
By Giorgos Skampoulos, LL.M. Associate
The dispute at issue was initiated on the basis of a complaint submitted to the Irish Data Protection Authority by a data subject, a user of the services of the company WhatsApp Ireland Limited. The complainant argued that WhatsApp relied on a “forced consent”, given by the complainant in accepting the Terms of Use and Privacy Policy of the application, in order to process a variety of personal data that were not connected to core contractual obligations. The processing related to improvements of the application and not to the exchange of messages or calls, which is the main object of the application. Thus, according to the complaint, WhatsApp processed the personal data without having a legitimate basis for processing. The Irish Supervisory Authority, after investigating the matter, referred it to the European Council in order to initiate the procedure for a final resolution of the dispute.
The European Data Protection Board shall, within the scope of its powers, issue reasoned binding decisions addressed to the competent supervisory authorities of the Member States. It therefore issued its Decision No 5/2022, in which it found that WhatsApp was not operating in compliance with its relevant obligations under the General Data Protection Regulation. In particular, it found that the text of the WhatsApp Terms of Use regarding the purposes of processing was ambiguous, specifically as to the “security and protection of the App”, and adopted general wording, whereas according to the GDPR the purposes of processing should be clearly and specifically identified by the Data Controller. Given that the average user cannot fully understand what is meant by application enhancement and security features and their impact on personal data, he or she reasonably expects to find the relevant analysis solely on the basis of the terms of use, which should be clear, understandable and detailed.
In addition, the Board, while recognizing fundamental principles underlying Community legislation on personal data, noted that, although the possibility of improving services may usually be included in the contractual terms, such processing cannot usually be considered objectively necessary for the performance of the contract with the user, nor was that demonstrated in the present case. Therefore, WhatsApp could not rely on the contract as a legitimate basis for processing the personal data.
In light of the above, the European Data Protection Board instructed the Irish Supervisory Authority to take appropriate remedial action, including, but not limited to, considering the imposition of an administrative fine for the infringement in question; to conduct further investigations to determine whether special categories of personal data or data for advertising and marketing purposes are being processed; and to include in its final decision an instruction to WhatsApp to comply with the GDPR.