De European Data Protection Board (EDPB) nam zijn eerste dringende bindende beslissing op grond van art. 66(2) AVG naar aanleiding van een verzoek van de Hamburgse privacytoezichthouder, nadat hij voorlopige maatregelen had genomen jegens Facebook op basis van art. 66 (1) AVG. De toezichthouder beval een verbod op het verwerken van WhatsApp-gebruikersgegevens door Facebook voor hun eigen doeleinden na een wijziging in de Servicevoorwaarden en het Privacybeleid die van toepassing zijn op Europese gebruikers van WhatsApp. De EDPB heeft geoordeeld dat niet is voldaan aan de voorwaarden om het bestaan van een inbreuk en urgentie aan te tonen. Daarom heeft de EDPB besloten dat in dit geval geen definitieve maatregelen door de Ierse toezichthouder tegen Facebook hoeven te worden genomen.
The EDPB adopted its first urgent binding decision pursuant to Art. 66(2) GDPR following a request from the Hamburg supervisory authority (DE-HH SA), after the SA had adopted provisional measures towards Facebook Ireland Ltd (Facebook IE) on the basis of Art. 66 (1) GDPR. The DE-HH SA ordered a ban on processing WhatsApp user data by Facebook IE for their own purposes following a change in the Terms of Service and Privacy Policy applicable to European users of WhatsApp Ireland Ltd.
The EDPB decided that the conditions to demonstrate the existence of an infringement and an urgency are not met. Therefore, the EDPB decided that no final measures need to be adopted by the IE SA against Facebook IE in this case.
Based on the evidence provided, the EDPB concluded that there is a high likelihood that Facebook IE already processes WhatsApp IE user data as a (joint) controller for the common purpose of safety, security and integrity of WhatsApp IE and the other Facebook Companies, and for the common purpose of improvement of the products of the Facebook Companies. However, in the face of the various contradictions, ambiguities and uncertainties noted in WhatsApp’s user-facing information, some written commitments adopted by Facebook IE and WhatsApp IE’s written submissions, the EDPB concluded that it is not in a position to determine with certainty which processing operations are actually being carried out and in which capacity.
In addition, there was not enough information to establish with certainty whether Facebook IE already started to process WhatsApp IE user data as a (joint) controller for its own purposes of marketing communications and direct marketing, and cooperation with the other Facebook Companies. Nor could it be established whether Facebook IE already started or will soon start processing WhatsApp IE user data as a (joint) controller for its own purpose in relation to WhatsApp Business API.
On the existence of urgency, the EDPB considered that Art. 61(8) GDPR was not applicable as the DE-HH SA did not demonstrate that the IE SA failed to provide information in the context of a formal request for mutual assistance under Article 61 GDPR. Moreover, the EDPB decided that the adoption of the Updated Terms, which contain similar problematic elements as the previous version, cannot, on its own, justify the urgency for the EDPB to order the LSA to adopt final measures under Article 66(2) GDPR. The EDPB therefore considered that there is no urgency for the LSA to adopt final measures in this case.
Considering the high likelihood of infringements in particular for the purpose of safety, security and integrity of WhatsApp IE and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies, the EDPB considered that this matter requires swift further investigations. In particular to verify if, in practice, Facebook Companies are carrying out processing operations which imply the combination or comparison of WhatsApp IE’s user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated inter alia by the use of unique identifiers. For this reason, the EDPB requests the IE SA to carry out, as a matter of priority, a statutory investigation to determine whether such processing activities are taking place or not, and if it is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR.
In addition, taking into consideration the lack of information as regards how data are processed for marketing purposes, cooperation with the other Facebook Companies and in relation to WhatsApp Business API, the EDPB calls upon the IE SA to further investigate the role of Facebook IE, i.e. whether Facebook IE acts a processor or as a (joint controller), with respect to these processing operations.
This urgent binding decision was addressed to the IE SA, the DE-HH SA and the other concerned SAs, and Facebook IE and WhatsApp IE have been informed about this urgent binding decision.
The urgent binding decision will be made public on the EDPB website after the assessment on whether some parts of the decision need to be redacted in order to avoid disclosure of information covered by professional secrecy.
This current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties.
