In an order with immediate enforcement, Johannes Caspar, the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), has prohibited Facebook Ireland Ltd. from further processing WhatsApp user data in Germany, if this is done for their own purposes. As part of the emergency procedure under Art. 66 GDPR already discussed on this blog, this measure will remain valid for three months in the respective territory. In light of this short time frame, the Commissioner’s aim is to refer this issue to the European Data Protection Board (EDPB) in order to find a solution on a European level.
In the last months, WhatsApp had requested their users to agree to the new terms and conditions of use and privacy by May 15, 2021. With the new privacy terms and conditions, WhatsApp would receive wide-ranging data processing powers. This applies, among other things, to the evaluation of location information, the transfer of personal data to third-party companies including Facebook and cross-company verification of the account. Furthermore, the companies’ legitimate interest for data processing and transfer is brought forth in a blanket manner – even with regard to underage users.
After Facebook had announced the new terms and conditions at the beginning of this year, a discussion arouse. As a result, the company decided to postpone the introduction to May. With many million Whatsapp users in Germany alone, Johannes Caspar now stressed the importance of having functioning institutions in place, in order to prevent the misuse of data power. At this point, Caspar could not exclude, that the data-sharing provisions between WhatsApp and Facebook would be enforced illegally, due to the lack of voluntary and informed consent. In order to prevent a potentially unlawful exchange of data and to put an end to any impermissible pressure on users for giving their consent, the formal administrative procedure was initiated.
Based on Art. 66 GDPR (“exceptional circumstances”), the emergency procedure is aimed at the European headquarters in Ireland. The American company is given the opportunity to state its position, whereby it can be expected that Facebook will consider the adjustments to be sufficient. However, the Hamburg data protection authorities had already issued an injunction against such data matching in 2016. Although Facebook took legal action, the company did not prevail in court (OVG Hamburg, February 26, 2018 – 5 Bs 93/17 – K&R 2018, 282).
The outcome of the proceedings in Hamburg is eagerly awaited since it may have an impact on the entire European market, given the direct applicability of Art. 66 GDPR in the different Member States. Although the decision from 2018 could delineate a trend, the outcome is open.
Today, the Italian Competition Authority (ICA) issued a 7 million euro fine to Facebook Ireland Ltd and Facebook Inc for failing to comply with the request to end their unfair practice regarding the use of users’ personal data, and to publish a due rectification (full text in Italian here).
Indeed, in November 2018 the ICA found the information given by Facebook to the users at the moment of the creation of the account misleading, due to the lack of adequate disclosure about the economic value of their personal data, which are monetized through the supply of targeted advertising (case PS1112). On the contrary, the ICA found that Facebook emphasized the free nature of the service, inducing users into making a transaction that they would not have taken otherwise. The misleading nature of such practice has also been confirmed by the Italian administrative judge (T.A.R. Lazio, decisions nn. and 261/2020).
The ICA advances that Facebook, despite having removed the claim about the free-of-charge nature of the service, still fails to provide users with clear information on the role of data as a means of payment in the exchange.
Italian Competition Authority, decision of 17 February 2021, ICA v. Facebook Ireland Ltd and Facebook Inc