The WhatsApp GDPR Fine 

On 2nd September, the instant messaging service WhatsApp was fined €225 million by the Irish Data Protection Commission (DPC) under GDPR. It is the largest fine issued by the DPC and the second highest in the EU (In July Luxembourg’s National Commission for Data Protection fined Amazon €746 million after finding that the way the e-commerce giant handles people’s personal data, especially around personalised ads, was not GDPR compliant).

The background to the WhatsApp fine is an investigation by the DPC, which started in December 2018. WhatsApp users are required to provide the company with all their contacts’ phone numbers. Some of these will inevitably belong to non-WhatsApp users.
The DPC found that these numbers were also personal data because the subjects were identifiable and consequently WhatsApp was the data controller in relation to such data.

The DPC then evaluated WhatsApp’s compliance with the transparency obligations set out in Articles 14 and 12(1) of GDPR. WhatsApp argued that it took “appropriate measures” to inform non-users of the “very limited ways” in which it processed their personal data.
This was supposedly done by stating in its privacy policy that users provide the company with all their contacts’ phone numbers.

The DPC rejected this argument, pointing to the lack of a discoverable and accessible “public notice” that would provide non-users of WhatsApp services with the information they are entitled to under Article 14. For example, they should be provided with details about the “circumstances in which any non-user personal data is shared with any of the Facebook Companies” (Facebook bought WhatsApp in 2014). It emphasised that the burden of providing such information is outweighed by “the role and utility of the right to be informed”.

The DPC also ruled that WhatsApp had not complied with Article 13 in relation to the privacy information it provided to users. It specifically assessed the extent to which WhatsApp explained its relationship with the Facebook companies and any consequent sharing of data. It criticised the manner in which the information is spread out “across a wide range of texts”, and how a significant amount of it is so high level as to be meaningless. It pointed out how the Facebook FAQ is only linked to WhatsApp’s privacy policy in one place. The information being provided was “unnecessarily confusing and ill-defined”. 

In addition to the fine, the DPC has also imposed a formal reprimand (under GDPR Art. 58(2)(b)) along with an order (under GDPR Art. 58(2)(d)) for WhatsApp to bring its processing into compliance by taking eight specified remedial actions. WhatsApp has 3 months to comply. One of the remedial actions is to remind users of their GDPR rights which will lead to substantially more work for WhatsApp in meeting these requests.

Data Controllers need to assess how well their privacy policies and notices comply with Articles 13 and 14. This case shows that regulators are willing to enforce GDPR transparency obligations on data controllers even where the obligations are difficult to meet because, like WhatsApp, they have millions of non-service user data subjects with whom there is no direct relationship.

WhatsApp has confirmed that it will appeal the decision. 

Most of our courses are now available as both classroom and online options. The GDPR Practitioner Certificate is our most popular certificate course with many courses filling up fast. We have added more dates.

Veni, Veto, Vici : Court of Appeal FOI Veto Case and its Implications

What effect will the Court of Appeal’s recent decision on the FOI – and EIR – ministerial veto have on another recent case – the vetoing of the decision to require disclosure of the High Speed Rail assessment review?

On 6 June 2013 the Information Commissioner (IC) served a Decision Notice under the Environmental Information Regulations 2004 (EIR). Section 50(4) of the Freedom of Information Act 2000 (FOIA) gives the IC the power to do so (those powers being extended to the EIR by Regulation 18). The Decision Notice required the Cabinet Office to disclose a Project Assessment Review (“PAR”) report concerning the high-speed rail link, High Speed Two (HS2). On 30 January 2014 Patrick McLoughlin, Secretary of State for Transport, signed a certificate pursuant to section 53 of FOI and Regulation 18(6) of the EIR. The effect of this certificate was that the Cabinet Office was no longer required to comply with the IC’s Decision Notice:

“the decision taken by the Cabinet Office not to disclose the PAR report in response to the relevant request was fully in accordance with the provisions of the EIR, or the Act, as appropriate”

Of course, this exercise of ministerial veto – described as a “constitutional aberration” by the Lord Chief Justice (Evans, R (on the application of) v HM Attorney General & Anor [2013] EWHC 1960 (Admin)) – is not unprecedented; the power has now been wielded seven times (twice by the Labour government and five times by the coalition). The minister, notably, was minded to disagree with the IC that the request had fallen to be determined under the EIR, rather than FOIA:

“there is considerable force in the Cabinet Office’s position that the information within the PAR report was insufficiently proximate to the environmental impact of the HS2 project itself to amount to “environmental information” for the purposes of the EIR”

However, he went on to say that:

“it is not necessary for me to determine whether the PAR report is environmental information, because I take the view that the Cabinet Office was entitled to withhold it from disclosure, whether or not it consisted of environmental information”

This is perhaps surprising, because at the time he issued that veto certificate there was an argument, being aired in the Court of Appeal, that the power to exercise the veto does not exist under the European law to which the EIR give domestic effect.

