WhatsApp Is Fined €5.5 Million  

WhatsApp Ireland has been fined €5.5 million for breaking EU data privacy laws by misusing its fine print, and has been ordered to change its data processing methods within 6 months.

The order came after a complaint was made in May 2018 by a German user.

WhatsApp had updated its Terms of Service and told its users to “agree and accept” the new terms (following the enforcement of the General Data Protection Regulation). However, the updated Terms of Service (the contract) were not made available to users who declined to agree to them. WhatsApp said that the processing of users’ data was necessary for the performance of the contract between WhatsApp and its users to make service improvements and add security features. 

The German user argued that WhatsApp was using personal data without any valid legal basis.

Namely, the user said WhatsApp was relying on ‘forced consent’, which is a breach of Article 6(1) of the General Data Protection Regulation (GDPR), and dismissed the claims that “service improvements” and “security features” were legitimate reasons for this.

The German user claimed that making people agree to allow personal data to be used in an unnecessary way, without giving them a choice to opt out, is not lawful.

The issue of forced consent was not clear-cut in this case, and since the DPC and Concerned Supervisory Authorities could not agree on whether WhatsApp’s Terms of Service were a valid lawful basis for processing personal data, the matter was referred to the European Data Protection Board (EDPB).

The EDPB referred to the GDPR guidelines, which state that to rely on the contract as the legal basis for using personal data, the processing must be “objectively necessary” for meeting commitments in the Terms of Service (the contract). WhatsApp may only use personal data for the basic functionality of the app.

If WhatsApp was collecting the data for business purposes, then just relying on the Terms of Service is not enough to meet GDPR requirements and another legal basis is needed from the six options listed in Article 6 of the GDPR. 

Key Takeaways

WhatsApp was the third most-downloaded app worldwide in 2022. This ruling sends a clear message to the wider technology industry, specifically companies that offer online services and businesses within the advertising industry that rely on data collected by apps for targeted advertising. But it is not just the titans that receive fines. The total number of EU GDPR fines to date is 1,295, with some as small as €28.

Most companies tend to collect or use more personal data than is necessary for the performance of their contract commitments. Often this is information like gender, age, opinions, preferences, or anything to profile users for more targeted advertising. This cannot be considered ‘necessary’ under the GDPR if you are able to fulfill your contractual commitments without doing so. 

“If your business processes personal data, check your terms of service for instances where an individual must accept their data being collected. Where you do not need to use that data to provide your ‘core’ services, consider whether your terms are lawful under Article 6. 

For example, if you needed your customers’ addresses to post them an online order, you cannot also use those addresses to send them marketing from third-party affiliates just because it is written deep within your terms and conditions when they place their online order. You cannot say that sending the addresses to third parties is ‘necessary’ for delivering the order. Having it written in the fine print alone might be considered invalid and ‘forced consent’, especially if the person feels they have no choice but to opt in.”

— Charlotte Gerrish of Gerrish Legal

How Can Gerrish Legal Help?

Gerrish Legal is a dynamic digital law firm. We pride ourselves on giving high-quality and expert legal advice to our valued clients. We specialise in many aspects of digital law such as GDPR, data privacy, digital and technology law, commercial law, and intellectual property. We give companies the support they need to successfully and confidently run their businesses whilst complying with legal regulations without the burdens of keeping up with ever-changing digital requirements. 

We are here to help you. Get in contact with us today for more information.
