
Tech News: WhatsApp Handed Massive GDPR Fine

Following an investigation into WhatsApp Ireland Ltd, the Irish data regulator (DPC) has issued Facebook’s popular WhatsApp chat app with the second-largest GDPR fine of €225m.

Long Investigation

The eye-watering fine of €225 million follows an investigation that started way back on 10 December 2018.

Big Fine

The DPC had submitted a draft decision to all Concerned Supervisory Authorities (CSAs) under Article 60 GDPR in December 2020. After objections from eight CSAs, the DPC was able to start the dispute resolution process (Article 65 GDPR) on 3 June 2021 and on 28 July 2021, the European Data Protection Board (EDPB) decided to impose the fine on WhatsApp under Article 65(1)(a) GDPR.

...And a Reprimand

In addition to the fine, the DPC has imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.

Transparency

The DPC has said that the investigation, which led to the fine, related to WhatsApp’s GDPR transparency obligations regarding the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. This included information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.

The problem with WhatsApp’s consumer services (not WhatsApp for Business), as ‘explained’ in an 89-page document, appears to be that the descriptions of who the ‘interests’ are, in relation to other business services and partners, are not given in a transparent and intelligible form. In other words, it seems that the EDPB thought that WhatsApp may not have supplied enough information to users about how their data is processed, and that its privacy policies (which have been subject to several updates) may not be clear enough.

WhatsApp Says…

WhatsApp has said that it disagrees with the decision about the transparency it provided to users in 2018 and has described the penalties as “entirely disproportionate”.

Not The Only One

Even though this is a bad break for WhatsApp, it is not the only big tech company to have found itself in trouble with data regulators. For example, in July, Amazon received a staggering $885 million fine over data privacy, and in 2020, Twitter was fined €450,000 after a GDPR infringement.

Data Sharing For EU Users

Back in January, WhatsApp announced that in a change to its privacy policy (from February 8, 2021), users outside of Europe would have to agree to share their personal information with WhatsApp’s owner Facebook or leave the app.

An in-app notice informed WhatsApp users of the terms of service and privacy policy changes, which were an extension of changes announced in July last year and were the result of discussions with the Irish Data Protection Commission and other Data Protection Authorities in Europe.

What Does This Mean For Your Business?

Even though one of the attractions of WhatsApp is its security and privacy, due to its end-to-end encryption, this fine indicates that in 2018 there appears to have been a bit of a grey area in terms of how user data is processed and in the meaning of some of the app’s privacy policies. The problem appears to have been serious enough to warrant (according to the EDPB) the second-biggest GDPR fine ever. The news comes on the back of EU WhatsApp users having to accept their data being shared with Facebook (from February this year). All this may be making WhatsApp users, particularly those who use WhatsApp for business, nervous about their privacy on the app in terms of details about their business and the passing on of their data (for targeted advertising). Also, Facebook has faced significant trust issues with users since the Cambridge Analytica unauthorised data-sharing scandal, so having to share data with Facebook may be off-putting and may make users think about looking around for other secure comms apps. This fine represents some very poor publicity for WhatsApp at a time when it has been trying to compete with the likes of Snapchat and Apple, while nevertheless getting some good headlines too by announcing new features like its ‘View Once’ feature for photos and videos, and its ‘disappearing messages’ feature.

Featured Article: New ICO Head and Data Protection Law Reforms

Highlighting an early target of tackling cookie pop-ups, the UK government is to appoint John Edwards as the new ‘light touch’ ICO who will be expected to reform post-Brexit data protection rules for the UK.

Data Protection Reforms

Since Brexit, the UK government has been seeking to reform data protection regulations in the UK in a way that it says will cut down on what Digital Secretary Oliver Dowden has been quoted describing as the “needless bureaucracy” of the current system of data protection and data transfer between countries. The Government message is that the appointment of a new ICO who could “go beyond the regulator’s traditional role” would be a way to reform regulations and make new data adequacy agreements with other countries that would reduce barriers to data transfer, help data (and more trade) to flow more freely, and improve innovation and economic growth.  The government has been keen to stress that despite (and perhaps to facilitate) these planned changes, the new regulator will have a “light touch”, but data will still be protected.

