{"id":2708,"date":"2021-09-09T13:28:00","date_gmt":"2021-09-09T19:28:00","guid":{"rendered":"https:\/\/trustarc.com\/?post_type=resource&#038;p=2708"},"modified":"2024-12-05T10:36:17","modified_gmt":"2024-12-05T16:36:17","slug":"lessons-from-edpb-binding-decision","status":"publish","type":"resource","link":"https:\/\/trustarc.com\/resource\/lessons-from-edpb-binding-decision\/","title":{"rendered":"A New Irish Fine: Lessons Learned from the EDPB Binding Decision"},"content":{"rendered":"\t\t<section id=\"block_8f96f259d4ff03ee3b870f3982a7b042\" class=\"resource-intro intro-simple\">\n\t\t\t<div class=\"container\">\n\t\t\t\t\t\t\t\t\t<strong class=\"sub-title block uppercase\">Articles<\/strong>\n\t\t\t\t\t\t\t\t\t\t<h1>A New Irish Fine: Lessons Learned from the EDPB Binding Decision<\/h1>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\n\n\t<section id=\"block_96c6f142e1c145fb78be2653e167b173\" class=\"columns-content\">\n\t\t<div class=\"container\">\n\t\t\t<div class=\"left\">\n\t\t\t\t\t\t<div class=\"person-wrap\">\n\t\t\t<span>\t\t\t\t\t\t\t<div class=\"img-holder\">\n\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"110\" height=\"110\" src=\"https:\/\/trustarc.com\/wp-content\/uploads\/2024\/02\/people-placeholder-lt-blue.png\" class=\"attachment-full size-full wp-post-image\" alt=\"\" \/>\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t<div class=\"text-holder\">\n\t\t\t\t\t\t\t\t\t\t\t<strong class=\"block name\">Annie Greenley-Giudici<\/strong>\n\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/span>\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t<div class=\"middle\">\n\t\t\t\t<div class=\"content\">\n\t\t\t\t\t<h2>WhatsApp fined 225 million Euros for violations of the GDPR<\/h2>\n<p>The Irish Data Protection Commission (DPC) has\u00a0<a href=\"https:\/\/dataprotection.ie\/en\/news-media\/press-releases\/data-protection-commission-announces-decision-whatsapp-inquiry\">imposed a fine of \u20ac225 million<\/a>\u00a0on WhatsApp\u2019s European headquarters following an\u00a0<a 
href=\"https:\/\/edpb.europa.eu\/our-work-tools\/consistency-findings\/register-for-decisions_en\">investigation<\/a>\u00a0that took many years to complete.<\/p>\n<p>In addition to the fine, WhatsApp has received a compliance order, which it needs to fulfill within 3 months.<\/p>\n<p>The sanctions are imposed for violating the transparency principle and requirements under the European Union\u2019s General Data Protection Regulation (GDPR).<\/p>\n<p>This in itself is noteworthy, but the case becomes more interesting because the sanctions are a result of a\u00a0<a href=\"https:\/\/edpb.europa.eu\/our-work-tools\/our-documents\/binding-decision-board-art-65\/binding-decision-12021-dispute-arisen_en\">Binding Decision<\/a>\u00a0by the European Data Protection Board (EDPB) following objections against the draft findings and sanctions proposed by the Irish DPC.<\/p>\n<p>The full report of the EDPB on the dispute resolution procedure sheds light on the considerations of the various regulators, as well as on some novel and updated interpretations of the GDPR by the EDPB.<\/p>\n<p>Here are three decision elements that might be relevant for other companies.<\/p>\n<h2>Legitimate interest<\/h2>\n<p>Processing personal data based on a legitimate (business) interest has been possible in Europe for a long time already.<\/p>\n<p>Under the former 1995 Data Protection Directive, the Article 29 Working Party (WP29, the predecessor of the EDPB) issued an\u00a0<a href=\"https:\/\/ec.europa.eu\/justice\/article-29\/documentation\/opinion-recommendation\/files\/2014\/wp217_en.pdf\">opinion<\/a>\u00a0on how the legitimate interest should be used.<\/p>\n<p>In any case, a legitimate interest should be \u201csufficiently clearly articulated\u201d and \u201crepresent a real and present interest\u201d in order to be valid. 
