Facebook’s lead regulator in the European Union must “swiftly” investigate the legality of data-sharing related to a controversial WhatsApp policy update, following an order by the European Data Protection Board (EDPB).
We’ve reached out to the Irish Data Protection Commission (DPC) for a response.
Updated terms had been set to be imposed upon users of the Facebook-owned messaging app early this year — but in January Facebook delayed the WhatsApp terms update until May after a major privacy backlash and ongoing confusion over the details of its user data processing.
Despite WhatsApp going ahead with the policy update, the ToS has continued to face scrutiny from regulators and rights organizations around the globe.
The Indian government, for example, has repeatedly ordered Facebook to withdraw the new terms. While, in Europe, privacy regulators and consumer protection organizations have raised objections about how opaque terms are being pushed on users — and in May a German data protection authority issued a temporary (national) blocking order.
Today’s development follows that and is significant because it’s the first urgent binding decision adopted by the EDPB under the bloc’s General Data Protection Regulation (GDPR).
Although the Board has not agreed to order the adoption of final measures against Facebook-WhatsApp as the requesting data supervisor, the Hamburg DPA, had asked — saying that “conditions to demonstrate the existence of an infringement and an urgency are not met”.
The Board’s intervention in the confusing mess around the WhatsApp policy update follows the use of GDPR Article 66 powers by Hamburg’s data protection authority.
In May the latter ordered Facebook not to apply the new terms to users in Germany — saying its analysis found the policy granted “far-reaching powers” to WhatsApp to share data with Facebook, without it being clear what legal basis the tech giant was relying upon to be able to process users’ data.
Hamburg also accused the Irish DPC of failing to investigate the Facebook-WhatsApp data sharing when it raised concerns — hence seeking to take matters into its own hands by making an Article 66 intervention.
As part of the process it asked the EDPB to take a binding decision — asking it to take definitive steps to block data-sharing between WhatsApp and Facebook — in a bid to circumvent the Irish regulator’s glacial procedures by getting the Board to order enforcement measures that could be applied stat across the whole bloc.
However the Board’s assessment found that Hamburg had not met the bar for demonstrating the Irish DPC “failed to provide information in the context of a formal request for mutual assistance under Article 61 GDPR”, as it puts it.
It also decided that the adoption of updated terms by WhatsApp — which it nonetheless says “contain similar problematic elements as the previous version” — cannot “on its own” justify the urgency for the EDPB to order the lead supervisor to adopt final measures under Article 66(2) GDPR.
The upshot — as the Hamburg DPA puts it — is that data exchange between WhatsApp and Facebook remains “unregulated at the European level”.
Article 66 powers
The significance of Article 66 of the GDPR is that it allows EU data protection authorities to derogate from the regulation’s one-stop-shop mechanism — which otherwise funnels cross-border complaints (such as those against Big Tech) via a lead data supervisor (oftentimes the Irish DPC), and is thus widely seen as a bottleneck to effective enforcement of data protection (especially against tech giants).
An Article 66 urgency proceeding allows any data supervisor across the EU to immediately adopt provisional measures — provided a situation meets the criteria for this kind of emergency intervention. Which is one way to get around a bottleneck, even if only for a time-limited period.
A number of EU data protection authorities have used (or threatened to use) Article 66 powers in recent years, since GDPR came into application in 2018, and the power is increasingly proving its worth in reconfiguring certain Big Tech practices — with, for example, Italy’s DPA using it recently to force TikTok to remove hundreds of thousands of suspected underage accounts.
Just the threat of Article 66’s use back in 2019 (also by Hamburg) was enough to encourage Google to suspend manual reviews of audio recordings captured by its voice AI, Google Assistant. (And later led to a number of major policy changes by several tech giants who had similarly been manually reviewing users’ interactions with their voice AIs.)
At the same time, Article 66 provisional measures can only last three months — and only apply nationally, not across the whole EU. So it’s a bounded power. (Perhaps especially in this WhatsApp-Facebook case, where the target is a ToS update, and Facebook could simply wait out the three months and apply the policy anyway in Germany after the suspension order lapses.)
This is why Hamburg wanted the EDPB to make a binding decision. And it’s certainly a blow to privacy watchers anticipating GDPR enforcement to fall on tech giants like Facebook that the Board has declined to do so in this case.
Responding to the Board’s decision not to impose definitive measures to prevent data sharing between WhatsApp and Facebook, the Hamburg authority expressed disappointment — see below for its full statement — and also lamented that the EDPB has not set a deadline for the Irish DPC to conduct the investigation into the legal basis of the data-sharing.