Cookie Pop-Ups

It appears that cookie pop-ups have been used by the UK government as an example and as part of the justification for wanting to make changes to data protection laws. Digital Secretary Oliver Dowden has argued in recent media reports that the requirement for the kind of cookie pop-ups that are present on most large sites, asking for permission to store a user’s personal information, is a visible example of the kind of needless bureaucracy at work that could be avoided with a change to data regulations.

What Is Data Adequacy?

Data adequacy partnerships are agreements that the data protections in place in two countries are similar, thereby allowing the safe sending of people’s personal data internationally. Having a data adequacy partnership in place was part of the negotiations with the EU for Brexit.

For post-Brexit UK, heralded by the impending appointment of John Edwards as the new ICO, the UK government is now keen to make new, more frictionless data adequacy partnership agreements with the EU and many different countries which the UK wants to trade with.

Criticism

Critics of the UK government’s post-Brexit push to reform data protection regulations with new data adequacy partnerships are worried that this could weaken the UK GDPR and lead to the personal and private data of UK citizens being put at risk of being taken and shared.

Privacy advocates have also been sceptical as to whether it is realistic and possible for the UK government to give UK citizens and consumers more control over how their data is used on the one hand, while also giving businesses (and the government) greater freedoms to use that data through new agreements.

EU and GDPR

It was only in June this year that the UK government managed to achieve a data adequacy agreement with the EU, and any more proposed changes to that agreement now by the UK may be difficult to negotiate.

Who Is John Edwards?

John Edwards, the person named to succeed the current Information Commissioner (data protection regulator) Elizabeth Denham, is currently New Zealand’s Privacy Commissioner and head of its Office of the Privacy Commissioner (OPC), where he has been in the job for more than 7 years. Prior to his work with the OPC, he was a self-employed barrister and solicitor focusing on information and privacy law, and Chair of the Global Privacy Assembly from 2014-17.

In addition to his obvious legal background and experience, he is also known for overseeing New Zealand’s adequacy status with the EU, which is one of the reasons why he is favoured for the UK job.

Hates Facebook?

Mr Edwards is also known for his apparent dislike of Facebook. In April 2019, for example, after Facebook appeared not to accept any responsibility for the Christchurch massacre (mosque shootings), where one shooter described YouTube as “a significant source of information and inspiration”, Mr Edwards was quoted from his Twitter account in the Guardian as saying, “Facebook cannot be trusted” and that the company were “morally bankrupt pathological liars”. He was also quoted as saying of Facebook that they “allow the live streaming of suicides, rapes, and murders, continue to host and publish the mosque attack video, allow advertisers to target ‘Jew haters’ and other hateful market segments, and refuse to accept any responsibility for any content or harm”.

Recently, Mr Edwards has indicated on his Twitter account that he doesn’t hate Facebook.

Why Is This Relevant?

The relevance of a possible Facebook-hater as the ICO is that he would be responsible for imposing fines for breaches of the UK Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR) and would have an influence over the UK government’s Online Safety Bill. This Bill is designed to establish a new regulatory framework to tackle harmful content online and would, therefore, potentially affect Facebook as a major content hosting platform.

Is An Overseas Regulator A Problem?

Some critics have highlighted the fact that the current UK ICO, Elizabeth Denham, who has been criticised for not enforcing data protection laws well enough, has been working from home in Canada throughout most of the pandemic, and the UK now looks set to appoint another ICO from overseas where there is a different data protection regime.

What Does This Mean For Your Business?

If the government’s argument is to be accepted, changing data protection laws to help data transfers between different countries and the UK could unlock more trade and benefits for British businesses. If the argument of some data privacy/security advocates is to be accepted, new data laws could mean that our personal data is more at risk and that the government is proposing a balancing act that may not be realistically achievable. For Facebook and other social media companies, the appointment of John Edwards as the new ICO may give them cause for concern given his previous comments about Facebook, his soon-to-be power to impose penalties, and his possible influence over the development of the UK’s Online Safety Bill.