Analysis: “The EDPB’s Binding decision on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland” by Tiago Sérgio Cabral
On 28 July 2021, the European Data Protection Board (EDPB) adopted Binding Decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland, under Article 65(1)(a) of the General Data Protection Regulation (GDPR). Through this decision the EDPB aimed to address a number of objections raised by concerned supervisory authorities (CSAs) regarding the draft decision submitted by the Data Protection Commission (DPC), the Irish Supervisory Authority and lead supervisory authority (LSA) in this case.
The Board’s Binding Decision (No. 1/2021) follows an investigation by the DPC regarding the use of personal data of users and non-users by WhatsApp Ireland. Data protection professionals have been closely monitoring this case for a considerable number of reasons: (i) the DPC has been criticized for its lack of enforcement of the GDPR, and this case closes one of the authority’s first large investigations against tech companies; and (ii) key aspects of data protection law, related to the legal bases for data processing, transparency and the rules governing sanctions, are under discussion and, as such, this case will have a wide impact across the entire EU.
In this Analysis we will try to draw the readers’ attention to what we believe are the more important elements of Decision 1/2021 and the ones which will have a more profound impact on data protection law in the EU (coincidentally, they are also the most controversial). Decisions of the EDPB under Article 65 of the GDPR are especially relevant since, even though they refer to a concrete case, they represent the joint position of the Board regarding a certain matter. Therefore, even if the reader’s LSA is the Spanish, the Polish or any other European data protection authority, it is very likely that this decision will still be of interest. What this Analysis will not do is provide an assessment or an opinion on the substance of the Board’s analysis. That is, we will not comment on whether the Board is right or wrong in its decisions, because doing so would entail a much more complete and complex legal analysis than what is possible or adequate here.
A quick reminder on how the system works
Before we begin our analysis of the decision itself, it is important to note that Decision 1/2021 follows the GDPR rules on dispute resolution (Article 65 of the GDPR), according to which:
- The supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller. This is the LSA, which leads the investigation.
- However, the LSA does not act alone: it must cooperate with the CSAs and submit the draft decision for their consideration. If the CSAs do not agree with a conclusion of the draft decision, they may submit reasoned and relevant objections to it.
- If the LSA decides not to follow the reasoned and relevant objections, the EDPB is called upon to decide and issue a binding decision concerning all the matters which are subject to the reasoned and relevant objections.
The EDPB’s decision binds the LSA/DPC. Therefore, even though it is not a final decision, any conclusions by the Board will be reflected in the LSA/DPC’s final decision. In fact, if one reads the DPC’s final decision (which is already available), it is very easy to see the influence of the Board, as some sections are directly copied from Decision 1/2021.
With this introduction completed, and before we move on to our analysis, it is important for the reader to know the (fairly high) sanctions resulting from the DPC’s final decision:
- a reprimand to WhatsApp Ireland Limited pursuant to Article 58(2)(b) GDPR;
- an order for the company to, within a period of 3 months, bring processing operations into compliance, pursuant to Article 58(2)(d) GDPR, and
- a fine totaling 225 million euros.
Main objections and the EDPB’s decision
a) On the information provided regarding legitimate interests
In its draft decision, the LSA had considered WhatsApp Ireland to be in compliance with Article 13(1)(d) GDPR as the information provided regarding legitimate interests was provided in a meaningful manner allowing the user to understand the legitimate interests being pursued.
The objections to the LSA’s conclusion raised by the CSAs of other Member States concerned mostly the need to ensure that the information was clearer and more detailed, since the information provided did not allow the data subject to understand the specific legitimate interest being pursued and the processing operations needed to do so.
Assessing these objections, the EDPB stated that ‘the purpose of these duties of the controller is to enable data subjects to exercise their rights under the GDPR’ and that the information currently provided was not sufficient to do so. Thus, the Board concluded that ‘specific information about what legitimate interests relate to each processing operation, and about which entity pursues each legitimate interest, is necessary’ and instructed the LSA to amend its draft decision, including an infringement of Article 13(1)(d) GDPR in its findings.
The EDPB also instructed the LSA to amend its decision by including an infringement of Article 13(2)(e) GDPR, on the consideration that it was not sufficiently clear ‘what is necessary and what consequences arise from the failure to provide certain information’ within the context of the contract regarding online services entered into by the data subjects.
b) On whether the result of the lossy hashing procedure should be considered as personal data
According to WhatsApp Ireland, it ‘only processes the non-users’ phone numbers for the minimum time required to apply cryptographic lossy hashing, which is generally no more than a few seconds. This process generates a new value (known as a “lossy-hashed value”) based on the phone number. It is this lossy-hashed value, and not the non-users’ phone numbers, that is stored by WhatsApp’.
In its draft decision, the LSA had considered that, even though non-users’ phone numbers used in the context of the Contact Feature were personal data, the result of the lossy hashing procedure should not be considered personal data (because it was anonymised).
A number of CSAs disagreed with this conclusion, putting forward scenarios in which the data could, in theory, be re-identified. In its response, the LSA acknowledged this issue but argued that a ‘zero-risk approach is likely to result in very few, if any, processes achieving anonymization’ and questioned whether this was the will of the legislator. It further considered that such a position could be difficult to sustain in court.
Nonetheless, the EDPB sided with the CSAs regarding this issue and ordered the LSA to amend the decision and to extend the infringement of Article 14 GDPR already contained within the draft decision also to the data to which the lossy hashing was applied.
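The dispute in this section turns on a measurable property: how many phone numbers share each lossy-hashed value (the anonymity set size, k). The following is an added example, not code from the decision or from WhatsApp, that computes k over a constructed candidate number space; it assumes, as a stand-in for WhatsApp’s undisclosed scheme, a lossy hash made of SHA-256 truncated to a chosen number of bits, and the number range it uses is synthetic.

```python
import hashlib
from collections import Counter


def lossy_hash(phone: str, bits: int) -> int:
    """Stand-in lossy hash (an assumption, not WhatsApp's real scheme):
    SHA-256 of the E.164 string, keeping only the top `bits` bits, so that
    many numbers collide on the same output once `bits` is small."""
    if not 1 <= bits <= 256:
        raise ValueError("bits must be between 1 and 256")
    digest = hashlib.sha256(phone.encode("ascii")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def anonymity_report(numbers, bits: int) -> dict:
    """Hash every number in the candidate space and report the anonymity
    set size k of each output. min_k == 1 means at least one hashed value
    corresponds to exactly one number in the space (pseudonymous, not
    anonymous); a large min_k means every output hides among many numbers."""
    buckets = Counter(lossy_hash(n, bits) for n in numbers)
    sizes = buckets.values()
    return {
        "bits": bits,
        "buckets": len(buckets),
        "min_k": min(sizes),
        "max_k": max(sizes),
        "singletons": sum(1 for s in sizes if s == 1),
        "expected_k": len(numbers) / 2 ** bits,
    }


# Constructed candidate space: a synthetic block of 20,000 numbers, not real
# subscribers. A real numbering plan is larger, but still tiny next to a
# 64-bit (let alone 256-bit) hash output, which is why the anonymity question
# depends on how much of the output is actually discarded.
CANDIDATE_SPACE = [f"+3519{i:08d}" for i in range(20_000)]

if __name__ == "__main__":
    for bits in (8, 16, 64):
        r = anonymity_report(CANDIDATE_SPACE, bits)
        print(f"{r['bits']:3d} bits: {r['buckets']:6d} buckets, "
              f"k in [{r['min_k']}, {r['max_k']}], singletons={r['singletons']}")
```

With 8 output bits every value hides among roughly 78 candidate numbers, while with 64 bits every number in the space gets its own value, which is the situation the CSAs' re-identification scenarios describe.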
c) Infringement of Article 5(1)(a) GDPR
Assessing an objection by the Italian DPA (the Hungarian DPA also presented an objection regarding this point, but it was considered as not providing a clear demonstration of the risks, as specifically required by Article 4(24) GDPR), the EDPB addressed whether an infringement of Articles 12-14 GDPR would always result in an infringement of the principle of transparency. In this decision, the EDPB does not create a direct link according to which an infringement of one would always result in an infringement of the other, nor does it offer any criteria to understand in which situations it does and in which it does not. In fact, the EDPB states only that ‘an infringement of the transparency obligations under Articles 12-14 GDPR can, depending on the circumstances of the case, amount to an infringement of the transparency principle’. The Board concludes that, in this specific case, such an infringement of the principle of transparency exists.
It is important to note that WhatsApp Ireland had argued that this approach may result in a situation where, from a procedural perspective, the controller is punished twice for the same conduct. In addition, the EDPB considered that WhatsApp Ireland ‘[had] been provided the right to be heard on this issue, contrary to its claims, since it had the opportunity to express its point of view on the objections raised by the CSA’. Both these points are quite interesting and will certainly be highly debated in the court proceedings arising from this decision. In particular, regarding the second, one should note that being provided ‘the opportunity to express its point of view on the objections raised by the CSA’ may not be considered enough to comply with Articles 47 and 48 of the Charter of Fundamental Rights of the EU, which could reveal a significant gap within the current dispute resolution rules.
d) On the corrective measures
The Board considered that the initial six-month deadline proposed by the LSA in its draft decision to allow WhatsApp Ireland to bring its processing operations into compliance with the GDPR was excessive, and ordered it to be reduced to three months.
The specific amount of the administrative fine was discussed in depth by the supervisory authorities. Regarding the definition of the relevant turnover, the EDPB considered the case law of the CJEU in the field of competition law ‘relevant when assessing the turnover to be taken into account in the context of Article 83 GDPR, in particular for the verification of the upper limit of the amount of the fine under Article 83(4)-(6) GDPR’. Therefore, ‘when a parent company and its subsidiary are found to form a single undertaking within the meaning of Articles 101 and 102 TFEU, this means that the conduct of the subsidiary may be imputed to the parent company, without having to establish the personal involvement of the latter in the infringement. In particular, the parent company may be held liable for the fine’ and ‘when a parent company and its subsidiary form the single undertaking that has been found liable for the infringement committed by the subsidiary, the total turnover of its component companies determines the financial capacity of the single undertaking in question’.
Furthermore, the EDPB considered that the ‘preceding financial year’ relevant for the calculation of the fine was the financial year preceding the LSA final decision and not the LSA draft decision.
The Board also disagreed with the LSA on the interpretation of Article 83(3) GDPR, which states that ‘if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement’. While the LSA had maintained that this provision should be interpreted as meaning that only the most serious infringement should be taken into account when calculating the fine, the EDPB considered that ‘although the fine itself may not exceed the legal maximum of the highest fining tier, the offender shall still be explicitly found guilty of having infringed several provisions and these infringements have to be taken into account when assessing the amount of the final fine that is to be imposed’.
Lastly, the EDPB also ordered the LSA to review the specific value proposed for the administrative fine, since the Board considered that it ‘does not adequately reflect the seriousness and severity of the infringements nor has a dissuasive effect on WhatsApp IE’. Therefore, the fine did not fulfil the requirement of being effective, proportionate and dissuasive. While the Board did not direct the LSA to a specific amount, it is important to note that the draft decision had proposed a fine in the range of 30 to 50 million euros, much lower than the final value of 225 million euros.
Binding Decision 1/2021 and the DPC’s final decision are just the first chapter in the case’s history. WhatsApp Ireland will appeal this decision, and the EDPB’s interpretation of the law will likely be put to the test both in the Irish courts and in the Court of Justice.
The latter’s decision, in particular, will certainly create a(nother) fairly interesting landmark case as the Court of Justice will have to decide not only on the interpretation of a few key norms of the GDPR, but also on the interplay between data protection and other fundamental rights enshrined in the Charter (Articles 47 and 48 are a notable example).
Tiago Sérgio Cabral is a lawyer working on Technology, Privacy, Data Protection, Cybersecurity and Artificial Intelligence. He is also a Researcher at the Research Centre for Justice and Governance – EU Law (University of Minho, Portugal). The author’s opinions are his own.