Facebook’s lead regulator in the European Union must “swiftly” investigate the legality of data sharing related to a controversial WhatsApp policy update, following an order by the European Data Protection Board (EDPB).
We’ve reached out to the Irish Data Protection Commission (DPC) for a response. (Update: See below for their statement.)
Updated terms had been set to be imposed upon users of the Facebook-owned messaging app early this year — but in January Facebook delayed the WhatsApp terms update until May after a major privacy backlash and ongoing confusion over the details of its user data processing.
Despite WhatsApp going ahead with the policy update, the ToS has continued to face scrutiny from regulators and rights organizations around the world.
The Indian government, for example, has repeatedly ordered Facebook to withdraw the new terms. In Europe, meanwhile, privacy regulators and consumer protection organizations have raised objections about how opaque terms are being pushed on users — and in May a German data protection authority issued a temporary (national) blocking order.
Today’s development follows that and is significant as it’s the first urgent binding decision adopted by the EDPB under the bloc’s General Data Protection Regulation (GDPR).
The Board has not, however, agreed to order the adoption of final measures against Facebook-WhatsApp, as the requesting data supervisor, the Hamburg DPA, had asked — saying that “conditions to demonstrate the existence of an infringement and an urgency are not met”.
The Board’s intervention in the confusing mess around the WhatsApp policy update follows the use of GDPR Article 66 powers by Hamburg’s data protection authority.
In May the latter ordered Facebook not to apply the new terms to users in Germany — saying its analysis found the policy granted “far-reaching powers” to WhatsApp to share data with Facebook, without it being clear what legal basis the tech giant was relying upon to be able to process users’ data.
Hamburg also accused the Irish DPC of failing to investigate the Facebook-WhatsApp data sharing when it raised concerns — hence seeking to take matters into its own hands by making an Article 66 intervention.
As part of the process it asked the EDPB to take a binding decision — asking it to take definitive steps to block data-sharing between WhatsApp and Facebook — in a bid to circumvent the Irish regulator’s glacial procedures by getting the Board to order enforcement measures that could be applied immediately across the whole bloc.
However, the Board’s assessment found that Hamburg had not met the bar for demonstrating the Irish DPC “failed to provide information in the context of a formal request for mutual assistance under Article 61 GDPR”, as it puts it.
It also decided that the adoption of updated terms by WhatsApp — which it nonetheless says “contain similar problematic elements as the previous version” — cannot “on its own” justify the urgency for the EDPB to order the lead supervisor to adopt final measures under Article 66(2) GDPR.
The upshot — as the Hamburg DPA puts it — is that data exchange between WhatsApp and Facebook remains “unregulated at the European level”.
Article 66 powers
The importance of Article 66 of the GDPR is that it allows EU data protection authorities to derogate from the regulation’s one-stop-shop mechanism — which otherwise funnels cross-border complaints (such as those against Big Tech) via a lead data supervisor (oftentimes the Irish DPC), and is thus widely seen as a bottleneck to effective enforcement of data protection (especially against tech giants).
An Article 66 urgency proceeding allows any data supervisor across the EU to immediately adopt provisional measures — provided a situation meets the criteria for this kind of emergency intervention. That is one way to get around the bottleneck, even if only for a time-limited period.
A number of EU data protection authorities have used (or threatened to use) Article 66 powers in recent years, since GDPR came into application in 2018, and the power is increasingly proving its worth in reconfiguring certain Big Tech practices — with, for example, Italy’s DPA using it recently to force TikTok to remove hundreds of thousands of suspected underage accounts.
Just the threat of Article 66’s use back in 2019 (also by Hamburg) was enough to encourage Google to suspend manual reviews of audio recordings captured by its voice AI, Google Assistant. (And it later led to a number of major policy changes by several tech giants who had similarly been manually reviewing users’ interactions with their voice AIs.)
At the same time, Article 66 provisional measures can only last three months — and only apply nationally, not across the whole EU. So it’s a bounded power. (Perhaps especially in this WhatsApp-Facebook case, where the target is a ToS update, and Facebook could just wait out the three months and apply the policy anyway in Germany after the suspension order lapses.)
This is why Hamburg wanted the EDPB to make a binding decision. And it’s certainly a blow to privacy watchers eager for GDPR enforcement to fall on tech giants like Facebook that the Board has declined to do so in this case.
Unregulated data sharing
Responding to the Board’s decision not to impose definitive measures to prevent data sharing between WhatsApp and Facebook, the Hamburg authority expressed disappointment — see below for its full statement — and also lamented that the EDPB has not set a deadline for the Irish DPC to conduct the investigation into the legal basis of the data sharing.
Ireland’s data protection authority has only issued one final GDPR decision against a tech giant to date (Twitter) — so there is plenty of cause to be concerned that without a concrete deadline the ordered probe could be kicked down the road for years.
