Aleksei - stock.adobe.com

WhatsApp’s £4.8m fine raises questions for organisations using behavioural advertising

The Irish Data Protection Commissioner has fined WhatsApp, owned by Meta, in a case that will raise questions for organisations that rely on contracts rather than consent to comply with GDPR when offering behavioural advertising

The Irish Data Protection Commissioner (DPC) has fined WhatsApp, which provides an encrypted communication service, €5.5 million (£4.8m) after finding the company is unlawfully relying on a contract with its users to comply with General Data Protection Regulation (GDRP) data protection requirements.

The decision, announced 19 January 2022, will have wider implications for companies that collect data about their users and raises the question whether companies that rely on contractual necessity will need to obtain explicit consent from their users to process their data in future.

The DPC reluctantly imposed the fine on Meta and WhatsApp, which has its headquarters in Ireland, and employs around 3,000 people in the country, after the European Data Protection Board forced its hand by overturning a more lenient draft decision from the DPC in December 2022.

WhatsApp said that it strongly disagreed with the decision, which focuses on its use of customer data for “service improvement and security services” and said it would appeal.

“We strongly believe that the way the service operates is both technically and legally compliant,” said a spokesperson.

“We rely upon contractual necessity for service improvement and security purposes because we believe helping to keep people safe and offering an innovative product is a fundamental responsibility in operating our service,” the spokesperson added.

Complaint alleged ‘force consent’

The DPC’s ruling follows a complaint filed by noyb, a privacy campaigning group run by the Austrian lawyer Max Schrems, in May 2018 which accused Meta’s Facebook, Instagram and WhatsApp of forcing customers to consent to their data being collected and processed in return for using their services.

The Irish DPC fined Instagram and Facebook €390m in the first week of January for breaching GDPR in a near identical case that is likely to have implications for other companies relying on “contractual necessity” to provide personalised advertisements.

WhatsApp Ireland changed its terms of service on 25 May 2018, the day GDPR came into force, and informed users they would have to agree to the new terms if they wanted to continue using WhatsApp.

The company argued that users, by accepting the terms, entered into a contract with WhatsApp, and that processing their data was necessary to perform the contract, making processing lawful under GDPR. 

Nyob filed a complaint on the same day alleging that WhatsApp Ireland was forcing users to consent to the processing of their personal data in breach of the GDPR.

WhatsApp did not rely on consent

The DPC found in a draft decision, that WhatsApp Ireland had not relied on user’s consent to provide a lawful basis for processing their personal data. It did find that company had failed to be transparent about the legal basis it was relying on in breach of GDPR.

The Irish regulator, however, decided against imposing fines as it had already fined WhatsApp €225m for this and similar breaches over the same period.

During a consultation, six other EU regulators, known as Concerned Supervisory Authorities (CSA), objected to the DPC’s decision on the grounds that WhatsApp should not be permitted to rely on contractual necessity to deliver “service improvement and security”.

The European Data Protection Board overturned the DPC in a decision on 5 December 2022 after the regulators failed to reach an agreement with the Irish DPC.

It found that as a matter of principle, WhatsApp Ireland was not entitled to rely on the contractual necessity as a legal basis for processing personal data  for service improvement and security, in contravention of Article 6(1) of GDPR.

WhatsApp now has six months to comply.

DPC focused on ‘minor issues’

Schrems said in a statement that the DPC had limited its 4.5-year investigation to minor issues around the legal basis for using data for security purposes and service improvement.

The DPC had ignored more serious issues of WhatsApp sharing data with Meta’s other companies, Facebook and Instagram, to provide targeted advertising.

“WhatsApp still knows who you chat with most and at what time. This allows Meta to get a very close understanding of the social fabric around you,” said Schrems.

“Meta uses this information to, for example, target ads that friends were already interested in. It seems the DPC has now simply refused to decide on this matter, despite 4.5 years of investigations,” he added.

Schrems claims that the DPC and Meta collaborated to enable Meta to “bypass” the requirements of GDPR by using a contract rather than consent as a legal basis.

Documents obtained by noyb under the Freedom of Information (FoI) Act show that the DPC also attempted to introduce the use of “freedom to contract” provisions in proposed EDPB guidelines that would have benefited WhatsApp.

These proposals, made by the DPC after receiving the complaint from Noyb against Meta and its subsidiaries, were rejected by other data protection authorities.

DPC to challenge EDPB in court

The DPC said it will issue a legal challenge against a direction from the European data regulator to conduct a fresh investigation into WhatsApp.

The EDPB has directed the Irish regulator to investigate whether WhatsApp processes special categories of personal information, which can include people’s ethnic origin, political opinions, religious or philosophical beliefs or details about their sexual orientation.

The direction asks the DPC to determine whether WhatsApp uses special category information for behavioural advertising, marketing, providing metrics to third parties, or affiliated companies for service improvements, and whether that complies with GDPR.

The DPC said that it was not open to the EDPB to instruct the DPC to engage in an “open-ended and speculative investigation”. The direction may involve an “overreach” on the part of the EDPB, it said.

The Irish regulator said it would bring an action for annulment against the EDPB’s direction before the European Court of Justice of the European Union.

Read more about Meta and data protection

Read more on IT risk management