Published On: Fri, Jul 16th, 2021

Ireland must ‘swiftly’ investigate legality of Facebook-WhatsApp data sharing, says EDPB

Facebook’s lead regulator in the European Union must “swiftly” investigate the legality of data sharing related to a controversial WhatsApp policy update, following an order by the European Data Protection Board (EDPB).

We’ve reached out to the Irish Data Protection Commission (DPC) for a response. (Update: See below for their statement.)

Updated terms had been set to be imposed on users of the Facebook-owned messaging app early this year — but in January Facebook delayed the WhatsApp terms update until May after a major privacy backlash and ongoing confusion over the details of its user data processing.

Despite WhatsApp going ahead with the policy update, the ToS has continued to face scrutiny from regulators and rights organizations around the world.

The Indian government, for example, has repeatedly ordered Facebook to withdraw the new terms. While, in Europe, privacy regulators and consumer protection organizations have raised objections about how ambiguous terms are being pushed on users — and in May a German data protection authority issued a temporary (national) blocking order.

Today’s development follows that and is significant as it’s the first urgent binding decision adopted by the EDPB under the bloc’s General Data Protection Regulation (GDPR).

Although the Board has not resolved to order the adoption of final measures against Facebook-WhatsApp as the requesting data supervisor, the Hamburg DPA, had asked — saying that “conditions to demonstrate the existence of an infringement and an urgency are not met”.

The Board’s intervention in the confusing mess around the WhatsApp policy update follows the use of GDPR Article 66 powers by Hamburg’s data protection authority.

In May the latter ordered Facebook not to apply the new terms to users in Germany — saying its analysis found the policy granted “far-reaching powers” to WhatsApp to share data with Facebook, without it being clear what legal basis the tech giant was relying on to be able to process users’ data.

Hamburg also accused the Irish DPC of failing to investigate the Facebook-WhatsApp data sharing when it raised concerns — hence seeking to take matters into its own hands by making an Article 66 intervention.

As part of the process it asked the EDPB to take a binding decision — asking it to take definitive steps to block data-sharing between WhatsApp and Facebook — in a bid to circumvent the Irish regulator’s glacial procedures by getting the Board to order enforcement measures that could be applied stat across the whole bloc.

However, the Board’s assessment found that Hamburg had not met the bar for demonstrating the Irish DPC “failed to provide information in the context of a formal request for mutual assistance under Article 61 GDPR”, as it puts it.

It also decided that the adoption of updated terms by WhatsApp — which it nonetheless says “contain similar problematic elements as the previous version” — cannot “on its own” justify the urgency for the EDPB to order the lead supervisor to adopt final measures under Article 66(2) GDPR.

The upshot — as the Hamburg DPA puts it — is that data exchange between WhatsApp and Facebook remains “unregulated at the European level”.


Article 66 powers

The importance of Article 66 of the GDPR is that it allows EU data protection authorities to derogate from the regulation’s one-stop-shop mechanism — which otherwise funnels cross-border complaints (such as those against Big Tech) via a lead data supervisor (oftentimes the Irish DPC), and is thus widely seen as a bottleneck to effective enforcement of data protection (especially against tech giants).

An Article 66 urgency proceeding allows any data supervisor across the EU to immediately adopt provisional measures — provided the situation meets the criteria for this kind of emergency intervention. Which is one way to get around the bottleneck, even if only for a time-limited period.

A number of EU data protection authorities have used (or threatened to use) Article 66 powers in recent years, since GDPR came into application in 2018, and the power is increasingly proving its worth in reconfiguring certain Big Tech practices — with, for example, Italy’s DPA using it recently to force TikTok to remove hundreds of thousands of suspected underage accounts.

Just the threat of Article 66’s use back in 2019 (also by Hamburg) was enough to encourage Google to suspend manual reviews of audio recordings captured by its voice AI, Google Assistant. (And later led to a number of major policy changes by several tech giants who had similarly been manually reviewing users’ interactions with their voice AIs.)

At the same time, Article 66 provisional measures can only last 3 months — and only apply nationally, not across the whole EU. So it’s a limited power. (Perhaps especially in this WhatsApp-Facebook case, where the target is a ToS update, and Facebook could just wait out the 3 months and apply the policy anyway in Germany after the suspension order lapses.)

This is why Hamburg wanted the EDPB to make a binding decision. And it’s certainly a blow to privacy watchers eager for GDPR enforcement to fall on tech giants like Facebook that the Board has declined to do so in this case.

Unregulated data sharing

Responding to the Board’s decision not to impose definitive measures to prevent data sharing between WhatsApp and Facebook, the Hamburg authority expressed disappointment — see below for its full statement — and also lamented that the EDPB has not set a deadline for the Irish DPC to conduct the investigation into the legal basis of the data sharing.

Ireland’s data protection authority has only issued one final GDPR decision against a tech giant to date (Twitter) — so there is plenty of cause to be concerned that without a concrete deadline the ordered investigation could be kicked down the road for years.

