Facebook’s lead regulator in the European Union should “swiftly” investigate the legality of data sharing related to a controversial WhatsApp policy update, following an order by the European Data Protection Board (EDPB).
We’ve reached out to the Irish Data Protection Commission (DPC) for a response. (Update: See below for its statement.)
Updated terms had been set to be imposed upon users of the Facebook-owned messaging app early this year — but in January Facebook delayed the WhatsApp terms update until May after a major privacy backlash and ongoing confusion over the details of its user data processing.
Despite WhatsApp going ahead with the policy update, the ToS has continued to face scrutiny from regulators and rights organizations around the world.
The Indian government, for example, has repeatedly ordered Facebook to withdraw the new terms. In Europe, meanwhile, privacy regulators and consumer protection organizations have raised objections about how opaque terms are being pushed on users — and in May a German data protection authority issued a temporary (national) blocking order.
Today’s development follows that and is significant as it’s the first urgent binding decision adopted by the EDPB under the bloc’s General Data Protection Regulation (GDPR).
However, the Board has not agreed to order the adoption of final measures against Facebook-WhatsApp as the requesting data supervisor, the Hamburg DPA, had asked — saying that “conditions to demonstrate the existence of an infringement and an urgency are not met”.
The Board’s intervention in the confusing mess around the WhatsApp policy update follows the use of GDPR Article 66 powers by Hamburg’s data protection authority.
In May the latter ordered Facebook not to apply the new terms to users in Germany — saying its analysis found the policy granted “far-reaching powers” to WhatsApp to share data with Facebook, without it being clear what legal basis the tech giant was relying upon to be able to process users’ data.
Hamburg also accused the Irish DPC of failing to investigate the Facebook-WhatsApp data sharing when it raised concerns — hence seeking to take matters into its own hands by making an Article 66 intervention.
As part of the process it asked the EDPB to take a binding decision — asking it to take definitive steps to block data-sharing between WhatsApp and Facebook — in a bid to circumvent the Irish regulator’s glacial procedures by getting the Board to order enforcement measures that could be applied stat across the whole bloc.
However, the Board’s assessment found that Hamburg had not met the bar for demonstrating the Irish DPC “failed to provide information in the context of a formal request for mutual assistance under Article 61 GDPR”, as it puts it.
It also decided that the adoption of updated terms by WhatsApp — which it nonetheless says “contain similar problematic elements as the previous version” — cannot “on its own” justify the urgency for the EDPB to order the lead supervisor to adopt final measures under Article 66(2) GDPR.
The upshot — as the Hamburg DPA puts it — is that data exchange between WhatsApp and Facebook remains “unregulated at the European level”.
Article 66 powers
The importance of Article 66 of the GDPR is that it allows EU data protection authorities to derogate from the regulation’s one-stop-shop mechanism — which otherwise funnels cross-border complaints (such as those against Big Tech) via a lead data supervisor (oftentimes the Irish DPC), and is thus widely seen as a bottleneck to effective enforcement of data protection (especially against tech giants).
An Article 66 urgency proceeding allows any data supervisor across the EU to immediately adopt provisional measures — provided a situation meets the criteria for this kind of emergency intervention. That is one way to get around a bottleneck, even if only for a time-limited period.
A number of EU data protection authorities have used (or threatened to use) Article 66 powers in recent years, since GDPR came into application in 2018, and the power is increasingly proving its worth in reconfiguring certain Big Tech practices — with, for example, Italy’s DPA using it recently to force TikTok to remove a whole lot of hundreds of suspected underage accounts.
Just the threat of Article 66’s use back in 2019 (also by Hamburg) was enough to encourage Google to suspend manual reviews of audio recordings captured by its voice AI, Google Assistant. (And later led to a number of major policy changes by several tech giants who had similarly been manually reviewing users’ interactions with their voice AIs.)
At the same time, Article 66 provisional measures can only last three months — and only apply nationally, not across the whole EU. So it’s a bounded power. (Perhaps especially in this WhatsApp-Facebook case, where the target is a ToS update, and Facebook could simply wait out the three months and apply the policy anyway in Germany after the suspension order lapses.)
This is why Hamburg wanted the EDPB to make a binding decision. And it’s certainly a blow to privacy watchers eager for GDPR enforcement to fall on tech giants like Facebook that the Board has declined to do so in this case.
Unregulated data sharing
Responding to the Board’s decision not to impose definitive measures to prevent data sharing between WhatsApp and Facebook, the Hamburg authority expressed disappointment — see below for its full statement — and also lamented that the EDPB has not set a deadline for the Irish DPC to conduct the investigation into the legal basis of the data sharing.
Ireland’s data protection authority has only issued one final GDPR decision against a tech giant so far (Twitter) — so there’s plenty of cause to be concerned that without a concrete deadline the ordered probe could be kicked down the road for years.
Nonetheless, the EDPB’s order to the Irish DPC to “swiftly” investigate the finer-grained detail of the Facebook-WhatsApp data sharing does look like a significant intervention by a pan-EU body — as it very publicly pokes a regulator with a now infamous reputation for reluctance to actually do the job of rigorously investigating privacy concerns.
