In December, the European Data Protection Board (EDPB) announced three binding decisions against Meta Platforms Ireland Limited (Meta). The Irish Data Protection Commission (DPC) dealt with two of those decisions involving Facebook and Instagram when it issued Meta with a €390 million fine. On Thursday, the DPC addressed the final outstanding decision by announcing that it has fined WhatsApp Ireland €5.5 million at the conclusion of its long-running forced consent data processing investigation.
The case relates to a complaint filed by Austrian privacy group NOYB on 25 May 2018 after WhatsApp updated its Terms of Service ahead of the EU General Data Protection Regulation's (GDPR) introduction. WhatsApp informed users that they would need to select "agree and continue" to accept the new terms if they wished to continue using the messaging service. The complainant argued that this was in breach of the GDPR.
Fast forward to December, when the EDPB overturned the DPC's draft decision, which took the view Meta's GDPR bypass was legal, and requested a further WhatsApp investigation.
In its announcement today, the DPC confirmed that the EDPB decided WhatsApp "was not entitled to rely on performing a contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security." However, the DPC declined the EDPB's request to investigate whether WhatsApp "processes data for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties," claiming the EDPB's direction may "involve an overreach."
The DPC said that the "EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation." Furthermore, "to the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the European Union in order to seek the setting aside of the EDPB’s direction."
In a detailed response, which includes a thorough analysis of the case, Max Schrems, Honorary Chair of NOYB, said: "We are astonished how the DPC simply ignores the core of the case after a 4.5 year procedure. The DPC also clearly ignores the binding decision of the EDPB. It seems the DPC finally cuts loose all ties with EU partner authorities and with the requirements of EU and Irish law."
In a related post on Wednesday, the DPC refused the EDPB's request to calculate Meta's revenue, a refusal that NOYB estimates cost Irish taxpayers €3.97 billion.
