'Patent ambiguity': WhatsApp's record €225 million fine underlines grave transparency issues

IT MIGHT HAVE taken a while but the €225 million fine handed down to WhatsApp Ireland this week is the second-largest penalty ever doled out for breaches of the European Union’s General Data Protection Regulation (GDPR).

Sure, that’s a drop in the ocean for an entity in the Facebook “family of companies”, as its parent company refers to the overall group.

And yes, the Irish Data Protection Commission (DPC) initially suggested a €50 million fine before being forced to up the ante by the European Data Protection Board (EDPB).

WhatsApp has disputed the findings of the DPC, the EDPB and the size of the fine, which it may yet manage to reduce on appeal.

But Data Protection Commissioner Helen Dixon’s final 250-plus page decision, dated 20 August but published this week, could be significant for the application of GDPR across the bloc and its interaction with powerful ‘Big Tech’ companies across the European Union.

As US-based privacy expert Omer Tene told The Journal, the fine and its global context underline the “urgency for businesses to devise privacy strategies, compliance programs and risk mitigation”.

While the disagreement between the Irish DPC and the EDPB over the calculation of the fine took centre stage following the publication of the decision this week, the overwhelming majority of Dixon’s findings were uncontested by other European supervisory authorities on the board.

The findings also seem to reveal plenty about WhatsApp Ireland’s approach to its transparency obligations under GDPR thus far — and leave no doubt about the gravity of the breaches involved.

‘Unnecessarily ambiguous’

Underlying most of Dixon’s findings are the rights guaranteed under Article 13 of the GDPR.

It’s simple, very basic stuff — data controllers (in this case WhatsApp Ireland) are required to provide data subjects (WhatsApp users) with clear information about how their data is being stored and used, what categories of data are being processed and for what purpose.

On these fronts, the Irish DPC found WhatsApp Ireland to be lacking, severely so in some cases.

The investigation itself didn’t look at exactly how or why WhatsApp Ireland shares user data with other Facebook companies. It was solely focused on how much clear information the messaging app provides to users and non-users about its data procedures.

On that front, some of the information provided by WhatsApp is described as “unnecessarily ambiguous” and “ill-defined” in the report.

Users are often required to negotiate multiple links to get to the material they’re looking for on the WhatsApp website.

“At the end of this exercise”, the report continues, “the use of qualifying language leaves the reader questioning what, exactly, is meant by the ‘Facebook Companies.’”

Separately, due to the plethora of linked materials, an “abundance of text” and the fact that “certain key information has been set out in an entirely separate notice with only a single link”, the inquiry found engaging with WhatsApp’s Privacy Policy during the investigation to be a “needlessly frustrating exercise”.

It “required the extensive and repeated search of the Privacy Policy and related material to try and piece together the full extent of the information that had been provided”.

Contact feature

Perhaps the investigation’s most serious findings related to WhatsApp’s obligation to inform users about the purpose of and legal basis for data processing.

The DPC found that the company often used multiple bases to “ground” certain processing operations.

WhatsApp, for its part, said it was being transparent by indicating that it potentially relies on different legal bases for processing user data “in different circumstances”.

But Dixon wrote in her decision that it was “surprising” that WhatsApp considers “patent ambiguity to represent transparency”, given the clarity of the EU’s Transparency Guidelines.

Not only was WhatsApp found to be in breach of its obligations to users, but non-users were similarly if not more severely affected, the DPC found.

That’s because when a WhatsApp user turns on the app’s ‘Contact Feature’ — allowing them to add their friends’ mobile numbers to their contact list on the app — it enabled Whatsapp to access those details, even the numbers of non-users.

By way of rebuttal, WhatsApp told the DPC that it doesn’t process the phone numbers of non-users as a data controller but rather as a data processor on behalf of users.

When it does, those numbers are stored briefly before deletion and no other information that could lead to the identification of the non-user was obtained.

But the DPC found that no information whatsoever was provided to non-users about this process by WhatsApp, nor were they told the purpose of it.

One of the consequences of this lack of transparency is that a non-user who is considering signing up to WhatsApp has no knowledge that their contact details will, once they have signed up, automatically appear in the contact lists of other users.

So non-users who subsequently become WhatsApp users are being “singled out”, the DPC found.

WhatsApp was ordered to rectify this by providing the relevant information to non-users in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Primary focus

It’s perhaps not surprising that the disagreement between Dixon’s office and the EDPB over the calculation of the fine was a primary focus in the hours after the decision was published this week.

Helen Dixon and her office have, after all, been placed under intense scrutiny over their workload and importance as the lead European oversight authority for the many multinational companies headquartered in Ireland.

Regardless, the WhatsApp decision itself should make clear to businesses like Facebook what, exactly, their transparency obligations are under GDPR.

“Together with the €746 million GDPR fine against Amazon in Luxembourg, the Irish data protection regulator fine in the WhatsApp case creates a perfect storm for global businesses as they struggle to make sense of an increasingly complex and fractured legal landscape,” Omer Tene told The Journal.

“Three years after GDPR comes into force, the steady drumbeat of multi-million euro fines heralds a new age for data protection enforcement – and compliance.”