Demonstrably it has failed to do so in this WhatsApp case. Despite major concerns being raised about the policy update — within Europe and globally — Facebook’s lead EU data supervisor did not open a formal investigation and has not raised any public objections to the update.
Back in January when we asked about concerns over the update, the DPC told TechChange it had obtained a “confirmation” from Facebook-owned WhatsApp that there was no change to data-sharing practices that would affect EU users — reiterating Facebook’s line that the update didn’t change anything, ergo “nothing to see here”.
“The updates made by WhatsApp last week are about providing clearer, more detailed information to users on how and why they use data. WhatsApp have confirmed to us that there is no change to data-sharing practices either in the European Region or the rest of the world arising from these updates,” the DPC told us then, although it also noted that it had received “numerous queries” from stakeholders who it described as “confused and concerned about these updates”, mirroring Facebook’s own characterization of complaints.
“We engaged with WhatsApp on the matter and they confirmed to us that they will delay the date by which people will be asked to review and accept the terms from February 8th to May 15th,” the DPC went on, referring to a pause in the ToS application deadline which Facebook enacted after a public backlash that saw scores of users signing up to alternative messaging apps, before adding: “In the meantime, WhatsApp will launch information campaigns to provide further clarity about how privacy and security works on the platform. We will continue to engage with WhatsApp on these updates.”
The EDPB’s assessment of the knotty WhatsApp-Facebook data-sharing terms looks rather different — with the Board calling out WhatsApp’s user communications as confusing and simultaneously raising concerns about the legal basis for the data exchange.
In a press release, the EDPB writes that there’s a “high likelihood of infringements” — highlighting purposes contained in the updated ToS in the areas of “safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies” as being of particular concern.
From the Board’s PR [emphasis its]:
Considering the high likelihood of infringements in particular for the purpose of safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies, the EDPB considered that this matter requires swift further investigations. In particular to verify if, in practice, Facebook Companies are carrying out processing operations which imply the combination or comparison of WhatsApp IE’s [Ireland] user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated inter alia by way of unique identifiers. For this reason, the EDPB requests the IE SA [Irish supervisory authority] to carry out, as a matter of priority, a statutory investigation to determine whether such processing activities are taking place or not, and if so, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR.
NB: It’s worth recalling that WhatsApp users were initially told they must accept the updated policy or else the app would stop working. (Although Facebook later changed its approach — after the public backlash.) WhatsApp users who still haven’t accepted the terms continue to be nagged to do so via regular pop-ups, although the tech giant does not appear to be taking steps to degrade the user experience further as yet (i.e. beyond annoying, recurring pop-ups).
The EDPB’s concerns over the WhatsApp-Facebook data sharing extend to what it says is “a lack of information around how data is processed for marketing purposes, cooperation with the other Facebook Companies and in relation to WhatsApp Business API” — hence its order to Ireland to fully investigate.
The Board also essentially confirms the view that WhatsApp users themselves have no hope of understanding what Facebook is doing with their data by reading the comms material it has provided them with — with the Board writing [emphasis ours]:
Based on the evidence provided, the EDPB concluded that there is a high likelihood that Facebook IE [Ireland] already processes WhatsApp IE [Ireland] user data as a (joint) controller for the common purpose of safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, and for the common purpose of improvement of the products of the Facebook Companies. However, in the face of the various contradictions, ambiguities and uncertainties noted in WhatsApp’s user-facing information, some written commitments adopted by Facebook IE [Ireland] and WhatsApp IE’s [Ireland] written submissions, the EDPB concluded that it is not in a position to determine with certainty which processing operations are actually being carried out and in which capacity.
We contacted Facebook for a response to the EDPB’s order, and the company sent us this statement — attributed to a WhatsApp spokesperson:
We welcome the EDPB’s decision not to extend the Hamburg DPA’s order, which was based on fundamental misunderstandings as to the purpose and effect of the update to our terms of service. We remain fully committed to delivering secure and private communications for everyone and will work with the Irish Data Protection Commission as our lead regulator in the region in order to fully address the questions raised by the EDPB.
Facebook also claimed it has controls in place for “controller to processor data sharing” (i.e. between WhatsApp and Facebook) — which it said prohibit it (Facebook) from using WhatsApp user data for its own purposes.
The tech giant went on to reiterate its line that the update does not expand WhatsApp’s ability to share data with Facebook.
GDPR enforcement stalemate
A further vital component to this saga is the fact the Irish DPC has, for years, been investigating long-standing complaints against WhatsApp’s compliance with GDPR’s transparency requirements — and still hasn’t issued a final decision.
So when the EDPB says it’s highly likely that some of the WhatsApp-Facebook data-processing being objected to is already happening it doesn’t mean Facebook gets a pass for that — because the DPC hasn’t issued a verdict on whether or not WhatsApp has been up front enough with users.
tl;dr: The regulatory oversight process is still ongoing.