Nonetheless, the EDPB’s order to the Irish DPC to “swiftly” investigate the finer-grained detail of the Facebook-WhatsApp data sharing does look like a significant intervention by a pan-EU body — as it very publicly pokes a regulator with a now infamous reputation for reluctance to actually do the job of rigorously investigating privacy concerns.
Demonstrably it has failed to do so in this WhatsApp case. Despite major concerns being raised about the policy update — within Europe and globally — Facebook’s lead EU data supervisor did not open a formal investigation and has not raised any public objections to the update.
Back in January when we asked about concerns over the update, the DPC told TechCrunch it had obtained a “confirmation” from Facebook-owned WhatsApp that there was no change to data-sharing practices that would affect EU users — reiterating Facebook’s line that the update didn’t change anything, ergo “nothing to see here”.
“The updates made by WhatsApp last week are about providing clearer, more detailed information to users on how and why they use data. WhatsApp have confirmed to us that there is no change to data-sharing practices either in the European Region or the rest of the world arising from these updates,” the DPC told us then, although it also noted that it had received “numerous queries” from stakeholders who it described as “confused and concerned about these updates”, mirroring Facebook’s own characterization of complaints.
“We engaged with WhatsApp on the matter and they confirmed to us that they will delay the date by which people will be asked to review and accept the terms from February 8th to May 15th,” the DPC went on, referring to a pause in the ToS application deadline which Facebook enacted after a public backlash that saw scores of users signing up to alternative messaging apps, before adding: “In the meantime, WhatsApp will launch information campaigns to provide further clarity about how privacy and security works on the platform. We will continue to engage with WhatsApp on these updates.”
The EDPB’s assessment of the knotty WhatsApp-Facebook data-sharing terms looks rather different — with the Board calling out WhatsApp’s user communications as confusing and simultaneously raising concerns about the legal basis for the data exchange.
In a press release, the EDPB writes that there’s a “high likelihood of infringements” — highlighting purposes contained in the updated ToS in the areas of “safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies” as being of particular concern.
From the Board’s PR [emphasis its]:
Considering the high likelihood of infringements in particular for the purpose of safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies, the EDPB considered that this matter requires swift further investigations. In particular to verify if, in practice, Facebook Companies are carrying out processing operations which imply the combination or comparison of WhatsApp IE’s [Ireland] user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated inter alia by the use of unique identifiers. For this reason, the EDPB requests the IE SA [Irish supervisory authority] to carry out, as a matter of priority, a statutory investigation to determine whether such processing activities are taking place or not, and if this is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR.
NB: It’s worth recalling that WhatsApp users were initially told they must accept the updated policy or else the app would stop working. (Although Facebook later changed its approach — after the public backlash.) WhatsApp users who still haven’t accepted the terms continue to be nagged to do so via regular pop-ups, although the tech giant does not appear to be taking steps to degrade the user experience further as yet (i.e. beyond the annoying, recurring pop-ups).
The EDPB’s concerns over the WhatsApp-Facebook data sharing extend to what it says is “a lack of information around how data is processed for marketing purposes, cooperation with the other Facebook Companies and in relation to WhatsApp Business API” — hence its order to Ireland to fully investigate.
The Board also essentially confirms the view that WhatsApp users themselves have no hope of understanding what Facebook is doing with their data by reading the comms material it has provided them with — with the Board writing [emphasis ours]:
Based on the evidence provided, the EDPB concluded that there is a high likelihood that Facebook IE [Ireland] already processes WhatsApp IE [Ireland] user data as a (joint) controller for the common purpose of safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, and for the common purpose of improvement of the products of the Facebook Companies. However, in the face of the various contradictions, ambiguities and uncertainties noted in WhatsApp’s user-facing information, some written commitments adopted by Facebook IE [Ireland] and WhatsApp IE’s [Ireland] written submissions, the EDPB concluded that it is not in a position to determine with certainty which processing operations are actually being carried out and in which capacity.
We contacted Facebook for a response to the EDPB’s order, and the company sent us this statement — attributed to a WhatsApp spokesperson:
We welcome the EDPB’s decision not to extend the Hamburg DPA’s order, which was based on fundamental misunderstandings as to the purpose and effect of the update to our terms of service. We remain fully committed to delivering secure and private communications for everyone and will work with the Irish Data Protection Commission as our lead regulator in the region in order to fully address the questions raised by the EDPB.
Facebook also claimed it has controls in place for “controller to processor data sharing” (i.e. between WhatsApp and Facebook) — which it said prohibit it (Facebook) from using WhatsApp user data for its own purposes.
The tech giant went on to reiterate its line that the update does not expand WhatsApp’s ability to share data with Facebook.
GDPR enforcement stalemate
A further vital component to this saga is the fact the Irish DPC has, for years, been investigating long-standing complaints against WhatsApp’s compliance with GDPR’s transparency requirements — and still hasn’t issued a final decision.
