WhatsApp slapped for processing data without a lawful basis under EU’s GDPR

Another bill has come in for Meta for failing to comply with the European Union’s General Data Protection Regulation (GDPR) — but this one’s a tiddler! Meta-owned messaging platform WhatsApp has been fined €5.5 million (just under $6 million) by the tech giant’s lead data protection regulator in the region for failing to have a lawful basis for certain types of personal data processing.

Back in December, Meta’s chief regulator, the Irish Data Protection Commission (DPC), was given orders to issue a final decision on this complaint (which dates back to May 2018) — via a binding decision from the European Data Protection Board (EDPB) — along with two other complaints, against Facebook and Instagram.

Those two final decision emerged from the DPC earlier this month, when it announced a total of €310 million in penalties and gave Meta three months to find a valid legal basis for that ads processing. But while the latter pair of GDPR decisions tackled Meta’s lack of a valid legal basis for processing user data to run behavioral advertising (aka, its core business model), with the WhatsApp final decision Ireland appears to have skirted the ads processing legality issue entirely — since its inquiry has focused on the legal basis Meta claimed for “service improvements” and “security.”

Here Meta had (similarly) sought to rely on a claim of contractual necessity — but Ireland has now found (via EDPB order) that it can’t.

The DPC has given WhatsApp six months to mend its ways for these purposes of data processing. This means it will need to find a way to lawfully process the data (perhaps by asking users if they consent to such purposes and not processing their data if they don’t).

But the regulator has simply declined to act on a parallel EDPB instruction telling the DPC to investigate whether WhatsApp processes user (meta)data for ads. And this has led to fresh cries, by the original complainant, of yet another stitch-up by the much criticized Irish regulator.

In a press release, noyb, the privacy rights not-for-profit behind the original strategic complaints pulls no punches — arguing that Ireland is essentially giving the EDPB the finger at this point.

“We are astonished how the DPC simply ignores the core of the case after a 4.5 year procedure. The DPC also clearly ignores the binding decision of the EDPB. It seems the DPC finally cuts loose all ties with EU partner authorities and with the requirements of EU and Irish law,” said its honorary chairman, Max Schrems, in a typically pithy and punchy statement.

While messaging content on WhatsApp is end-to-end encrypted — which means, assuming you trust Meta’s implementation of the Signal protocol, that this information should be protected from its prying eyes — the social media giant can still glean insights on users by tracking their WhatsApp metadata (i.e., who’s talking to who, how often). The company can also connect the dots and users to accounts and public (or otherwise non-E2EE) digital activity across other services it owns (and, potentially, third-party services it’s seeded with tracking technologies)… So, basically, Meta’s data-gathering net is long (and wide).

That means there are certainly questions to be asked about how it might be processing WhatsApp users’ data for marketing purposes — and what legal basis it’s relying on for any such processing.

WhatsApp users may remember the major controversy that kicked off back in 2021 — when the platform announced an update to its T&Cs that it said users had to accept in order to carry on using the service. It wasn’t clear exactly what was changing in the updated terms. But, whatever was going on, Meta sure wasn’t giving WhatsApp users a free choice over the matter! And while regulatory attention on that issue led to what appeared to be a bit of a climbdown by Meta, which stopped sending aggressive pop-ups demanding EU users agree (or leave), the whole episode led to widespread confusion about what exactly it was doing with WhatsApp user data (and how it was doing it, legally speaking).

The episode also sparked some consumer protection complaints, which led, last summer, to the European Commission giving the company a month to fix the confusing T&Cs and “clearly inform” consumers about its business model.

None of the confusion and mistrust around WhatsApp’s T&Cs was helped by a much earlier U-turn on syncing user data with Facebook — when the platform flipped a founder pledge never to cross those streams. In short, it’s a mess — and a mess that Europe’s regulators can’t claim to have cleaned up.

Yet despite all the ongoing confusion and privacy concerns, the DPC appears spectacularly uninterested in taking a proper look at how WhatsApp may be processing user data for ads.

“The DPC has now limited the 4.5 year procedure to the minor issues of the legal basis for using data for security purposes and for service improvement,” writes noyb, accusing the regulator of essentially ignoring this major component of its complaint. “The DPC thereby ignores the major issues of sharing WhatsApp data with Meta’s other companies (Facebook and Instagram) for advertisement as well as other purposes.”

The DPC’s press release announcing its final decision almost entirely avoids making mention of behavioral advertising — until the finale, when the phrase does crop up. But only because it quotes the EDPB’s instruction to it — to conduct a fresh investigation of “WhatsApp IE’s [Ireland’s] processing operations in its service in order to determine if it processes special categories of personal data (Article 9 GDPR), processes data for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, and in order to determine if it complies with the relevant obligations under the GDPR.”

So the opportunity was there for Ireland to grasp the nettle on WhatsApp users’ behalf and follow the data streams to draw a clear picture of what Meta’s ownership of the E2EE messaging platform really means for users’ privacy. (And, remember, Meta’s behavioral ad targeting empire currently lacks a lawful basis for ads processing on Facebook and Instagram in the EU.)

But instead of getting on with investigating WhatsApp’s data processing, the Irish regulator has opted to instruct its lawyers to challenge the EDPB’s binding decision and seek to get it annulled in court.

Update: Meta has now responded to the DPC decision — sending us this statement, attributed to a WhatsApp spokesperson, in which it confirms it will appeal:

WhatsApp has led the industry on private messaging by providing end-to-end encryption and layers of privacy that protect people. We strongly believe that the way the service operates is both technically and legally compliant. We rely upon contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service. We disagree with the decision and we intend to appeal.