New year, new fine
Earlier this year, WhatsApp was hit with another (albeit much smaller) fine, this time in relation to the legal basis it uses for some of its processing activities.
Prior to the entry into force of GDPR, WhatsApp updated its terms and conditions, prompting users to accept the terms in order to continue using the messaging service. WhatsApp argued that as it had entered into a contract with users, the processing of users’ information (for service improvement and security) was necessary for the performance of that contract.
A data subject complained about this practice, claiming that WhatsApp was, in reality, relying on consent for the processing and that the use of the service was conditional on the provision of such consent, in violation of GDPR.
The Irish Data Protection Commission (Irish DPC) issued its final decision in January 2023, wherein it concluded that:
- WhatsApp failed to clearly outline the legal basis for the processing (no additional fine was levied for this as it was deemed to be covered by the previous fine of €225m (£197m))
- WhatsApp did not rely on consent and was not obliged to do so.
The Irish DPC was of the view that contractual necessity could be used as the legal basis but could not reach agreement on this with its peer regulators. The matter was referred to the EDPB, who did not accept that contractual necessity was an appropriate basis for processing (excluding in relation to IT security) and added a fine of €5.5m (£4.8m) in this regard and a requirement to bring its processing operations into compliance with the GDPR within 6 months.
Changes for UK customers
WhatsApp users in the UK have been receiving service updates informing them that their service provider is changing. The existing service provider is Meta Platforms Ireland Ltd., and the new service provider will be Meta Platforms Inc., domiciled in the US. Meta has advised that it is making this change because “the UK has left the EU”. The US entity will now be providing Meta products such as WhatsApp, Instagram and Facebook to UK consumers.
Meta has advised that this change will not affect the way the company handles UK individuals’ personal data, but given the rough ride they have been experiencing within the EU perhaps they are hoping that the UK will, now that it has left the EU, take a more flexible approach to matters such as transfers to the US and will have the freedom to depart in some ways from some of the more restrictive interpretations of the legislation.