Confusion over an update to Facebook-owned chat platform WhatsApp’s terms and conditions has triggered an intervention by Italy’s data protection agency.
The Italian GPDP said today it has contacted the European Data Protection Board (EDPB) to raise concerns about a lack of clear information over what’s changing under the incoming T&Cs.
In recent weeks WhatsApp has been alerting users they must accept new T&Cs in order to keep using the service after February 8.
A similar alert over updated terms has also triggered concerns in India — where a petition was filed today in the Delhi High Court alleging the new terms are a violation of users’ fundamental rights to privacy and pose a threat to national security.
In a notification on its website the Italian agency writes that it believes it is not possible for WhatsApp users to understand the changes that are being introduced under the new terms, nor to “clearly understand which data processing will actually be carried out by the messaging service after February 8”.
For consent to be a valid legal basis for processing personal data under EU law the General Data Protection Regulation (GDPR) requires that users are properly informed of each specific use and given a free choice over whether their data is processed for each purpose.
The Italian agency adds that it reserves the right to intervene “as a matter of urgency” in order to protect users and enforce EU laws on the protection of personal data.
We’ve reached out to the EDPB with questions about the GPDP’s intervention. The steering body’s role is typically to act as a liaison between EU DPAs. But it also issues guidance on the interpretation of EU law and can step in to cast the deciding vote in cases where there is disagreement on cross-border EU investigations.
Earlier this week Turkish antitrust authorities also announced they are investigating WhatsApp’s updated T&Cs — objecting to what they claimed are differences in how much data will be shared with Facebook under the new terms in Europe and outside.
While, on Monday, Ireland’s Data Protection Commission — which is WhatsApp’s lead data regulator in the EU — told us the messaging app has given it a commitment EU users are not affected by any broader change to data-sharing practices. So Facebook’s lead regulator in the EU has not raised any objections to the new WhatsApp T&Cs.
WhatsApp itself has also claimed there are no changes at all to its data sharing practices anywhere in the world under this update.
Clearly there’s been a communications failure somewhere along the chain — which makes the Italian objection to a lack of clarity in the wording of the new T&Cs seem reasonable.
Reached for comment on the GDPD’s intervention, a WhatsApp spokesperson told us:
We are reviewing the Garante’s announcement regarding WhatsApp’s Privacy Policy update. We want to be clear that the policy update does not affect the privacy of your messages with friends or family in any way or require Italian users to agree to new data-sharing practices with Facebook. Instead, this update provides further transparency about how we collect and use data, as well as clarifying changes related to messaging a business on WhatsApp, which is optional. We remain committed to providing everyone in Italy with private end-to-end encrypted messaging.
How exactly the Italian agency could intervene over the WhatsApp T&Cs is an interesting question. (And, indeed, we’ve reached out to the GPDP with questions.)
The GDPR’s one-stop-shop mechanism means cross-border complaints get funnelled through a lead data supervisor where a company has its main regional base (Ireland in WhatsApp’s case). But as noted above, Ireland has — thus far — said it doesn’t have a problem with WhatsApp’s updated T&Cs.
However under the GDPR, other DPAs do have powers to act off their own bat when they believe there is a pressing risk to users’ data.
Such as, in 2019, when the Hamburg DPA ordered Google to stop manual reviews of snippets of Google Assistant users’ audio (which it had been reviewing as part of a grading program).
In that case Hamburg informed Google of its intention to use the GDPR’s Article 66 powers — which allows a national agency to order data processing to stop if it believes there is “an urgent need to act in order to protect the rights and freedoms of data subjects” — which immediately led to Google suspending human reviews across Europe.
The tech giant later amended how the program operates. The Hamburg DPA didn’t even need to use Article 66 — just the mere threat of the order to stop processing was enough.
Some 1.5 years later and there are signs many EU data protection agencies — outside a couple of key jurisdictions which oversee the lions’ share of big tech — are becoming frustrated by perceived regulatory inaction against big tech.
So there may be an increased willingness among these agencies to resort to creative procedures of their own to protect citizens’ data. (And it’s certainly interesting to note that France’s CNIL recently slapped Amazon and Google with big fines over cookie consents — acting under the ePrivacy Directive, which does not include a GDPR-style one-stop-shop mechanism.)
In related news this week, an opinion by an advisor to the EU’s top court also appears to be responding to concern at GDPR enforcement bottlenecks.
In the opinion Advocate General Bobek takes the view that the law allows national DPAs to bring their own proceedings in certain situations — including in order to adopt “urgent measures” or to intervene “following the lead data protection authority having decided not to handle a case”.
The CJEU ruling on that case is still pending but the court tends to align with the position of its advisors so it seems likely we’ll see data protection enforcement activity increasing across the board from EU DPAs in the coming years, rather than being stuck waiting for a few DPAs to issue all the major decisions.