Meta has been handed another bill for failing to comply with the European Union’s General Data Protection Regulation (GDPR). Meta-owned messaging platform WhatsApp has been fined €5.5 million (just under $6 million) by the region’s main data protection regulator for not having a legal basis for processing certain types of personal data.
Last December, Meta’s lead regulator, the Irish Data Protection Board (DPC), was ordered, via a binding decision from the European Data Protection Board (EDPB), to make a final decision on the complaint (which dates back to May 2018), along with two other complaints against Facebook and Instagram.
These two final decisions were issued by the DPC earlier this month, announcing fines totaling €310 million. It gave Meta three months to find a valid legal basis for its ad processing. But while those GDPR decisions addressed Meta’s lack of a valid legal basis for processing user data to run behavioral advertising (a.k.a. its core business model), with the WhatsApp decision Ireland appears to have sidestepped the issue of ad processing legality entirely. That investigation focuses on the legal basis Meta claims for “improved service” and “security.”
Here, too, Meta sought to rely on a claim of contractual necessity, but Ireland found (by order of the EDPB) that it is unable to do so.
The DPC has given WhatsApp six months to amend its methods for these data processing purposes. This means finding ways to process data lawfully (perhaps by asking users if they consent to such purposes and not processing the data if they do not).
But the regulator simply refused to comply with a parallel EDPB order directing the DPC to investigate whether WhatsApp is processing user (meta)data for advertising, which has led to renewed cries of yet another fabrication by the much-criticized Irish regulator.
In a press release, noyb, the nonprofit privacy rights group behind the first strategic complaint, pulls no punches, claiming Ireland is essentially giving the EDPB the finger at this point.
“We are appalled that the DPC has simply ignored the crux of the case after 4.5 years of proceedings. It appears to have severed all ties between the EU partner authorities and the requirements of EU and Irish law,” DPC Honorary President Max Schrems said in a typically brief and punchy statement.
WhatsApp messaging content is end-to-end encrypted, which means that, assuming you trust Meta’s implementation of the Signal protocol, this information should be protected from prying eyes. WhatsApp metadata (a.k.a. who is talking to whom, how often, etc.) can also connect the dots, linking users to other services Meta owns (and potentially to third-party services) by joining up accounts and public (or non-E2EE) digital activity. So, basically, Meta’s data collection net is a long (and wide) one.
This means there are certainly questions to ask about how Meta may be processing WhatsApp users’ data for marketing purposes, and about the legal basis it relies on for such processing.
WhatsApp users may remember the big controversy that started in 2021, when the platform announced an update to its T&Cs and said users would have to agree to it to continue using the service. It wasn’t clear exactly what had changed in the updated terms. Regulatory interest in this issue led to what appears to be a bit of a retreat by Meta. Meta stopped sending offensive pop-ups asking EU users to consent (or leave), but the entire episode caused widespread confusion as to what exactly it was doing with WhatsApp user data (and how it was doing it, legally speaking).
The episode also sparked consumer protection complaints. This led to the European Commission last summer giving the company one month to fix confusing T&Cs and “clearly inform” consumers about its business model.
The confusion and mistrust about WhatsApp’s T&Cs were not helped by a previous U-turn on syncing user data with Facebook. In short, it’s a mess, a mess that European regulators can’t claim to have cleaned up.
But despite the ongoing confusion and privacy concerns, the DPC appears surprisingly uninterested in properly examining how WhatsApp handles user data for advertising.
“The DPC is currently limiting its four-and-a-half-year procedure to a minor issue of legal basis for using data for security purposes and service improvement,” noyb wrote, accusing the regulator of essentially ignoring key elements of its complaint. “The DPC therefore ignores the major issue of sharing WhatsApp data with Meta’s other companies (Facebook and Instagram) for promotional and other purposes.”
The DPC’s press release announcing its final decision almost completely avoids mentioning behavioral advertising, doing so only because it quotes the EDPB instructions: “WhatsApp IE’s [Ireland’s] For processing operations on its services, behavioral advertising, marketing purposes and for providing and exchanging metrics with third parties to determine whether to process special categories of personal data (Article 9 GDPR) We share data with our affiliates for the purpose of improving our services and determining whether we comply with our relevant obligations under the GDPR.”
So there was an opportunity for Ireland to grasp the nettle on behalf of WhatsApp users and track the data flows to paint a clear picture of what Meta’s ownership of the E2EE messaging platform really means for user privacy. (And remember, Meta’s behavioral advertising targeting empire currently has no legal basis for processing ads on Facebook and Instagram in the EU.)
But instead of continuing to investigate WhatsApp’s data processing, the Irish regulator has opted to ask its lawyers to challenge the EDPB’s binding decision and invalidate it in court.
Update: Meta has now responded to the DPC’s decision, sending us this statement, attributed to a WhatsApp spokesperson, confirming its intention to appeal.
WhatsApp has led the private messaging industry by providing end-to-end encryption and a privacy layer that protects people. We believe that the way we operate our services is both technically and legally compliant. We believe that keeping people safe and providing innovative products are fundamental responsibilities in running our services, so we do not meet contractual necessity for service improvement and security purposes. depends. We disagree with this decision and intend to appeal.