by Maricar Tuazon
In the same year as the GDPR’s enforcement, an investigation into WhatsApp’s privacy practices was conducted by the Irish Data Protection Commission (DPC). This led to the Irish DPC finding WhatsApp in breach of its obligations under Articles 12 to 14 of the GDPR - namely its obligations to inform data subjects within and outside Ireland about how it processes their data.
The Irish DPC accordingly sought opinions from other DPAs on this case. After a lengthy review, some EU Member States (EU MS) did not share the Irish DPC’s reasoning on the severity of the breach or on how multiple provisions had been violated. These EU MS therefore raised objections to the proposed outcome and fine, which ultimately led the Irish DPC to refer the case to the EDPB for clarification.
Fast forward to the year 2020: the EDPB published a binding decision imposing a €225 million fine on WhatsApp. This decision made headlines, as it is four times the amount that the Irish DPC had originally proposed.
Sending a signal - what informed the EDPB decision and level of fine?
We asked the same questions you probably did when we heard the news, and diving into the reasoning behind this decision took a lot of time and effort - probably worth a separate article in itself.
To spare you all that work, here is the summary: what we know from the EDPB’s decision is that it favours the EU MS objections to the initial amount of the fine and to the deadline for compliance proposed by the Irish DPC.
The EDPB explained that such objections are (especially in terms of the amount of the fine) considered “relevant and reasonable”, as the matter involved several infringements relating to the principle of transparency (Art 5(1)(a) and Arts 12 to 14 of the GDPR). Beyond that, it judged WhatsApp’s effort to ensure privacy compliance to be the “bare minimum”, hence the amount of the fine should send a signal to companies about the consequences when below-par privacy practices negatively impact the high standard of data protection for which the GDPR stands.
Transparency is King
Ultimately, the EDPB highlights the Transparency Guidelines, which state that transparency is an overarching obligation that contains, although not exclusively, three essential elements (see also the EDPB final decision):
Connectivity: how the provision of information to data subjects aligns with the actual processing of their data.
Quality/Comprehensibility: how data controllers communicate with data subjects in relation to their rights under the GDPR.
Accessibility: how data controllers facilitate access and enable data subjects to exercise their rights.
WhatsApp had numerous legitimate interests recorded for its data processing activities; however, the EDPB found them to be contrary to Article 13(1)(d) GDPR.
The decision states: “this provision does not only require for the information on data processing to be of good quality and formulated in a simple manner - as it should also be understood as such information to maintain clear connection to the processed data”.
Conclusion: take action today.
This judgement means that WhatsApp’s violation not only highlights its failure to comply with its obligations under the said provisions and one of the GDPR’s core principles, but also that its practices undermined the reinforcement of other principles such as fairness and accountability, as well as other provisions derived from the GDPR transparency principle.
With that in mind, the amount of the fine imposed on WhatsApp is, in my opinion, at a level that is incomparable to the negative impact that such an infringement could or will create. So, unless your company can comparatively afford that level of fine,
I would say that today (yes, today, not tomorrow or the day after) is the time to take a second look at your privacy notices, make sure they are up to date, accurately reflect what you do with personal data, and are understandable by an ordinary data subject.
How to avoid such violations
Having correct policies is one thing, but how well have you embedded them into how you operate? This ruling was not only about the legal basis of data processing, but also about the quality of communication to the data subject, transparency and accessibility for the data subject, and matching policy statements with how the data was actually being used operationally.
If you don’t have a way to translate your privacy policies into business as usual (BAU) processes or to show demonstrable accountability, you are running risks in light of this ruling. Having a way to show and measure how your policies match your operations, that processing purposes are maintained, that the right staff are aware of privacy obligations, and that you can consistently meet your obligations to data subjects will all help you mature your privacy practice. More importantly, in a case like this you can prove your intentions and progression around transparency, fairness and accountability.
We already help our customers with these challenges, and the great news is you don’t need to be a privacy expert. Our Privacy Navigator tool guides you, helps you identify where your operational problems are, helps you set an action plan, and gives you transparency and accountability. We are here to help; let us show you how and book a demo here.