If that is not the case, the required balancing test cannot be completed.<\/p>\n<p>Furthermore, where legitimate interest is used, information needs to be provided to the individual on the basis of Article 13(1)(d) GDPR.<\/p>\n\t\t\t\t\t\t\t\t<blockquote class=\"w-indent\">\n\t\t\t\t\t\t\t\t\t<p>In the WhatsApp Binding Decision, the EDPB writes that it\u00a0\u201cconsiders that the purpose of these duties of the controller is to enable data subjects to exercise their rights under the GDPR, such as the right to object pursuant to Article 21 GDPR, which requires the data subject to state the grounds for the objection relating to his or her particular situation.\u201d<\/p>\n\t\t\t\t\t\t\t\t<\/blockquote>\n\t\t\t\t\t\t\t\t<p>Therefore, \u201cfull information on each and every processing operation\u201d needs to be provided to the individual.<\/p>\n<p>One of the concerns raised was\u00a0<strong>against the way WhatsApp provided notice on its use of legitimate interests.<\/strong><\/p>\n<p>Several purposes for data processing and several legitimate interests were listed, without making clear how each of these relates to the others.<\/p>\n<p>Also, the use of phrases like \u201cother business services\u201d or \u201cmaintaining innovative services and features\u201d cannot meet the approval of the data protection authorities, because they \u201cdo not meet the necessary threshold of clarity and intelligibility.\u201d<\/p>\n<h3><b>Recommendation:<\/b><\/h3>\n<p>When relying upon legitimate interest(s) for your data processing operations, ensure each legitimate interest is made clear in your privacy notice, with a clear link to the types of data used for each data subject category and the intended purpose(s).<\/p>\n<h2>Matching address books<\/h2>\n<p>The second contentious issue is the question of whether phone numbers of non-users, collected when matching an address book with WhatsApp\u2019s current user list to facilitate connections, remain personal data, even after 
so-called lossy hashing.<\/p>\n<p>Lossy hashing is a technique that, put simply, \u2018translates\u2019 the phone number of a non-user into a code that at first glance does not have any meaning.<\/p>\n<p>The EDPB discusses the objections of multiple data protection authorities.<\/p>\n<p>In short, all argue that the original Irish DPC finding that lossy-hashed data does not constitute personal data is incorrect, since re-identification is possible and does not require a lot of effort.<\/p>\n<p>This is due to the way the technique is implemented by WhatsApp, by using only\u00a0up to 16\u00a0phone numbers instead of the\u00a0full set available, and by \u201clinking a lossy hash to mobile phone numbers of those users who uploaded numbers via the Contact Features that fall into the group of different phone numbers that would have generated that same lossy hash.\u201d<\/p>\n<p>Furthermore, if these data are regarded as personal data, additional violations of the GDPR should be noted, both in terms of the legal basis to process these data and the information provided to individuals.<\/p>\n<h3><b>Recommendation:<\/b><\/h3>\n<p>The EDPB does not raise principled objections to matching user lists against a database while using a lossy hash on non-users to limit the amount of available data.<\/p>\n<p>However, a \u201ctable of lossy hashes together with the associated users\u2019 phone numbers [retained] as Non-User List constitutes personal data.\u201d<\/p>\n<p>As such, this processing activity requires its own legal basis and proper information to be provided to individuals.<\/p>\n<h2>Calculating sanctions<\/h2>\n<p>The final learning point in the EDPB Binding Decision relates to the calculation of the administrative fine.<\/p>\n<p>In its draft decision, the Irish DPC set a proposed range for the fine amount, with a cap that was calculated on the basis of the annual combined global turnover of Facebook Inc and WhatsApp Ireland, given they 
should be regarded as a group of undertakings under the GDPR.<\/p>\n<p>The question raised, however, was \u201cwhether turnover is relevant only to determine the maximum fine that can be lawfully imposed, or whether it is potentially also relevant in the calculation of the fine amount\u201d.<\/p>\n<p>The EDPB considers a \u201cconclusion that turnover may be considered exclusively to calculate the maximum fine amount is unsustainable,\u201d because a fine needs to be effective, proportionate and dissuasive.<\/p>\n<p>Furthermore, the GDPR explicitly provides for dynamic fines, which should allow turnover to be taken into account alongside other considerations, such as intent or negligence and the other factors listed in Article 83(2) GDPR.<\/p>\n<p>This is also considered to be in line with case law from the Court of Justice, especially when it comes to the dissuasiveness of the fine.<\/p>\n\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t\t<div class=\"right sm\">\n\t\t\t\t\t\t\t\t\t<div class=\"key-topics\">\n\t\t\t\t\t\t<strong class=\"title block uppercase\">Key 
Topics<\/strong>\n\t\t\t\t\t\t<ul>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/compliance\/\" class=\"badge\">Compliance<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/eu\/\" class=\"badge\">EU<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<li><a href=\"https:\/\/trustarc.com\/topic-resource\/gdpr\/\" class=\"badge\">GDPR<\/a><\/li>\n\t\t\t\t\t\t\t\t\t\t\t\t\t<\/ul>\n\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\t\t<\/div>\n\t<\/section>\n\t","protected":false},"excerpt":{"rendered":"<p>Irish Data Protection Commission imposes \u20ac225M fine on WhatsApp for GDPR violations. Sanctions follow EDPB binding decision. Explore the new Irish fine details.<\/p>\n","protected":false},"featured_media":1687,"template":"","topic-resource":[61,69,63],"type-resource":[6],"class_list":["post-2708","resource","type-resource","status-publish","has-post-thumbnail","hentry","topic-resource-compliance","topic-resource-eu","topic-resource-gdpr","type-resource-articles"],"acf":[],"_links":{"self":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource\/2708","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/resource"}],"about":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/types\/resource"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media\/1687"}],"wp:attachment":[{"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/media?parent=2708"}],"wp:term":[{"taxonomy":"topic-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/topic-resource?post=2708"},{"taxonomy":"type-resource","embeddable":true,"href":"https:\/\/trustarc.com\/wp-json\/wp\/v2\/type-resource?post=2708"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}