Facebook's lead regulator in the European Union must "swiftly" investigate the legality of data sharing related to a controversial WhatsApp policy update, according to an order by the European Data Protection Board (EDPB).
We have reached out to the Irish Data Protection Commission (DPC) for comment. Update: See below for their statement.
Updated terms had been due to be enforced on users of the Facebook-owned messaging app in January, but Facebook delayed the WhatsApp terms update until May following a major privacy backlash and continued confusion over the details of how it processes user data.
WhatsApp has gone ahead and enforced the policy update, but the terms continue to face scrutiny from regulators and rights organizations around the world.
For instance, the Indian government has repeatedly ordered Facebook to withdraw the new terms. In Europe, meanwhile, privacy regulators and consumer protection organizations have objected to how opaque terms are being thrust upon users, and in May a German data protection authority issued a temporary (national) blocking order.
Today's development follows that and is significant as it's the first urgent binding decision adopted by the EDPB under the bloc's General Data Protection Regulation (GDPR).
The Board has not, however, agreed to order the adoption of final measures against Facebook-WhatsApp, as the requesting data supervisor, the Hamburg DPA, had asked, saying that the "conditions to demonstrate the existence of an infringement and an urgency are not met."
The Board’s intervention in the confusing mess around the WhatsApp policy update follows the use of GDPR Article 66 powers by Hamburg’s data protection authority.
In May, the latter instructed Facebook not to apply new terms to users in Germany — claiming that its analysis showed that the policy conferred "far-reaching powers" on WhatsApp to share data with Facebook, with it being unclear what legal basis the tech giant was relying upon to be able to process users' data.
Hamburg also accused the Irish DPC of failing to investigate the Facebook-WhatsApp data sharing when it raised concerns — hence seeking to take matters into its own hands by making an Article 66 intervention.
As part of the process it asked the EDPB to take a binding decision requiring definitive steps to block data sharing between WhatsApp and Facebook, in a bid to sidestep glacial procedures at the Irish regulator by getting the Board to order an enforcement measure that would apply across the whole bloc.
However, the Board's assessment found that Hamburg had not met the bar for demonstrating the Irish DPC "failed to provide information in the context of a formal request for mutual assistance under Article 61 GDPR", as it puts it.
It also concluded that the adoption of updated terms by WhatsApp — which it nonetheless says "contain similar problematic elements as the previous version" — cannot "on its own" justify the urgency for the EDPB to order the lead supervisor to adopt final measures under Article 66(2) GDPR.
The upshot — as the Hamburg DPA puts it — is that data exchange between WhatsApp and Facebook remains "unregulated at the European level".
Article 66 powers
The significance of Article 66 of the GDPR is that it empowers EU data protection authorities to derogate from the regulation's one-stop-shop mechanism, which otherwise funnels cross-border complaints (such as those against Big Tech) via a lead data supervisor (oftentimes the Irish DPC), and is thus widely seen as a bottleneck to effective enforcement of data protection (especially against tech giants).
An Article 66 urgency procedure gives a data protection authority in any of the EU's member states the power to adopt interim measures immediately, where a situation falls within the scope of this kind of emergency intervention. That is one way to bypass the bottleneck, albeit only for a time-limited period.
A number of EU data protection authorities have invoked (or threatened to invoke) Article 66 powers in recent years since GDPR came into application in 2018, and the power is increasingly proving its worth in reconfiguring certain Big Tech practices — for example, Italy's DPA recently used it to force TikTok to remove hundreds of thousands of suspected underage accounts.
Just the threat of Article 66's use back in 2019 (also by Hamburg) was enough to encourage Google to suspend manual reviews of audio recordings captured by its voice AI, Google Assistant. (This later led to a number of major policy changes by several tech giants who had similarly been manually reviewing users' interactions with their voice AIs.)
At the same time, Article 66 provisional measures can last only three months — and only apply nationally, not across the whole EU. So it's a bounded power. (Perhaps especially in this WhatsApp-Facebook case, where the target is a ToS update, and Facebook could just wait out the three months and apply the policy anyway in Germany after the suspension order lapses.)
That's why Hamburg wanted the EDPB to issue a binding decision. The Board's refusal to do so here is a blow for privacy advocates who want to see GDPR enforcement delivered against tech giants like Facebook.
Uncontrolled data exchange
In response to the Board's decision not to adopt definitive measures to prevent the sharing of data between WhatsApp and Facebook, the Hamburg authority expressed disappointment (see below for its full statement), including at the fact that the EDPB has not set a deadline for the Irish DPC to complete its investigation into the legal basis of the data sharing.
As it is, Ireland's data protection authority has issued just one final GDPR decision to date against a tech giant: Twitter. So there's more than enough reason to fear that without a concrete deadline, the ordered probe could be kicked down the road for years.
Yet, on the other hand, it is quite a major intervention for an EU-wide authority to demand that the Irish DPC "quickly" scrutinize the detailed granularity of the data shared between Facebook and WhatsApp. It is certainly a highly public poke at a regulator whose reputation is now, infamously, that it refuses to do its job of actually investigating complaints thoroughly.
