On 2 September 2021, the European Data Protection Board ("EDPB") published its decision on the dispute on the draft decision of the Irish Data Protection Commission ("DPC") regarding WhatsApp Ireland ("WhatsApp") under Article 65(1)(a) of the General Data Protection Regulation ("GDPR"). WhatsApp was issued a €225 million fine, the largest ever fine from the DPC, and the second-highest under GDPR rules. In this update, we provide an overview of the key findings arising from the EDPB's decision relating to:
- The strict approach to transparency information when legitimate interests are the legal basis for processing;
- What amounts to anonymisation versus pseudonymisation for GDPR purposes; and
- The methodology for the calculation of the administrative fine.
Processing Personal Data on the Basis of Legitimate Interests
The EDPB decision found that WhatsApp had infringed Article 13(1)(d) GDPR, identifying a number of shortcomings in WhatsApp's "legitimate interests" legal basis for processing data. The EDPB found that the legal basis notice provided by WhatsApp had not provided sufficient information with regard to the processing operations, including information about what categories of personal data are being processed under the basis of each legitimate interest. It also found that several passages from the legal basis notice, including those with regard to persons under the age of majority, did not meet the clarity and intelligibility required by Article 13(1)(d) GDPR.
The EDPB's finding in relation to providing full information on each and every "processing operation" will require businesses to review existing privacy notices and incorporate specific information on processing operations for each of the specified purposes and legal basis. Processing operations include collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. This will increase the inherent tension between providing full transparency information and providing it in a clear and concise manner.
Anonymisation vs Pseudonymisation
WhatsApp used a process known as "lossy hashing" to compress and blur certain data, particularly non-user phone numbers stored in a "Non-User List". It had been argued that this process anonymised the data and that it therefore no longer constituted personal data for the purposes of the GDPR. The EDPB found, however, that as WhatsApp had an accessible means of decrypting and thereby restoring this data, the process amounted instead to one of pseudonymisation. This resultant pseudonymised data was still considered personal data for the purposes of processing under the GDPR.
The EDPB found that, given the means and data available to WhatsApp and the reasonable likelihood that they would be used, the capacity to single out data subjects was too high to consider the dataset anonymous.
The net result of this finding is that for data to be fully anonymised, it must be processed in such a way that it can no longer be used to directly or indirectly identify a natural person using "all the means reasonably likely to be used" by either the controller or a third party. Data which has been fully anonymised in this way will not be considered personal data for the purposes of the GDPR, while data which has been pseudonymised, but not fully anonymised, will still constitute personal data.
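The singling-out test described above can be run by a controller as a self-assessment before it treats a hashed dataset as anonymous. The following is an added illustration, not taken from the EDPB decision or from WhatsApp: the truncated SHA-256 "lossy hash", the bit widths and the phone numbers are constructed assumptions, and the candidate list stands in for the data a controller already holds.

```python
import hashlib
from collections import defaultdict

def lossy_hash(phone: str, bits: int) -> int:
    """Assumed toy construction: keep only the top `bits` bits of SHA-256."""
    if not 1 <= bits <= 64:
        raise ValueError("bits must be between 1 and 64")
    digest = hashlib.sha256(phone.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") >> (64 - bits)

def singling_out_report(stored, candidates, bits):
    """Count, for each stored hash, how many candidate numbers map to it.

    `candidates` models the means reasonably likely to be used: numbers the
    controller can already enumerate. A bucket of size 1 means the stored
    record singles out one person, so it is pseudonymised, not anonymous.
    """
    buckets = defaultdict(int)
    for number in candidates:
        buckets[lossy_hash(number, bits)] += 1
    sizes = [buckets.get(h, 0) for h in stored]
    return {
        "records": len(stored),
        "singled_out": sum(1 for s in sizes if s == 1),
        "min_bucket": min(sizes) if sizes else 0,
    }

def build_sample():
    """Constructed data: 2,000 made-up numbers, the first 50 are 'non-users'."""
    candidates = [f"+3538555{i:04d}" for i in range(2000)]
    return candidates[:50], candidates

if __name__ == "__main__":
    non_users, candidates = build_sample()
    for bits in (4, 48):
        stored = [lossy_hash(n, bits) for n in non_users]
        print(f"{bits}-bit hash:", singling_out_report(stored, candidates, bits))
```

With a 48-bit output every stored record maps back to exactly one candidate; with a 4-bit output each record hides among more than a hundred, which is the property an anonymisation claim would need to demonstrate against the means actually available.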
Reassessment of the Administrative Fine
The EDPB instructed that the administrative fine imposed by the DPC be increased while remaining in line with the principles of effectiveness, proportionality and dissuasiveness. Facebook Inc. and WhatsApp were determined to be a single undertaking for the purpose of calculating the fine, and the consolidated global turnover of the group of companies headed by Facebook Inc. was therefore relevant in calculating the fine. The EDPB identified a number of key considerations to be taken into account when assessing the administrative fine, notably:
- The relevant turnover is the global annual turnover of all component companies of the single undertaking;
- The relevant turnover is the one corresponding to the financial year preceding the date of the final decision taken by the lead supervisory authority (in this case the DPC);
- The relevant turnover is pertinent for the determination of the maximum fine amount and also for the calculation of the fine itself, where appropriate, to ensure the fine is effective, proportionate and dissuasive; and
- All the infringements identified are to be taken into account and reflected in the amount of the fine, in accordance with the EDPB's interpretation of Article 83(3) GDPR.
The EDPB's approach and the size of the reassessed fine ultimately imposed by the DPC indicate that the EDPB may want supervisory authorities across Europe to be more heavy-handed with their fining for infringements of the GDPR in the future. It is likely that WhatsApp will appeal this fine in the Irish courts and it may therefore be some time before it is confirmed.