Now, the Court of Appeal has handed down judgment (Evans, R (on the application of) v HM Attorney General & Anor [2014] EWCA Civ 254). The case is being recognised, correctly, as primarily about the specific lawfulness of the vetoing of the disclosure of private correspondence on policy matters between the Prince of Wales and government departments. However, as in the Divisional Court beforehand, one point which fell to be determined was about the general status of the veto power in relation to environmental information. On this point the Court of Appeal held that

“the certificate is incompatible with EU law in so far as the information to which it relates is environmental information”

The court’s reasoning was that, although the EIR, by Regulation 18, provide for a ministerial veto, no such power exists in Directive 2003/4/EC of the European Parliament and of the Council of 28 January 2003 on public access to environmental information (“the Directive”), which is implemented in domestic legislation by the EIR. Moreover, Article 6(2) of the Directive says, crucially:

Member States shall ensure that an applicant has access to a review procedure before a court of law or another independent and impartial body established by law, in which the acts or omissions of the public authority concerned can be reviewed and whose decisions may become final

And this requirement to have a “final” review before a court or independent and impartial body could not be satisfied by the availability of judicial review of a ministerial veto. Article 6(2) and (3) should be given their natural and ordinary meaning: the right is to have the acts or omissions of the public authority reviewed, but in judicial review proceedings the question becomes whether the accountable person had reasonable grounds for forming the opinion that the public authority had in fact complied with its EIR obligations and, “that difference is not a mere matter of form”. Moreover, and for broadly similar reasons, the veto power offended Article 47 of The EU Charter of Fundamental Rights which provides:

“Everyone whose rights and freedoms guaranteed by the law of the Union are violated has the right to an effective remedy before a tribunal in compliance with the conditions laid down in this Article”

So what does this mean for the veto on the HS2 “PAR” request? It certainly appears at the moment that, following the Court of Appeal’s ratio in Evans, and to the extent that the HS2 request was for environmental information, the veto may be unlawful, if (as has been suggested) it is challenged. However, there are two caveats to that. Firstly, the Attorney General has been given permission to appeal Evans to the Supreme Court: it seems highly likely that the general EIR point will be appealed, as well as the overarching specific point about the public law validity of the veto (if the former is not appealed, then it would mean in effect that the government accepts that the EIR fail properly to implement the Directive). Secondly, we must look back to the suggestion by the Minister when issuing the certificate in the HS2 veto that he tended to disagree with the IC that the information in question was environmental. Much, despite what he implied about the lack of need to determine this point, may now turn on this: if the information was environmental then Evans, providing the EIR point is not overturned by the Supreme Court, may well lead to the veto being struck down. If, however, the information was not environmental, and FOIA applied, then any appeal of it will presumably be on domestic public law grounds.

At this point it is probably otiose to start speculating on what will happen with requests which are classed as hybrid ones – namely, those which seek information which is a mix of environmental and non-environmental (as, indeed, those in both Evans and the HS2 case arguably are). All these matters are by no means yet resolved.

Jon Baines is Chairman of the National Association of Data Protection Officers (NADPO) and works in local government.

Ibrahim Hasan will be discussing this and other recent FOI decisions in the FOI Update workshops and online webinars.

NEW FOI Podcast – Episode 27

In this episode Ibrahim Hasan discusses FOI developments and decisions during September and December 2011. This includes Commissioner and Tribunal decisions on:

  • Information in private emails
  • Section 11 and providing summaries
  • Vexatious requests
  • Empty properties
  • The Qualified Person’s Opinion
  • And disclosure of statistics

There is also a quick review of recent developments in the world of transparency and FOI. Click here to listen.

We have a few places left on our upcoming ISEB courses in Birmingham.