Nonetheless, the EDPB’s order to the Irish DPC to “swiftly” investigate the finer-grained detail of the Facebook-WhatsApp data sharing does look like a significant intervention by the pan-EU body — as it very publicly pokes a regulator with a now infamous reputation for reluctance to actually do the job of rigorously investigating privacy concerns.

Demonstrably it has failed to do so in this WhatsApp case. Despite major concerns being raised about the policy update — within Europe and globally — Facebook’s lead EU data supervisor did not open a formal investigation and has not raised any public objections to the update.

Back in January when we asked about concerns over the update, the DPC told TechCrunch it had obtained a “confirmation” from Facebook-owned WhatsApp that there was no change to data-sharing practices that would affect EU users — reiterating Facebook’s line that the update didn’t change anything, ergo “nothing to see here”.

“The updates made by WhatsApp last week are about providing clearer, more detailed information to users on how and why they use data. WhatsApp have confirmed to us that there is no change to data-sharing practices either in the European Region or the rest of the world arising from these updates,” the DPC told us then, although it also noted that it had received “numerous queries” from stakeholders who it described as “confused and concerned about these updates”, mirroring Facebook’s own characterization of complaints.

“We engaged with WhatsApp on the matter and they confirmed to us that they will delay the date by which people will be asked to review and accept the terms from February 8th to May 15th,” the DPC went on, referring to a postponement in the ToS application deadline that Facebook enacted after a public backlash that saw scores of users signing up to alternative messaging apps, before adding: “In the meantime, WhatsApp will launch information campaigns to provide further clarity about how privacy and security works on the platform. We will continue to engage with WhatsApp on these updates.”

The EDPB’s assessment of the knotty WhatsApp-Facebook data-sharing terms looks rather different — with the Board calling out WhatsApp’s user communications as confusing and simultaneously raising concerns about the legal basis for the data exchange.

In a press release, the EDPB writes that there’s a “high likelihood of infringements” — highlighting purposes contained in the updated ToS in the areas of “safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies” as being of particular concern.

From the Board’s PR [emphasis its]:

Considering the high likelihood of infringements in particular for the purpose of safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies, the EDPB considered that this matter requires swift further investigations. In particular to establish if, in practice, Facebook Companies are carrying out processing operations which imply the combination or comparison of WhatsApp IE’s [Ireland] user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated inter alia by the use of unique identifiers. For this reason, the EDPB requests the IE SA [Irish supervisory authority] to carry out, as a matter of priority, a statutory investigation to establish whether such processing activities are taking place or not, and if this is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR.

NB: It’s worth recalling that WhatsApp users were initially told they must accept the updated policy or else the app would stop working. (Although Facebook later changed its approach — after the public backlash.) While WhatsApp users who still haven’t accepted the terms continue to be nagged to do so via regular pop-ups, although the tech giant does not appear to be taking steps to degrade the user experience further as yet (i.e. beyond annoying, repeated pop-ups).

The EDPB’s concerns over the WhatsApp-Facebook data sharing extend to what it says is “a lack of information around how data is processed for marketing purposes, cooperation with the other Facebook Companies and in relation to WhatsApp Business API” — hence its order to Ireland to fully investigate.

The Board also essentially confirms the view that WhatsApp users themselves have no hope of understanding what Facebook is doing with their data by reading the comms material it has provided them with — with the Board writing [emphasis ours]:

Based on the evidence provided, the EDPB concluded that there is a high likelihood that Facebook IE [Ireland] already processes WhatsApp IE [Ireland] user data as a (joint) controller for the common purpose of safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, and for the common purpose of improvement of the products of the Facebook Companies. However, in the face of the various contradictions, ambiguities and uncertainties noted in WhatsApp’s user-facing information, some written commitments adopted by Facebook IE [Ireland] and WhatsApp IE’s [Ireland] written submissions, the EDPB concluded that it is not in a position to establish with certainty which processing operations are actually being carried out and in which capacity.

We contacted Facebook for a response to the EDPB’s order, and the company sent us this statement — attributed to a WhatsApp spokesperson:

We welcome the EDPB’s decision not to extend the Hamburg DPA’s order, which was based on fundamental misunderstandings as to the purpose and effect of the update to our terms of service. We remain fully committed to delivering secure and private communications for everyone and will work with the Irish Data Protection Commission as our lead regulator in the region in order to fully address the questions raised by the EDPB.

Facebook also claimed it has controls in place for “controller to processor data sharing” (i.e. between WhatsApp and Facebook) — which it said prohibit it (Facebook) from using WhatsApp user data for its own purposes.

The tech giant went on to reiterate its line that the update does not expand WhatsApp’s ability to share data with Facebook.


GDPR enforcement stalemate

A further major component to this saga is the fact the Irish DPC has, for years, been investigating long-standing complaints against WhatsApp’s compliance with GDPR’s transparency requirements — and still hasn’t issued a final decision.

So when the EDPB says it’s highly likely that some of the WhatsApp-Facebook data-processing being objected to is already going on it doesn’t mean Facebook gets a pass for that — because the DPC hasn’t issued a verdict on whether or not WhatsApp has been up front enough with users.

tl;dr: The regulatory oversight process is still ongoing.

