existence of the GDPR — so still can’t share data for ad targeting and product enhancement purposes, even under the new terms.
Europe, meanwhile, is coming with ex ante rules for platform giants that will place further obligations on how they can operate with the aim of counteracting abusive behaviors and bolstering competition in digital markets.