Details:
Summary | The Irish DPA (DPC) has fined WhatsApp Ireland Ltd. EUR 5.5 million. The Austrian organization ‘None of Your Business’ (NOYB) had filed a complaint with the DPA on behalf of an individual.
WhatsApp had updated its terms of service shortly before the GDPR came into force. In its new terms of service, WhatsApp informed its users to click ‘Agree and Continue’ to indicate their agreement with the new terms of service. This was required for further access to the services. WhatsApp assumed that the acceptance of the updated terms of use constituted a contract between WhatsApp and the user, since the processing of the data would be necessary for the provision as well as the improvement of the services. According to WhatsApp, the data processing was therefore lawful pursuant to Art. 6 (1) b) GDPR. However, the complainant argued that WhatsApp was actually trying to rely on consent as a legal basis for processing users’ data. By making the access to its services conditional on users’ consent to the updated terms of service, WhatsApp was forcing users to consent to the processing of their personal data. Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other European supervisory authorities concerned. The DPC found that WhatsApp did not rely on user consent as a legal basis, and did not consider ‘coerced consent’ in this case. It also did not rule out the possibility that WhatsApp relied on a contractual legal basis. In response, the DPC received objections from different supervisory authorities. However, the DPC found that WhatsApp had breached its transparency obligations under the GDPR, by not clearly explaining to users for what purpose and on what legal basis their personal data would be processed. As no agreement could be reached on the disputed points, the DPC initiated a dispute resolution procedure pursuant to Art. 65 GDPR. In its decision, the EDPB confirmed the violation of transparency obligations by WhatsApp. However, the EDPB took a different position than the DPC on the issue of the legal basis and found that WhatsApp was not entitled to rely on a contractual legal basis. The EDPB therefore found that WhatsApp had violated Art. 6 (1) GDPR. The DPC agreed in its final decision and imposed the fine and also required WhatsApp to bring its data processing into compliance within three months. |
Link: | link link |
Related articles: | Art. 6 (1) GDPR, Art. 12 GDPR, Art. 13 (1) c) GDPR |
Type: | Insufficient legal basis for data processing |
Fine: | EUR 5,500,000 |
Sector | Media, Telecoms and Broadcasting |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/