Demonstrably it has failed to do so in this WhatsApp case. Despite major concerns having been raised about the policy update, within Europe and globally, Facebook's lead EU data supervisor did not open a formal investigation and has not expressed public objections to the update.
Back in January, when we asked about concerns over this update, the DPC told TechCrunch that it had obtained "a confirmation" from Facebook-owned WhatsApp that there was no change in data-sharing practices affecting users within the EU, essentially repeating the Facebook line that the update did not change anything, hence "nothing to see here".
"The updates of WhatsApp last week are intended to provide clearer, detailed information to users on how and why they use data. We are advised by WhatsApp that there are no updates to data sharing practices, either in Europe or worldwide, as a result of these updates," the DPC said, although it also said at the time that it had received "a lot of queries from stakeholders, confused and concerned by these updates," echoing Facebook's characterization of complaints.
"We had engaged with WhatsApp on the issue and they assured us that they will extend the date for which people are going to be requested to review and accept the terms from February 8th to May 15th," said the DPC, in reference to the postponement of the deadline for accepting the ToS that Facebook implemented following the public outcry, during which hundreds of users signed up for alternative messaging applications, adding: "Meanwhile, WhatsApp will initiate information campaigns to better educate people about how privacy and security operates on the service. We will continue to engage with WhatsApp on these updates."
The EDPB's assessment of the rather knotty WhatsApp-Facebook data-sharing terms looks somewhat different — with the Board labeling WhatsApp's user communications confusing and simultaneously raising concerns about the legal basis for the data exchange.
In a press release, the EDPB writes that there's a "high likelihood of infringements" — highlighting purposes contained in the updated ToS in the areas of "safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies" as being of particular concern.
From the Board's PR [emphasis its]:
Considering the high likelihood of infringements in particular for the purpose of safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies, the EDPB considered that this matter requires swift further investigations. In particular to establish whether, in practice, Facebook Companies conduct processing activities which involve either the combination or comparison of WhatsApp IE's [Ireland] users' data with other datasets processed by different Facebook Companies within the context of other applications or services of the Facebook Companies, by means inter alia of the use of unique identifiers. Therefore, the EDPB asks the IE SA [Irish supervisory authority] to conduct, as a priority, a statutory investigation to establish whether such processing activities are indeed taking place or not and, if so, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR.
NB: It is important to remember that WhatsApp users were first informed that they must accept the new policy or else the app would cease to function. (Facebook changed its approach later, after the public backlash.) WhatsApp users who haven't accepted the terms yet are still nagged to do so through regular pop-ups, although the tech giant does not appear to be taking steps to degrade the user experience further as yet (i.e. beyond the annoying, recurring pop-ups).
The EDPB's concerns regarding the WhatsApp-Facebook data sharing "are related to a lack of information around how data is processed for marketing purposes, cooperation with the other Facebook Companies and in relation to WhatsApp Business API," hence the order it gave the Irish authority to investigate fully.
The Board also effectively endorses the notion that WhatsApp users themselves have no chance of making sense of what Facebook is doing with their data from the comms material it has supplied them with, with the Board writing [emphasis ours]:
Based on the evidence presented, the EDPB concluded that there is a high probability that Facebook IE [Ireland] already processes WhatsApp IE [Ireland] user data as a (joint) controller for the common purpose of safety, security and integrity of WhatsApp IE [Ireland] and the other Facebook Companies, and for the common purpose of improvement of the products of the Facebook Companies. However, in the face of the various contradictions, ambiguities and uncertainties noted in WhatsApp's user-facing information, some written commitments adopted by Facebook IE [Ireland] and WhatsApp IE's [Ireland] written submissions, the EDPB concluded that it is not in a position to determine with certainty which processing operations are actually being carried out and in which capacity.
We reached out to Facebook for comment on the EDPB's order, and the company sent us this statement — attributed to a WhatsApp spokesperson:
We welcome the EDPB's decision not to extend the Hamburg DPA's order, which was based on fundamental misunderstandings as to the purpose and effect of the update to our terms of service. We remain fully committed to delivering secure and private communications for everyone and will work with the Irish Data Protection Commission as our lead regulator in the region in order to fully address the questions raised by the EDPB.
Facebook also asserted that it has controls in place for "controller to processor data sharing" (i.e. between WhatsApp and Facebook) — which it said prohibit it (Facebook) from using WhatsApp user data for its own purposes.
The tech giant went on to reiterate its line that the update does not expand WhatsApp's ability to share data with Facebook.
GDPR enforcement stalemate
Another important element to this tale is the fact that, for several years, the Irish DPC has been investigating longstanding complaints about WhatsApp's alleged non-compliance with the GDPR's transparency requirements, and yet it has still not issued a final decision.
So when the EDPB says it’s highly likely that some of the WhatsApp-Facebook data-processing being objected to is already going on it doesn’t mean Facebook gets a pass for that — because the DPC hasn’t issued a verdict on whether or not WhatsApp has been up front enough with users.
tl;dr: The regulatory oversight process is still ongoing.