Ireland’s data protection authority has only issued one final GDPR decision against a tech giant to date (Twitter) — so there is plenty of cause to be concerned that without a concrete deadline the ordered probe could be kicked down the road for years.
Nonetheless, the EDPB’s order to the Irish DPC to “swiftly” investigate the finer-grained detail of the Facebook-WhatsApp data-sharing does look like a significant intervention by a pan-EU body — as it very publicly pokes a regulator with a now infamous reputation for reluctance to actually do the job of rigorously investigating privacy concerns.
Demonstrably it has failed to do so in this WhatsApp case. Despite major concerns being raised about the policy update — within Europe and globally — Facebook’s lead EU data supervisor did not open a formal investigation and has not raised any public objections to the update.
Back in January when we asked about concerns over the update, the DPC told TechCrunch it had obtained a ‘confirmation’ from Facebook-owned WhatsApp that there was no change to data-sharing practices that would affect EU users — reiterating Facebook’s line that the update didn’t change anything, ergo ‘nothing to see here’.
“The updates made by WhatsApp last week are about providing clearer, more detailed information to users on how and why they use data. WhatsApp have confirmed to us that there is no change to data-sharing practices either in the European Region or the rest of the world arising from these updates,” the DPC told us then, although it also noted that it had received “numerous queries” from stakeholders who it described as “confused and concerned about these updates”, mirroring Facebook’s own characterization of complaints.
“We engaged with WhatsApp on the matter and they confirmed to us that they will delay the date by which people will be asked to review and accept the terms from February 8th to May 15th,” the DPC went on, referring to a pause in the ToS application deadline which Facebook enacted after a public backlash that saw scores of users signing up to alternative messaging apps, before adding: “In the meantime, WhatsApp will launch information campaigns to provide further clarity about how privacy and security works on the platform. We will continue to engage with WhatsApp on these updates.”
The EDPB’s assessment of the knotty WhatsApp-Facebook data-sharing terms looks rather different — with the Board calling out WhatsApp’s user communications as confusing and simultaneously raising concerns about the legal basis for the data exchange.
In a press release, the EDPB writes that there’s a “high likelihood of infringements” — highlighting purposes contained in the updated ToS in the areas of “safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies” as being of particular concern.
From the Board’s PR [emphasis its]:
“Considering the high likelihood of infringements in particular for the purpose of safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies, the EDPB considered that this matter requires swift further investigations. In particular to verify if, in practice, Facebook Companies are carrying out processing operations which imply the combination or comparison of WhatsApp IE’s [Ireland] user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated inter alia by the use of unique identifiers. For this reason, the EDPB requests the IE SA [Irish supervisory authority] to carry out, as a matter of priority, a statutory investigation to determine whether such processing activities are taking place or not, and if this is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR.”
NB: It’s worth recalling that WhatsApp users were initially told they must accept the updated policy or else the app would stop working. (Although Facebook later changed its approach — after the public backlash.) While WhatsApp users who still haven’t accepted the terms continue to be nagged to do so via regular pop-ups, although the tech giant does not appear to be taking steps to degrade the user experience further as yet (i.e. beyond annoying, recurring pop-ups).
The EDPB’s concerns over the WhatsApp-Facebook data-sharing extend to what it says is “a lack of information around how data is processed for marketing purposes, cooperation with the other Facebook Companies and in relation to WhatsApp Business API” — hence its order to Ireland to fully investigate.
The Board also essentially confirms the view that WhatsApp users themselves have no hope of understanding what Facebook is doing with their data by reading the comms material it has provided them with — with the Board writing [emphasis ours]:
“Based on the evidence provided, the EDPB concluded that there is a high likelihood that Facebook IE [Ireland] already processes WhatsApp IE [Ireland] user data as a (joint) controller for the common purpose of safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, and for the common purpose of improvement of the products of the Facebook Companies. However, in the face of the various contradictions, ambiguities and uncertainties noted in WhatsApp’s user-facing information, some written commitments adopted by Facebook IE [Ireland] and WhatsApp IE’s [Ireland] written submissions, the EDPB concluded that it is not in a position to determine with certainty which processing operations are actually being carried out and in which capacity.”
We contacted Facebook for a response to the EDPB’s order, and the company sent us this statement — attributed to a WhatsApp spokesperson:
“We welcome the EDPB’s decision not to extend the Hamburg DPA’s order, which was based on fundamental misunderstandings as to the purpose and effect of the update to our terms of service. We remain fully committed to delivering secure and private communications for everyone and will work with the Irish Data Protection Commission as our lead regulator in the region in order to fully address the questions raised by the EDPB.”
