\n<\/p>\n
Another bill has come in for Meta for failing to comply with the European Union\u2019s General Data Protection Regulation (GDPR) \u2014 but this one\u2019s a tiddler! Meta-owned messaging platform, WhatsApp, has been fined \u20ac5.5 million (just under $6M) by the tech giant\u2019s lead data protection regulator in the region for failing to have a lawful basis for certain types of personal data processing.<\/p>\n
Back in December, Meta\u2019s chief regulator, the Irish Data Protection Commission (DPC), was given orders to issue a final decision on this complaint (which dates back to May 2018) \u2014 via a binding decision from the European Data Protection Board (EDPB) \u2014 along with two other complaints, against Facebook and Instagram.<\/p>\n
Those two final decision emerged from the DPC earlier this month<\/a>, when it announced a total of \u20ac310M in penalties; and gave Meta three months to find a valid legal basis for that ads processing.\u00a0But while the latter pair of GDPR decisions tackled Meta\u2019s lack of a valid legal basis for processing user data to run behavioral advertising (aka, its core business model), with the WhatsApp decision Ireland appears to have skirted the ads processing legality issue entirely \u2014 since its enquiry has focused on the legal basis Meta claimed for \u201cservice improvements\u201d and \u201csecurity\u201d.<\/p>\n Here Meta had (similarly) sought to rely on a claim of contractual necessity \u2014 but Ireland has now found (via EDPB order) that it can\u2019t.<\/p>\n The DPC has given WhatsApp six months to mend its ways for these purposes of data processing. Meaning it will need to find a way to lawfully process the data (perhaps by asking users if they consent to such purposes and not processing their data if they don\u2019t).<\/p>\n But the regulator has simply declined to act on a parallel EDPB instruction telling the DPC to investigate whether WhatsApp processes user (meta)data for ads. And this has led to fresh cries, by the original complainant, of yet another stitch-up by the much criticized<\/a> Irish regulator.<\/p>\n In a press release<\/a>, noyb<\/a>, the privacy rights not-for-profit behind the original strategic complaints<\/a> pulls no punches \u2014 arguing that Ireland is essentially giving the EDPB the finger at this point.<\/p>\n \u201cWe are astonished how the DPC simply ignores the core of the case after a 4.5 year procedure. The DPC also clearly ignores the binding decision of the EDPB. It seems the DPC finally cuts loose all ties with EU partner authorities and with the requirements of EU and Irish law,\u201d said its honorary chairman, Max Schrems, in a typically pithy and punchy statement.<\/p>\n While messaging content on WhatsApp is end-to-end encrypted \u2014 which means, assuming you trust Meta\u2019s implementation of the Signal protocol, that this information should be protected from its prying eyes \u2014 the social media giant can still glean insights on users by tracking their WhatsApp metadata (aka, who\u2019s talking to who, how often etc) \u2014 and also by connecting the dot and users to accounts and public (or otherwise non-E2EE digital activity) across other services it owns (and, potentially, third party services it\u2019s seeded with tracking technologies)\u2026 So, basically, Meta\u2019s data-gathering net is long (and wide).<\/p>\n That means there are certainly questions to be asked about how it might be processing WhatsApp users\u2019 data for marketing purposes \u2014 and what legal basis it\u2019s relying on for any such processing.<\/p>\n WhatsApp users may remember the major controversy that kicked off back in 2021<\/a> \u2014 when the platform announced an update to its T&Cs that it said users had to accept in order to carry on using the service. It wasn\u2019t clear exactly what was changing in the updated terms. But, whatever was going on, Meta sure wasn\u2019t giving WhatsApp users a free choice over the matter! And while regulatory attention on that issue led to what appeared to be a bit of a climbdown by Meta, which stopped sending aggressive pop-ups demanding EU users agree (or leave), the whole episode led to widespread confusion about what exactly it was doing with WhatsApp user data (and how it was doing it, legally speaking).<\/p>\n The episode also sparked some consumer protection complaints<\/a>. Which led, last summer<\/a>, to the European Commission giving the company a month to fix the confusing T&Cs and \u201cclearly inform\u201d consumers about its business model.<\/p>\n None of the confusion and mistrust around WhatsApp\u2019s T&Cs was helped by a much earlier U-turn<\/a> on syncing user data with Facebook \u2014 when the platform flipped a founder pledge never to cross those streams. In short, it\u2019s a mess \u2014 and a mess that Europe\u2019s regulators can\u2019t claim to have cleaned up.<\/p>\n Yet despite all the ongoing confusion and privacy concerns, the DPC appears spectacularly uninterested in taking a proper look at how WhatsApp may be processing user data for ads.<\/p>\n \u201cThe DPC has now limited the 4.5 year procedure to the minor issues of the legal basis for using data for security purposes and for service improvement,\u201d writes noyb, accusing the regulator of essentially ignoring this major component of its complaint. \u201cThe DPC thereby ignores the major issues of sharing WhatsApp data with Meta\u2019s other companies (Facebook and Instagram) for advertisement as well as other purposes.\u201d<\/p>\n