Article 29 Working Party’s concerns over data protection compliance by WhatsApp

This article was first published on Lexis®PSL Information Law on 16 November 2017. 

Information Law analysis: The Article 29 Working Party (WP29) recently sent a letter to WhatsApp, reiterating concerns about changes to their terms of service and privacy policy. Will Richmond-Coggan, partner and solicitor-advocate at Pitmans Law and head of the firm’s data privacy, media and reputation practice, explains the background to this letter and its potential implications.

What is the background to the letter?

The WP29 is a body set up under Directive 95/46/EC (the Data Protection Directive), comprising representatives from each EU Member State’s data protection authority (eg the Information Commissioners Office (ICO) in the case of the UK). They first wrote to WhatsApp in 2016, following a change to the company’s terms of business and fair processing notice which gave rise to concerns that users’ personal data was in danger of being unlawfully processed under the Data Protection Directive.

It is worth noting that the risk of unlawful processing derived specifically from some very general language in connection with the ways in which subjects’ data would be processed by WhatsApp, and shared with other entities in the Facebook group of companies. This was of importance generally, because data subjects are entitled to be informed of how their data will be used, but also specifically because WhatsApp relied on data subject consent as the basis for processing. Self-evidently, if a data subject cannot understand from a fair processing notice (also sometimes called a privacy policy) how their data will be used, they cannot meaningfully consent to that processing.

During 2017, the WP29 continued to monitor WhatsApp’s compliance and lingering concerns about the clarity of the explanations given to data subjects led them to send the present letter in October 2017.

What are the potential implications for companies seeking to ensure that they lawfully process personal data and those advising them under current data protection laws?

In keeping with the approach of the ICO domestically, the WP29 have sought to use the letter as an opportunity to spell out some of the considerations which WhatsApp should have had in mind from the outset in order to comply with the existing data protection legislation. They have also taken the opportunity to spell out ways in which the data protection regime is going to become more stringent from 25 May 2018, when the GDPR comes into force.

The primary implication is for those businesses which seek to rely on opaque or loosely worded privacy policies in order to secure ‘consent’ to a wider range of processing activities than a data subject might otherwise be aware of. The WP29’s letter makes clear that such an approach runs the risk of failing to secure valid consent to processing which has not been clearly identified and explained.

On the issue of whether the consent was freely given, the WP29 noted the pre-eminence of WhatsApp’s messaging service among other similar services, and the extent to which Facebook’s social networking service is embedded into the digital lives of European citizens. The means by which WhatsApp sought to introduce its updated terms of service and privacy policy however, effectively resulted in WhatsApp adopting a ‘take it or leave it’ approach in which users either signal their ‘consent’ to the sharing of data or they are unable to avail themselves of WhatsApp’s messaging service. For this reason, in the particular circumstances of this case, the WP29 considered that consent could not be freely given by WhatsApp users in the absence of sufficiently granular user controls allowing for an appropriate level of control over the sharing of the data. The approach of WP29 in this matter reflects that as a matter of best practice (eg see WP29 Opinion 15/2011 on the definition of consent) where possible and proportionate to do so, all organisations should seek to offer granular control over the processing to which subjects give their consent, rather than requiring a single blanket consent.

Secondly, the letter reminds WhatsApp, and by extension other businesses and advisors, that consent is not the only basis on which data may lawfully be processed. But if a controller wishes to rely on another basis, they must still spell out what that is in their privacy policy, and selecting some other basis does not absolve the controller of the requirement to inform the data subject of the ways in which their data will be processed, pursuant to that lawful basis. The WP29’s specific focus in this respect was to clarify the constraints around processing on the basis of the controller’s legitimate interests. In particular, they were keen to emphasise that processing on this basis could only be undertaken where the processing was ‘necessary’ for those interests, and where those interests were not at odds to the rights and protections afforded to the data subject.

To what extent are the views of the WP29 helpful in providing guidance on interpreting lawful grounds of processing under the forthcoming GDPR?

The General Data Protection Regulation (EU) 2016/679 (GDPR) will apply from 25 May 2018 and will change data protection laws across the EU, including repealing the Data Protection Directive.

The WP29 noted that the current Data Protection Directive requires such consent to be unambiguous, specific, informed, freely given and that the GDPR provides further clarification and specification of what is required in order for consent to be considered valid. In particular, the WP29 noted that the GDPR specifies that consent must consist of a statement or clear affirmative action, be demonstrable, clearly distinguishable, intelligible and easily accessible, use clear language and be capable of being withdrawn.

The WP29 reinforced the importance of consent being properly documented, having been obtained in a clear, specific and coherent manner and the consent itself being informed, unequivocal and positive (ie by action rather than inaction) once the GDPR applies. For example, the WP29 noted that the GDPR explicitly confirms that pre-ticked boxes do not constitute a valid consent and called upon WhatsApp and Facebook to ensure users are provided with easy to use persistent controls over the sharing of their personal data.

The views of the WP29 in this regard are significant and carry a good deal of weight—they are after all the views of the regulatory bodies who will be responsible for upholding (and more importantly, interpreting) the GDPR and any associated domestic legislation, once it comes into force.

What are the next steps?

The next steps for WhatsApp will be carefully to consider the points identified by the WP29 and to seek either to satisfy them that their existing arrangements meet the requirements of the existing and forthcoming legislation or to modify their procedures and policies in order to meet the requirements set out in that correspondence. In light of the content of the WP29’s correspondence, and the history of prior concerns identified above, the former outcome seems unlikely and thus WhatsApp users will probably be receiving further updates to their privacy policy which are likely to include some form of greater granularity over the associated privacy controls, in the fairly near future.

Similarly, any other business whose present approach to compliance with the existing data protection mirrors that of WhatsApp will need to take urgent advice on how they might modify their approach in advance of May 2018, in order to ensure that they both comply with the existing legislation and continue to comply once the GDPR comes into force.

Following the latest W29 letter, the Irish Data Protection Commissioner issued a press statement confirming that it is continuing to engage directly with WhatsApp and Facebook Ireland in resolving the same issues.