The DPC provisionally concluded its WhatsApp transparency investigation last year — saying in January that it sent a draft decision to the other EU data protection authorities for review (and the chance to object) on December 24, 2020; a step that’s required under the GDPR’s co-decision-making process.

In January, when it said it was still waiting to receive comments on the draft decision, it also said: “When the process is completed and a final decision issues, it will make clear the standard of transparency to which WhatsApp is expected to adhere as articulated by EU Data Protection Authorities.”

Over a half a year later and WhatsApp users in the EU are still waiting to find out whether the company’s comms lives up to the required legal standard of transparency or not — with their data continuing to pass between Facebook and WhatsApp in the meanwhile.

The Irish DPC was contacted for comment on the EDPB’s order today and with questions on the current status of the WhatsApp transparency investigation.

It told us it would have a response later today — we’ll update this report when we get it.

Update: The DPC’s deputy commissioner Graham Doyle said [emphasis his]:

This Article 66 procedure was about whether the EDPB on request from Hamburg would take final measures confirming the provisional measures applied by the Hamburg SA against Facebook. The EDPB decision decided not to take measures as insufficient evidence to ground such measures was presented by the Hamburg SA.

Measures, had they been decided by the Board, would not in any case be measures that would be adopted by the Irish DPC. They would be measures adopted by the EDPB. This is a decision of the Board based on a request from Hamburg SA under a provision that is a derogation to the cooperation and consistency mechanism.

The DPC, of course, has already carried out an in-depth inquiry into WhatsApp’s privacy policy user facing material in the context of its transparency inquiry. That inquiry reached the Article 60 (co-decision making) stage in December 2020 and is now proceeding through the dispute resolution procedure. The Hamburg SA has been actively involved in the decision-making process since December 2020 and the dispute resolution process (which commenced in June) is an EDPB-led initiative, involving all other supervisory authorities.

The DPC notes the request of the Board and will give consideration to any appropriate regulatory follow-up where it identifies matters canvassed in the EDPB decision have not already been addressed in the Article 60 draft decision transmitted by the DPC (and now with the Board under Article 65).

The DPC also has a separate, complaint-based inquiry ongoing that considers the legal basis that WhatsApp relies on for processing. That inquiry is also at an advanced stage.

Back in November the Irish Times reported that WhatsApp Ireland had set aside €77.5 million for “possible administrative fines arising from regulatory compliance matters currently under investigation”. No fines against Facebook have yet been forthcoming, though.

Indeed, the DPC has yet to issue a single final GDPR decision against Facebook (or a Facebook-owned company) — despite more than 3 years having passed since the law started being applied.

Scores of GDPR complaints against Facebook’s data-processing empire — such as this May 2018 complaint against Facebook, Instagram and WhatsApp’s use of so-called “forced consent” — continue to languish without regulatory enforcement in the EU because there have been no decisions from Ireland (and sometimes no investigations either).

The situation is a huge black mark against the EU’s flagship data protection regulation. So the Board’s failure to step in more firmly now — to course-correct — does look like a missed opportunity to tackle a problematic GDPR enforcement bottleneck.

That said, any failure to follow the procedural letter of the law could invite a legal challenge that unpicked any progress. So it’s hard to see any quick wins in the glacial game of GDPR enforcement.

In the meanwhile, the winners of the stand-off are of course the tech giants who get to continue processing people’s data how they choose, with plenty of time to work on reconfiguring their legal, business and system structures to route around any enforcement damage that does eventually come.

Hamburg’s deputy commissioner for data protection, Ulrich Kühn, essentially warns as much in a statement responding to the EDPB’s decision in the matter — in which he writes:

The decision of the European Data Protection Board is disappointing. The body, which was created to ensure the uniform application of the GDPR throughout the European Union, is missing the opportunity to clearly stand up for the protection of the rights and freedoms of millions of data subjects in Europe. It continues to leave this only to the Irish supervisory authority. Despite our repeated requests over more than two years to investigate and, if necessary, sanction the matter of data exchanges between WhatsApp and Facebook, the IDPC has not taken action in this regard. It is a success of our efforts over many years that IDPC is now being urged to conduct an investigation. Nonetheless, this non-binding measure does not do justice to the importance of the issue. It is hard to imagine a case in which, against the background of the risks for the rights and freedoms of a very large number of data subjects and their de facto powerlessness vis-à-vis monopoly-like providers, the urgent need for concrete action is more obvious. The EDPB is thus depriving itself of an essential instrument for enforcing the GDPR throughout Europe. This is no good news for data subjects and data protection in Europe as a whole.

In further remarks the Hamburg authority emphasizes that the Board noted “considerable inconsistencies between the information with which WhatsApp users are informed about the extensive use of their data by Facebook on the one hand, and on the other the commitments made by the company to data protection authorities not (yet) to do so”; and also that it “expressed considerable doubts about the legal basis on which Facebook intends to rely when using WhatsApp data for its own or joint processing” — arguing that the Board therefore agrees with the “essential parts” of its arguments against WhatsApp-Facebook data sharing.

Despite carrying that weight of argument, the call for action is once again back in Ireland’s court.
