On July 28th, the EDPB adopted a dispute resolution decision on the basis of Art. 65 GDPR. This binding decision seeks to address the dispute arisen following a draft decision issued by the Irish (IE) SA as lead supervisory authority (LSA) regarding WhatsApp Ireland Ltd. (WhatsApp IE) and the subsequent objections expressed by a number of concerned supervisory authorities (CSAs). In accordance with the GDPR, the EDPB’s binding decision has now been published, following the notification of the IE SA’s final decision to the company.
Following its assessment, the EDPB was of the opinion that the IE SA should amend its draft decision regarding infringements of transparency, the calculation of the fine, and the period for the order to comply.
Regarding transparency, the draft decision of the IE SA already identified a severe breach of Art. 12-13-14 GDPR. The EDPB identified additional shortcomings with the information provided, impacting users’ ability to understand the legitimate interests being pursued. Therefore, the EDPB requested the IE SA to include a finding of an infringement of Art. 13(1)(d) GDPR in its decision.
In addition, the EDPB clarified that, while not every infringement of Art. 12-14 GDPR necessarily entails an infringement of Art. 5 (1) (a) GDPR, in this particular case, in light of the gravity and the overarching nature and impact of the infringements, there has been an infringement of the transparency principle enshrined in Art. 5(1)(a) GDPR.
Regarding WhatsApp IE’s collection of data of non-users - when users decide to use the Contact Feature functionality - the EDPB found that in the present case, the procedure used by WhatsApp IE does not lead to anonymisation of the collected personal data.
Regarding the imposed fine and the calculation of the fine, the EDPB decided that the turnover of an undertaking is not exclusively relevant for the determination of the maximum fine amount in accordance with Art. 83(4)-(6) GDPR, but it may also be considered for the calculation of the fine itself, where appropriate, to ensure the fine is effective, proportionate and dissuasive in accordance with Art. 83(1) GDPR. In this case, the EDPB found the consolidated turnover of the parent company (Facebook Inc.) is to be included in the turnover calculation.
In addition, the EDPB, for the first time, provided clarification on the interpretation of Art. 83(3) GDPR. When faced with multiple infringements for the same or linked processing operations, all the infringements should be taken into consideration when calculating the amount of the fine. This is notwithstanding the duty on SAs to take into account the proportionality of the fine and to respect the maximum fine amount set out by the GDPR.
The IE SA Draft Decision further included an order to bring processing operations into compliance within a period of 6 months. The EDPB found it of primary importance that compliance with transparency obligations is ensured in the shortest timeframe possible. As such, the IE SA was requested to amend the six months deadline for compliance to a period of three months.
This binding decision was addressed to the supervisory authorities concerned, and the IE SA as lead SA has adopted its national decision on the basis of the EDPB decision. WhatsApp IE was notified of the national decision, with the EDPB decision annexed to it.
This current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties.
For further information regarding the Art. 65 GDPR procedure, please consult the Art. 65 FAQ