Facebook also claimed it has controls in place for ‘controller to processor data sharing’ (i.e. between WhatsApp and Facebook) — which it said prohibit it (Facebook) from using WhatsApp user data for its own purposes.
The tech giant went on to reiterate its line that the update does not expand WhatsApp’s ability to share data with Facebook.
GDPR enforcement stalemate
A further important component of this saga is the fact the Irish DPC has, for years, been investigating long-standing complaints against WhatsApp’s compliance with GDPR’s transparency requirements — and still hasn’t issued a final decision.
So when the EDPB says it’s highly likely that some of the WhatsApp-Facebook data-processing being objected to is already happening it doesn’t mean Facebook gets a pass for that — because the DPC hasn’t issued a verdict on whether or not WhatsApp has been up front enough with users.
tl;dr: The regulatory oversight process is still ongoing.
The DPC provisionally concluded its WhatsApp transparency investigation last year — saying in January that it sent a draft decision to the other EU data protection authorities for review (and the chance to object) on December 24, 2020; a step that’s required under the GDPR’s co-decision-making process.
In January, when it said it was still waiting to receive comments on the draft decision, it also said: “When the process is completed and a final decision issues, it will make clear the standard of transparency to which WhatsApp is expected to adhere as articulated by EU Data Protection Authorities.”
Over half a year later and WhatsApp users in the EU are still waiting to find out whether the company’s comms live up to the required legal standard of transparency or not — with their data continuing to flow between Facebook and WhatsApp in the meantime.
The Irish DPC was contacted for comment on the EDPB’s order today and with questions on the current status of the WhatsApp transparency investigation.
It told us it would have a response later today — we’ll update this report when we get it.
Back in November the Irish Times reported that WhatsApp Ireland had set aside €77.5M for “possible administrative fines arising from regulatory compliance matters presently under investigation”. No fines against Facebook have yet been forthcoming, though.
Indeed, the DPC has yet to issue a single final GDPR decision against Facebook (or a Facebook-owned company) — despite more than three years having passed since the regulation started being applied.
Scores of GDPR complaints against Facebook’s data-processing empire — such as this May 2018 complaint against Facebook, Instagram and WhatsApp’s use of so-called ‘forced consent’ — continue to languish without regulatory enforcement in the EU because there have been no decisions from Ireland (and sometimes no investigations either).
The situation is a huge black mark against the EU’s flagship data protection regulation. So the Board’s failure to step in more firmly now — to course-correct — does look like a missed opportunity to tackle a problematic GDPR enforcement bottleneck.
That said, any failure to follow the procedural letter of the law could invite a legal challenge that unpicked any progress. So it’s hard to see any quick wins in the glacial game of GDPR enforcement.
In the meantime, the winners of the stalemate are of course the tech giants who get to continue processing people’s data how they choose, with plenty of time to work on reconfiguring their legal, business and system structures to route around any enforcement damage that does eventually come.
Hamburg’s deputy commissioner for data protection, Ulrich Kühn, essentially warns as much in a statement responding to the EDPB’s decision — in which he writes:
“The decision of the European Data Protection Board is disappointing. The body, which was created to ensure the uniform application of the GDPR throughout the European Union, is missing the opportunity to clearly stand up for the protection of the rights and freedoms of hundreds of thousands of data subjects in Europe. It continues to leave this solely to the Irish supervisory authority. Despite our repeated requests over more than two years to investigate and, if necessary, sanction the matter of data exchanges between WhatsApp and Facebook, the IDPC has not taken action in this regard. It is a success of our efforts over many years that IDPC is now being urged to conduct an investigation. Nonetheless, this non-binding measure does not do justice to the importance of the issue. It is hard to imagine a case in which, against the background of the risks for the rights and freedoms of a very large number of data subjects and their de facto powerlessness vis-à-vis monopoly-like providers, the urgent need for concrete action is more obvious. The EDPB is thus depriving itself of a crucial instrument for enforcing the GDPR throughout Europe. This is not good news for data subjects and data protection in Europe as a whole.”
In further remarks the Hamburg authority emphasizes that the Board noted “considerable inconsistencies between the information with which WhatsApp users are informed about the extensive use of their data by Facebook on the one hand, and on the other the commitments made by the company to data protection authorities not (yet) to do so”; and also that it “expressed considerable doubts about the legal basis on which Facebook intends to rely when using WhatsApp data for its own or joint processing” — arguing that the Board therefore agrees with the “essential parts” of its arguments against WhatsApp-Facebook data sharing.
Despite carrying that weight of argument, the call for action is once again back in Ireland’s court.