So when the EDPB says it’s highly likely that some of the WhatsApp-Facebook data-processing being objected to is already going on, it doesn’t mean Facebook gets a pass for that — because the DPC hasn’t yet issued a verdict on whether or not WhatsApp has been up front enough with users.
tl;dr: The regulatory oversight process is still ongoing.
The DPC provisionally concluded its WhatsApp transparency investigation last year — saying in January that it sent a draft decision to the other EU data protection authorities for review (and the chance to object) on December 24, 2020; a step that’s required under the GDPR’s co-decision-making process.
In January, when it said it was still waiting to receive comments on the draft decision, it also said: “When the process is completed and a final decision issues, it will make clear the standard of transparency to which WhatsApp is expected to adhere as articulated by EU Data Protection Authorities.”
Over half a year later, WhatsApp users in the EU are still waiting to find out whether the company’s comms live up to the required legal standard of transparency or not — with their data continuing to pass between Facebook and WhatsApp in the meanwhile.
The Irish DPC was contacted for comment on the EDPB’s order today and with questions on the current status of the WhatsApp transparency investigation.
It told us it would have a response later today — we’ll update this report when we get it.
Update: The DPC’s deputy commissioner Graham Doyle said [emphasis his]:
This Article 66 procedure was about whether the EDPB, on request from Hamburg, would take final measures confirming the provisional measures applied by the Hamburg SA against Facebook. The EDPB decided not to take measures, as insufficient evidence to ground such measures was presented by the Hamburg SA.
Measures, had they been decided by the Board, would not in any case be measures that would be adopted by the Irish DPC. They would be measures adopted by the EDPB. This is a decision of the Board based on a request from Hamburg SA under a provision that is a derogation to the cooperation and consistency mechanism.
The DPC notes the request of the Board and will give consideration to any appropriate regulatory follow-up where it identifies matters canvassed in the EDPB decision have not already been addressed in the Article 60 draft decision transmitted by the DPC (and now currently with the Board under Article 65).
The DPC also has a separate, complaint-based inquiry ongoing that considers the legal basis that WhatsApp relies upon for processing. That inquiry is also at an advanced stage.
Back in November the Irish Times reported that WhatsApp Ireland had set aside €77.5 million for “possible administrative fines arising from regulatory compliance matters presently under investigation”. No fines against Facebook have yet been forthcoming, though.
Indeed, the DPC has yet to issue a single final GDPR decision against Facebook (or a Facebook-owned company) — despite more than three years having passed since the regulation started being applied.
Scores of GDPR complaints against Facebook’s data-processing empire — such as this May 2018 complaint against Facebook, Instagram and WhatsApp’s use of so-called “forced consent” — continue to languish without regulatory enforcement in the EU because there have been no decisions from Ireland (and sometimes no investigations either).
The situation is a huge black mark against the EU’s flagship data protection regulation. So the Board’s failure to step in more firmly now — to course-correct — does look like a missed opportunity to tackle a problematic GDPR enforcement bottleneck.
That said, any failure to follow the procedural letter of the law could invite a legal challenge that unpicks any progress. So it’s hard to see any quick wins in the glacial game of GDPR enforcement.
In the meanwhile, the winners of the stalemate are of course the tech giants who get to continue processing people’s data how they choose, with plenty of time to work on reconfiguring their legal, business and system structures to route around any enforcement damage that does eventually come.
Hamburg’s deputy commissioner for data protection, Ulrich Kühn, essentially warns as much in a statement responding to the EDPB’s decision — in which he writes:
The decision of the European Data Protection Board is disappointing. The body, which was created to ensure the uniform application of the GDPR throughout the European Union, is missing the opportunity to clearly stand up for the protection of the rights and freedoms of millions of data subjects in Europe. It continues to leave this solely to the Irish supervisory authority. Despite our repeated requests over more than two years to investigate and, if necessary, sanction the matter of data exchanges between WhatsApp and Facebook, the IDPC has not taken action in this regard. It is a success of our efforts over many years that IDPC is now being urged to conduct an investigation. Nonetheless, this non-binding measure does not do justice to the importance of the issue. It is hard to imagine a case in which, against the background of the risks for the rights and freedoms of a very large number of data subjects and their de facto powerlessness vis-à-vis monopoly-like providers, the urgent need for concrete action is more obvious. The EDPB is thus depriving itself of a crucial instrument for enforcing the GDPR throughout Europe. This is no good news for data subjects and data protection in Europe as a whole.
In further remarks the Hamburg authority emphasizes that the Board noted “considerable inconsistencies between the information with which WhatsApp users are informed about the extensive use of their data by Facebook on the one hand, and on the other the commitments made by the company to data protection authorities not (yet) to do so”; and also that it “expressed considerable doubts about the legal basis on which Facebook intends to rely when using WhatsApp data for its own or joint processing” — arguing that the Board therefore agrees with the “essential parts” of its arguments against WhatsApp-Facebook data sharing.
Despite carrying that weight of argument, the call for action is once again back in Ireland’s court.