The 250 million euro GDPR fine against WhatsApp raises interesting points of attention impacting the privacy compliance of any business.
The hottest topic of recent days for privacy experts is certainly the € 225 million GDPR sanction imposed by the Irish Data Protection Commission against WhatsApp. There is less talk about the consequences it could have for the privacy compliance of companies, which, based on my experience, are drifting back towards a pre-GDPR approach in which privacy was often treated merely as a repetitive task with no implications for operations.
We often see multinational groups adopting unclear privacy information notices and internal policies to ensure consistency across the group.
Well, at the urging of the EDPB, the Irish Data Protection Commission took a clear stance on, among other things, the following key points in the decision that led to the WhatsApp GDPR fine:
Be transparent on privacy information notices
Privacy information notices shall be easy to understand, keeping the relevant information in one place without obliging users to click or scroll through many documents to gather information that is sometimes repetitive. The fact that other companies in the industry follow the same approach is not a valid excuse, as members of a particular industry sector cannot determine GDPR compliance standards. When processing non-registered user data, a dedicated privacy information notice shall be provided in a place where non-registered users can easily find it.
📌 This position clearly favours a legal design approach, which is increasingly adopted in privacy-related documents to increase transparency and make information more understandable.
There must be a clear link between each category of personal data, the purpose of the data processing, and the legal basis invoked for that processing operation. Long and unrelated lists of bullet points for each of these items are not sufficient. Besides, individuals need to clearly understand how their personal data are processed, by reference to the purpose of the data processing.
📌 We often review privacy information notices where it is unclear which legal basis applies and when, and where multiple legal bases are mentioned in connection with the same purpose of the data processing. Likewise, especially in relation to legitimate interest, the stated purpose of the data processing is frequently so broad that it does not explain why that legal basis would actually apply.
On the topic, you may find interesting “Privacy information notice – more complicated with the GDPR”.
Clearly list retention periods
A reference to the data processing “until no longer needed to provide our services or until the user’s account is deleted, whichever event occurs first” is somewhat misleading as it gives the impression that if the user deletes their account, the company will no longer process their data. Practical examples of how each criterion impacts the retention period shall be provided to demonstrate accountability for compliance with the retention principle.
📌 It is necessary to list, for each purpose of the data processing, the applicable retention period clearly and transparently. On the topic, you can read “Data retention period, an intrigued rebus under the GDPR”.
Provide details on the actual transfers of personal data to third countries
A generic reference to transfers of personal data to third countries that “may” occur on the basis of either an adequacy decision or other tools, with the possibility for data subjects to access more information on request, is not sufficient. Likewise, it is not sufficient to provide a link to a generic European Commission webpage.
📌 It can be hard to list all the non-EEA countries to which personal data are transferred, but the mechanisms adopted to handle data transfers need to be clearly communicated. Besides, after the Schrems II decision and the more recent adoption of the new set of Standard Contractual Clauses, performing a transfer impact assessment has become pivotal for any business. On the topic, you can read “Do you have a data transfer impact assessment methodology based on the Schrems II decision?”.
I hope the above gives some useful insights on the impact of the WhatsApp GDPR fine.