Under the EU’s GDPR, WhatsApp was fined for processing data without a legal basis

Meta has received another fine for its continued failure to adhere to the General Data Protection Regulation (GDPR) of the European Union, but this one is rather minor. WhatsApp, a messaging network owned by Meta, was fined €5.5 million (just under $6M) by the region’s principal data protection regulator for failing to have a valid basis for certain types of personal data processing.

In December, the European Data Protection Board (EDPB) issued a binding ruling ordering Meta’s primary regulator, the Irish Data Protection Commission (DPC), to provide a final decision on this complaint (which originated in May 2018) and two other complaints, against Facebook and Instagram.

The DPC released its final decisions earlier this month, including a total of €310M in penalties and a deadline of three months for Meta to establish a legitimate legal foundation for that ad processing.

Ireland’s WhatsApp decision appears to have sidestepped the ads processing legality issue altogether, as its enquiry has focused on the legal basis Meta claimed for “service improvements” and “security,” whereas the latter pair of GDPR decisions addressed Meta’s lack of a valid legal basis for processing user data to run behavioural advertising (its core business model).

In this case, as in the others, Meta tried to rely on a contractual necessity claim, but Ireland ruled (by EDPB order) that it couldn’t.

WhatsApp has been given six months to fix its data processing issues as outlined by the DPC. That is, it will need to figure out how to legally process the data (for example, by asking users for their consent before using their information for such reasons).

However, despite a parallel EDPB mandate instructing the DPC to investigate whether WhatsApp processes user (meta)data for ads, the regulator has simply declined to act on this matter. The initial complainant has voiced their outrage about this, saying that it is proof of another cover-up by the Irish regulatory body.

The privacy rights nonprofit noyb, which filed the initial strategic complaints, wasted no time in a news release criticising Ireland for “basically giving the finger to the EDPB.”

“After a 4.5-year process, we are astounded by the DPC’s continued refusal to address the case’s key issues. It is also obvious that the DPC does not care about the EDPB’s final ruling.” Honorary chairman Max Schrems made a typically succinct and pointed remark, saying, “It seems the DPC finally cuts loose all ties with EU partner authorities and with the obligations of EU and Irish law.”

Even though WhatsApp messages are end-to-end encrypted (so long as you trust Meta’s implementation of the Signal protocol), the social media giant can still learn a lot about its users by monitoring their WhatsApp metadata (such as who is contacting whom and how often), and by connecting the dots between users and their accounts and public (or otherwise non-E2EE) digital activity across other services it owns. Meta casts its net far and wide in its pursuit of information.

This raises concerns about how, and on what legal grounds, it may be processing the data of WhatsApp users for marketing reasons.

Users of WhatsApp may recall the big debate that began in 2021, when the platform released an update to its Terms of Service that users were required to approve in order to continue using the service. What exactly had been updated was unclear. Whatever was going on, though, Meta wasn’t letting WhatsApp users make their own decisions. The issue has received some regulatory attention, leading to what appeared to be a climbdown on Meta’s part, with the company no longer using aggressive pop-ups to force EU users to agree to its terms of service (or leave). Even so, the whole episode has led to widespread confusion as to what exactly it was doing with WhatsApp user data (and how it was doing it, legally speaking).

Some people who were affected by the incident complained to consumer groups. Consequently, the European Commission gave the corporation a month last summer to clarify its terms and conditions and “clearly inform” customers about its business strategy.

A far earlier about-face on syncing user data with Facebook didn’t do much to clear up the misunderstanding and mistrust surrounding WhatsApp’s T&Cs, as the platform had previously pledged never to cross those streams. In a nutshell, it’s a mess that European authorities can’t take credit for fixing.

Nonetheless, the DPC seems stunningly uninterested in conducting a serious investigation into how WhatsApp may be processing user data for advertisements, despite the continued confusion and privacy concerns.

Noyb claims the regulator has largely ignored a key part of its complaint, stating, “The DPC has now reduced the 4.5 year procedure to the small problems of the legal basis for utilising data for security purposes and for service enhancement.” This means that “the DPC completely overlooks the main difficulties” of sharing WhatsApp data with Meta’s other firms (Facebook and Instagram) for advertising and other uses.

The phrase “behavioural advertising” does not appear in the news release detailing the DPC’s ruling until the very end. There, for the first time, it mentions the EDPB’s directive to re-examine “WhatsApp IE’s [Ireland’s] processing operations in its service to determine if it processes special categories of personal data (Article 9 GDPR), processes data for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvement,” among other things.

Ireland could therefore have taken the initiative on behalf of WhatsApp users by examining data flows to better understand the implications of Meta’s control over the E2EE messaging platform for end-user privacy. (Remember that Meta’s behavioural ad targeting empire is now operating without a lawful basis for ads processing on Facebook and Instagram within the EU.)

The Irish regulator could have moved forward with an investigation into WhatsApp’s data handling, but instead it has instructed its attorneys to challenge the EDPB’s binding decision and attempt to have it annulled in court.