The DPC provisionally wrapped up its WhatsApp transparency investigation last year, saying in January that it had sent a draft decision to the other EU data protection authorities on 24 December 2020 for review (and potential objection). That is a necessary step under the GDPR's co-decision-making process.
In January, when it said it was still waiting to receive comments on the draft decision, it also said: "When the process is completed and a final decision issues, it will make clear the standard of transparency to which WhatsApp is expected to adhere as articulated by EU Data Protection Authorities."
More than half a year on, EU WhatsApp users remain in limbo over whether the company's communications meet the legally mandated standard of transparency or not, while their data continues to flow between WhatsApp and Facebook in the interim.
We contacted the Irish DPC today for comment on the EDPB's order, and also asked about the status of its investigation into WhatsApp's transparency.
It said it will have a response later today — we will update this report when we get it.
Update: The DPC's deputy commissioner, Graham Doyle, said [emphasis his]:
This Article 66 procedure was about whether the EDPB on request from Hamburg would take final measures confirming the provisional measures applied by the Hamburg SA against Facebook. The EDPB decision did not take measures as the Hamburg SA failed to present enough evidence to ground such measures.
Measures, if agreed by the Board, would not in any event be measures that the Irish DPC would adopt. They would be measures adopted by the EDPB. This is a decision of the Board based on a request from Hamburg SA under a provision that is a derogation to the cooperation and consistency mechanism.
Of course, the DPC has already conducted an in-depth investigation into WhatsApp's privacy policy user-facing material in the context of its transparency inquiry. That inquiry reached the Article 60 (co-decision making) stage in December 2020 and is now moving through the dispute resolution procedure. The Hamburg SA has been involved in the decision-making process since December 2020 and the dispute resolution process, which began in June, is an EDPB-led initiative, with all other supervisory authorities being involved.
The DPC takes note of the request of the Board and will give due consideration to any appropriate regulatory follow-up where it identifies matters canvassed in the EDPB decision have not already been addressed in the Article 60 draft decision transmitted by the DPC (and now currently with the Board under Article 65).
The DPC also has a separate, complaint-based inquiry ongoing that considers the legal basis that WhatsApp relies upon for processing. That inquiry is also at an advanced stage.
Back in November the Irish Times reported that WhatsApp Ireland had set aside €77.5 million for "possible administrative fines arising from regulatory compliance matters presently under investigation". No fines against Facebook have yet been forthcoming, though.
Indeed, the DPC has yet to issue a single final GDPR decision against Facebook (or a Facebook-owned company) — despite more than three years having passed since the regulation started being applied.
Scores of GDPR complaints against Facebook's data-processing empire, like this May 2018 complaint against Facebook, Instagram and WhatsApp's use of so-called "forced consent", languish without regulatory enforcement in the EU because there have been no decisions from Ireland (and sometimes no investigations either).
The situation is a huge black mark against the EU's flagship data protection regulation. So the Board's failure to step in more firmly now — to course-correct — does look like a missed opportunity to tackle a problematic GDPR enforcement bottleneck.
That said, any failure to follow the procedural letter of the law could invite a legal challenge that would unpick any progress. So it's hard to see any quick wins in the glacial game of GDPR enforcement.
Meanwhile, the winners of the stalemate are of course the tech giants who get to continue processing people's data how they choose, with plenty of time to work on reconfiguring their legal, business and system structures to route around any enforcement damage that does eventually come.
Hamburg's deputy commissioner for data protection, Ulrich Kühn, says something not very far off that in a statement reacting to the EDPB's decision:
The European Data Protection Board has taken the decision which is disappointing. The body, which was created to ensure the uniform application of the GDPR throughout the European Union, is missing the opportunity to clearly stand up for the protection of the rights and freedoms of millions of data subjects in Europe. It continues to leave this solely to the Irish supervisory authority. Despite our repeated requests over more than two years to investigate and, if necessary, sanction the matter of data exchanges between WhatsApp and Facebook, the IDPC has not taken any action in this regard. It is a success of our efforts over many years that IDPC is now being urged to conduct an investigation. Nonetheless, this non-binding measure does not do justice to the importance of the issue. It is hard to imagine a case in which, against the background of the risks for the rights and freedoms of a very large number of data subjects and their de facto powerlessness vis-à-vis monopoly-like providers, the urgent need for concrete action is more obvious. The EDPB is thus depriving itself of a crucial instrument for enforcing the GDPR throughout Europe. This is no good news for data subjects and data protection in Europe as a whole.
In further comments the Hamburg authority stresses that the Board was of the opinion that "there are considerable inconsistencies between the information with which WhatsApp users are informed about the very extensive use of their data by Facebook on the one hand, and on the other hand the commitments made by the company to data protection authorities not (yet) to do so"; and also that it "expressed considerable doubts about the legal basis on which Facebook intends to rely when using WhatsApp data for its own or joint processing" — arguing that the Board therefore also shares the "essential parts" of its arguments against WhatsApp-Facebook data sharing.
Despite carrying that weight of argument, the call for action is once again back in Ireland's court.