WhatsApp was recently fined €225 million by the Irish Data Protection Commissioner (“DPC”) for a number of failings related to its compliance with the GDPR’s transparency obligations (primarily set out in Art. 13 and 14 GDPR).
The fine is the second highest handed out under the GDPR to date and many of the practices for which WhatsApp was fined are relatively standard. The decision should, therefore, come as a warning shot for organisations who are bound by the GDPR regime, especially those in the online consumer technology space, to make sure that they are providing individuals with all the required information when drafting and updating privacy notices.
The DPC’s decision is extremely long-winded (266 pages), so we have summarised below the key “dos” and “don’ts” for privacy notices in light of the decision:
When providing information on the purposes for which you process personal data and the lawful bases upon which such processing is based (as required by Art. 13(1)(c) GDPR):
Do
Provide information to individuals around how their personal data are actually used to achieve the relevant purpose. For example, if personal data are processed “to promote safety and security”, you should explain how the data are used to achieve those purposes, rather than simply stating the overall objective.
Provide information regarding the categories of personal data which are processed for each purpose. Up until now, it has been relatively common for controllers to simply set out the purposes for which they process personal data and the corresponding lawful basis, without clarifying which types of personal data are required for each purpose.
If more than one lawful basis applies in respect of a specific purpose for which you process personal data, clearly specify the circumstances when each basis will apply (for example, if you rely on both consent and also legitimate interests to send marketing communications, you should explain when each of these will apply).
Where processing is carried out on the basis of Art. 6(1)(c) GDPR (i.e. to comply with a legal obligation), you should provide information as to the types of law which require such processing to take place.
Don’t
Use vague wording to explain your purpose for processing the data (e.g. will readers know what you mean if you say that you use their data for the purpose of “improving their experience”?).
When providing information regarding your reliance on legitimate interests (as required by Art. 13(1)(d) GDPR):
Do
Be as specific as possible in setting out the relevant interest that makes the processing necessary.
If the processing is being carried out based on the legitimate interests of a third party, you should specify the relevant third party who will benefit from the processing.
Don’t
Bundle together numerous interests to justify processing being carried out for one purpose.
Simply say you rely on legitimate interests to carry out a certain type of processing without mentioning what your interests are (this is more common than you think!).
When providing information on the third parties with which you share personal data (as required by Art. 13(1)(e) GDPR):
Do
If you identify the “categories of recipients” (rather than the specific third parties with whom personal information is shared), be as specific as possible when setting out such categories. For example, if your privacy policy says that you share customers’ personal information with service providers, you should provide information on the different types of service providers you share data with (e.g. IT service providers, data hosting service providers, marketing agencies etc.).
Identify the categories of data which are transferred to the specific third parties referred to in the notice. (NB. To date, it is uncommon for controllers to provide this level of information in connection with data sharing.)
If you share personal data with other group members, clearly identify the specific entities with which the data is shared.
When providing information on international transfers (as required by Art. 13(1)(f) GDPR):
Do
If relying on an adequacy decision(s) to transfer personal data internationally, identify the specific adequacy decision(s) relied upon.
Identify the categories of data that are being transferred internationally. (NB. Again, providing this level of information has been uncommon in practice.)
Don’t
Use conditional language such as “may” when referring to reliance on a transfer mechanism (e.g. “we may transfer personal data internationally on the basis of an adequacy decision”).
When providing information on the right to withdraw consent (as required by Art. 13(2)(c) GDPR):
Do
Inform individuals that this does not affect the lawfulness of processing based on consent before its withdrawal (the DPC considers this necessary to “manage the data subject’s expectations” and ensure they are fully informed on the right).
Include the relevant information in the section of the privacy notice which discusses data subject rights, as this is the area individuals are most likely to consult for information around this.
If you have collected personal data indirectly but are exempt from providing relevant individuals with a privacy notice on the basis that this would involve “disproportionate effort”:
Do
Make sure that you still provide all the information required under Art. 14(1) and (2) in a privacy notice which you make publicly available – you can’t rely on this exemption if not!
Clearly identify in the privacy notice the parts of the document which are intended to apply in respect of individuals who have not been provided the privacy notice directly.
Don’t
Assume that posting your privacy notice on your website will be sufficient to satisfy the requirement that the privacy notice be made “publicly available”. In the WhatsApp decision, the DPC noted that:
“WhatsApp should give careful consideration to the location and placement of such a public notice so as to ensure that it is discovered and accessed by as wide an audience of non-users as possible. [A]…non-user is unlikely to have a reason to visit WhatsApp’s website of his/her own volition such that he/she might discover the information which he/she is entitled to receive”.
Other practical tips
Much of the DPC’s decision focused on the way in which WhatsApp presented information in its privacy notice, with WhatsApp being found to have violated Art. 12(1) GDPR (which requires controllers to provide information in a concise, transparent, intelligible and easily accessible form, using clear and plain language) in numerous instances.
In this regard, the following practical tips can be drawn from the decision:
Avoid excessive linking to external documents in your privacy notice, particularly where these duplicate or (even worse) contradict information set out in your privacy notice or elsewhere. Readers should not have to “work hard” to get to grips with the notice.
Consider where in your privacy notice you are setting out information, to ensure that it is presented in a cohesive way and in the place that readers would expect. For example, the DPC considered that it would be logical to include information on the right to withdraw consent and the right to complain to a data protection regulator in the “data subject rights” section of WhatsApp’s privacy notice, as this is where most readers would come to find this information.
Avoid using vague and opaque language.
Conclusion
The DPC expects the information to be provided in privacy notices to be extremely granular, even more so than most organisations (and even data protection practitioners) would have expected to date, whilst still presenting the information in a concise and accessible manner.
This will no doubt prove challenging for larger organisations carrying out complex processing operations, who will have to remain fully on top of their processing activities and data flows to stand a chance of providing the information expected by the DPC. The cost of compliance could be significant.
The decision is by an EU data protection regulator and relates to EU GDPR. It is not clear whether the UK ICO, which tends to be more pragmatic on data protection compliance, would take such a hard-line stance on the issues investigated by the DPC. However, it is clear that UK organisations that have a presence in the EU or are otherwise caught by the extra-territorial scope of the EU GDPR will need to update their privacy notices in line with the DPC’s decision.
Contact us
If you have any questions about these issues in relation to your own organisation, please contact a member of the team or speak with your usual Fox Williams contact.