The DPC provisionally concluded its WhatsApp transparency investigation last year — saying in January that it sent a draft decision to the other EU data protection authorities for review (and the chance to object) on December 24, 2020; a step that’s required under the GDPR’s co-decision-making process.
In January, when it said it was still waiting to receive comments on the draft decision, it also said: “When the process is completed and a final decision issues, it will make clear the standard of transparency to which WhatsApp is expected to adhere as articulated by EU Data Protection Authorities.”
Over half a year later and WhatsApp users in the EU are still waiting to find out whether the company’s comms lives up to the required legal standard of transparency or not — with their data continuing to pass between Facebook and WhatsApp in the meantime.
The Irish DPC was contacted for comment on the EDPB’s order today and with questions on the current status of the WhatsApp transparency investigation.
It told us it would have a response later today — we’ll update this report when we get it.
Update: The DPC’s deputy commissioner Graham Doyle said [emphasis his]:
This Article 66 procedure was about whether the EDPB on request from Hamburg would take final measures confirming the provisional measures applied by the Hamburg SA against Facebook. The EDPB decision decided not to take measures as insufficient evidence to ground such measures was provided by the Hamburg SA.
Measures, had they been decided by the Board, would not in any case be measures that would be adopted by the Irish DPC. They would be measures adopted by the EDPB. This is a decision of the Board based on a request from Hamburg SA under a provision that is a derogation to the cooperation and consistency mechanism.
The DPC, of course, has already carried out an in-depth inquiry into WhatsApp’s privacy policy user-facing material in the context of its transparency inquiry. That inquiry reached the Article 60 (co-decision making) stage in December 2020 and is now progressing through the dispute resolution procedure. The Hamburg SA has been actively involved in the decision-making process since December 2020 and the dispute resolution process (which commenced in June) is an EDPB-led initiative, involving all other supervisory authorities.
The DPC notes the request of the Board and will give consideration to any appropriate regulatory follow-up where it identifies matters canvassed in the EDPB decision have not already been addressed in the Article 60 draft decision transmitted by the DPC (and now currently with the Board under Article 65).
The DPC also has a separate, complaint-based inquiry ongoing that considers the legal basis that WhatsApp relies upon for processing. That inquiry is also at an advanced stage.
Back in November the Irish Times reported that WhatsApp Ireland had set aside €77.5 million for “possible administrative fines arising from regulatory compliance matters presently under investigation”. No fines against Facebook have yet been forthcoming, though.
Indeed, the DPC has yet to issue a single final GDPR decision against Facebook (or a Facebook-owned company) — despite more than three years having passed since the regulation started being applied.
Scores of GDPR complaints against Facebook’s data-processing empire — such as this May 2018 complaint against Facebook, Instagram and WhatsApp’s use of so-called “forced consent” — continue to languish without regulatory enforcement in the EU because there have been no decisions from Ireland (and sometimes no investigations either).
The situation is a big black mark against the EU’s flagship data protection regulation. So the Board’s failure to step in more firmly now — to course-correct — does look like a missed opportunity to tackle a problematic GDPR enforcement bottleneck.
That said, any failure to follow the procedural letter of the law could invite a legal challenge that unpicked any progress. So it’s hard to see any quick wins in the glacial game of GDPR enforcement.
In the meantime, the winners of the stalemate are of course the tech giants who get to continue processing people’s data how they choose, with plenty of time to work on reconfiguring their legal, business and system structures to route around any enforcement damage that does eventually come.
Hamburg’s deputy commissioner for data protection, Ulrich Kühn, essentially warns as much in a statement responding to the EDPB’s decision — in which he writes:
The decision of the European Data Protection Board is disappointing. The body, which was created to ensure the uniform application of the GDPR throughout the European Union, is missing the opportunity to clearly stand up for the protection of the rights and freedoms of hundreds of thousands of data subjects in Europe. It continues to leave this solely to the Irish supervisory authority. Despite our repeated requests over more than two years to investigate and, if necessary, sanction the matter of data exchanges between WhatsApp and Facebook, the IDPC has not taken action in this regard. It is a success of our efforts over a few years that IDPC is now being urged to conduct an investigation. Nonetheless, this non-binding measure does not do justice to the importance of the issue. It is hard to imagine a case in which, against the background of the risks for the rights and freedoms of a very large number of data subjects and their de facto powerlessness vis-à-vis monopoly-like providers, the urgent need for concrete action is more obvious. The EDPB is thus depriving itself of a crucial instrument for enforcing the GDPR throughout Europe. This is no good news for data subjects and data protection in Europe as a whole.
In further remarks the Hamburg authority emphasizes that the Board noted “considerable inconsistencies between the information with which WhatsApp users are informed about the extensive use of their data by Facebook on the one hand, and on the other the commitments made by the company to data protection authorities not (yet) to do so”; and also that it “expressed considerable doubts about the legal basis on which Facebook intends to rely when using WhatsApp data for its own or joint processing” — arguing that the Board therefore agrees with the “essential parts” of its arguments against WhatsApp-Facebook data sharing.
Despite carrying that weight of argument, the call for action is once again back in Ireland’s court.