The EDPB adopted its first urgent binding decision pursuant to Art. 66(2) GDPR following a request from the Hamburg supervisory authority (DE-HH SA), after the SA had adopted provisional measures towards Facebook Ireland Ltd (Facebook IE) on the basis of Art. 66 (1) GDPR. The DE-HH SA ordered a ban on processing WhatsApp user data by Facebook IE for their own purposes following a change in the Terms of Service and Privacy Policy applicable to European users of WhatsApp Ireland Ltd.
The EDPB decided that the conditions to demonstrate the existence of an infringement and an urgency are not met. Therefore, the EDPB decided that no final measures need to be adopted by the IE SA against Facebook IE in this case.
Based on the evidence provided, the EDPB concluded that there is a high likelihood that Facebook IE already processes WhatsApp IE user data as a (joint) controller for the common purpose of safety, security and integrity of WhatsApp IE and the other Facebook Companies, and for the common purpose of improvement of the products of the Facebook Companies. However, in the face of the various contradictions, ambiguities and uncertainties noted in WhatsApp’s user-facing information, some written commitments adopted by Facebook IE and WhatsApp IE’s written submissions, the EDPB concluded that it is not in a position to determine with certainty which processing operations are actually being carried out and in which capacity.
In addition, there was not enough information to establish with certainty whether Facebook IE already started to process WhatsApp IE user data as a (joint) controller for its own purposes of marketing communications and direct marketing, and cooperation with the other Facebook Companies. Nor could it be established whether Facebook IE already started or will soon start processing WhatsApp IE user data as a (joint) controller for its own purpose in relation to WhatsApp Business API.
On the existence of urgency, the EDPB considered that Art. 61(8) GDPR was not applicable as the DE-HH SA did not demonstrate that the IE SA failed to provide information in the context of a formal request for mutual assistance under Article 61 GDPR. Moreover, the EDPB decided that the adoption of the Updated Terms, which contain similar problematic elements as the previous version, cannot, on its own, justify the urgency for the EDPB to order the LSA to adopt final measures under Article 66(2) GDPR. The EDPB therefore considered that there is no urgency for the LSA to adopt final measures in this case.
Considering the high likelihood of infringements in particular for the purpose of safety, security and integrity of WhatsApp IE and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies, the EDPB considered that this matter requires swift further investigations. In particular to verify if, in practice, Facebook Companies are carrying out processing operations which imply the combination or comparison of WhatsApp IE’s user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated inter alia by the use of unique identifiers. For this reason, the EDPB requests the IE SA to carry out, as a matter of priority, a statutory investigation to determine whether such processing activities are taking place or not, and if it is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR.
In addition, taking into consideration the lack of information as regards how data are processed for marketing purposes, cooperation with the other Facebook Companies and in relation to WhatsApp Business API, the EDPB calls upon the IE SA to further investigate the role of Facebook IE, i.e. whether Facebook IE acts a processor or as a (joint controller), with respect to these processing operations.
Next steps:
This urgent binding decision was addressed to the IE SA, the DE-HH SA and the other concerned SAs, and Facebook IE and WhatsApp IE have been informed about this urgent binding decision.
The urgent binding decision will be made public on the EDPB website after the assessment on whether some parts of the decision need to be redacted in order to avoid disclosure of information covered by professional secrecy.
This current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties.
Note to editors:
What is Art. 66 GDPR?
In exceptional circumstances, when a supervisory authority considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects within its territory, it can adopt provisional measures that have a legal effect on their own territory for a maximum of three months.
These measures are adopted by way of derogation from the GDPR's consistency mechanism (Art. 63 GDPR) or the One-Stop-Shop mechanism (Art.60 GDPR). In this case, Art. 66 GDPR enables supervisory authorities to immediately adopt provisional measures.
The supervisory authority that issues such provisional measures must communicate these measures and the reasons for adopting them without undue delay to the other supervisory authorities concerned, the European Data Protection Board and the European Commission.
If the supervisory authority that has taken such provisional measures considers that final measures need to be adopted urgently, it can request an urgent opinion or an urgent binding decision from the EDPB, providing the reasons for the urgent need to order the adoption of final measures by derogation to the standard cooperation and consistency procedures.