WhatsApp Inquiry – Impact of Regulatory Corrective Powers

The Irish Data Protection Commission (Irish DPC) announced on 2 September 2021 that it had imposed a fine of EUR 225 million on WhatsApp Ireland Limited ('WhatsApp') for failing to properly explain to individuals how it was using their personal data. The Irish DPC also exercised its corrective powers and ordered WhatsApp to undertake a number of remedial actions to bring its processing into compliance with the EU General Data Protection Regulation (GDPR). It should be noted that, in arriving at the fine and the remedial orders, the Irish DPC was required to reassess its initial draft decision under the GDPR's dispute resolution mechanism (Article 65), after other EU Member State supervisory authorities raised concerns about the number of infringements identified and the quantification of the proposed fine (initially set at EUR 30 to 55 million).

Remedial orders under the GDPR

Readers are reminded that, under the GDPR, infringement can have significant consequences, with administrative fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. The lesser-publicised weapon in the armoury of the supervisory authorities is the power under Article 58(2) to order organisations to bring their processing operations into compliance with the GDPR and, where necessary, to impose a temporary or definitive limitation on processing, up to and including an outright ban. The significance of this should not be underestimated.

The Irish DPC’s WhatsApp Enforcement Action

As well as imposing the monetary penalty, the Irish DPC ordered WhatsApp to undertake nine remedial actions to bring its operations into compliance with the GDPR, giving it three months from the date of the order to complete them. These actions centre on the information communicated to individuals about the use of their personal data through the privacy notice. A table detailing these actions can be found at Annex 1.

The privacy notice is the primary channel through which an organisation tells individuals how their personal data is collected and processed and how they can exercise their rights. Changes to it can therefore meaningfully affect whether personal data can be collected and how it is used. For example, the third remedial action mandated by the Irish DPC concerns the information given about the legitimate interests relied on as a legal basis. Similarly, the first remedial action requires non-users of WhatsApp to be informed of the processing of their personal data. Without that information, an individual will find it difficult to object to the processing, or even to be aware that their personal data is being processed.

Taking the two examples above, it can be argued that a remedial order is as impactful as, if not more impactful than, a monetary penalty. A monetary penalty may, in some circumstances, be offset by the commercial advantages gained through a liberal interpretation of the requirements or through lapses in compliance. A remedial order, by contrast, can fundamentally alter the way in which personal data is collected and processed, and with it the commercial viability of the business model and its operating costs. This changes the cost-impact equation for non-compliance.

A Survey of Remedial Orders

Corrective powers have also been applied outside Europe. In July 2019 the Federal Trade Commission (FTC) announced a $5 billion settlement with Facebook, Inc. over the way it communicated to users about their ability to control the privacy of their personal information. In addition to the penalty, Facebook became subject to numerous requirements under the FTC order, a subset of which is reproduced below; they must remain in place for a period of 20 years.

  • Appointment of an independent privacy committee;
  • Appointment of an independent third-party assessor to evaluate the effectiveness of the privacy programme and report to the privacy committee;
  • Quarterly reviews to ensure compliance with the FTC order, with an annual certification exercise;
  • A privacy review of every new or modified product before it is implemented, with decisions about user privacy documented; and
  • Documentation of, and reports to the FTC and the third-party assessor on, any data breach affecting over 500 users, within 30 days of the incident.

Arguably, the cost of complying with the FTC order is likely to be more burdensome than the $5 billion penalty itself, given the breadth of the requirements, their impact on new and existing products and services, and the appointment of independent third parties.

Remedial orders have also been used in China. In May 2020, the Ministry of Industry and Information Technology (MIIT) ordered the removal of over 90 applications from various app stores for over-collection of personal information. In July 2021 the Cyberspace Administration of China (CAC) halted downloads of the ride-hailing app Didi over the alleged illegal collection of users' personal data. Furthermore, the Personal Information Protection Law (PIPL), due to come into force on 1 November 2021, empowers the CAC to order the suspension or termination of data processing operations where violations occur, as well as to impose monetary penalties.

Summary

The use of remedial orders by regulatory authorities shows that the penalties for breaches of privacy regulation are not purely financial. When evaluating the risks connected to privacy regulation, companies should look beyond financial penalties to the business impact that a remedial order can bring, and incorporate this into their risk management frameworks.

The following practical takeaways derive from the enforcement mechanisms examined in this article.

  • The privacy notice should be treated as the organisation's public disclosure of how it collects and uses personal data. It is therefore imperative that the content of the notice accurately reflects the actual processing operations.
  • Privacy notices should be periodically reviewed to ensure that they remain accurate and up to date, and cross-referenced against the organisation's Records of Processing Activities (RoPA) so that changes are incorporated in a joined-up way as and when required.
  • Consider linking privacy notices to the RoPA for ease of reference when future updates are required, including a record of the channels in which each privacy notice is used, e.g. website, mobile applications, customer portals.
  • Ensure record-keeping and version control processes are in place to document and evidence when and why changes were made to privacy notices.
  • A robust privacy impact assessment and privacy-by-design culture, including consultation with the privacy function during business change activities, can identify at the development stage whether new or amended privacy notices are required. This helps to avoid having to re-engineer or discontinue products or services affected by regulatory corrective action.

A&M: Leadership. Action. Results.

A&M’s privacy and data protection professionals have extensive operations and advisory experience together with a proven track record in leading businesses through tough, complex situations. To learn more about our expertise and to understand the full scope of our services, please get in touch with one of our authors.

Authors:

Robert Grosvenor, Managing Director (rgrosvenor@alvarezandmarsal.com)
Matthew Negus, Senior Director (mnegus@alvarezandmarsal.com)
Stephen Miller, Manager (smiller@alvarezandmarsal.com)
Christopher Woodhead, Associate (cwoodhead@alvarezandmarsal.com)

Annex 1 – Remedial Actions Required

Table derived from Appendix C, pages 264 and 265, of the DPC's decision. The "Additional Information" column refers to the paragraphs of the decision that underpin each action.

Action # | Action Required | Additional Information
1 | Ensure that non-users of WhatsApp are informed of the processing of their personal data | Paragraphs 163, 164, 166 and 167
2 | Clearly define the purposes of processing | Paragraphs 301 to 302; 325 to 399 and 539 to 592
3 | Where legitimate interests is used as a legal basis, clearly define the interests pursued | Paragraphs 411 to 416 and 539 to 592
4 | Where there are recipients or categories of recipients, clearly define those recipients | Paragraphs 422 to 434 and 539 to 592
5 | Where there are international data transfers, clearly set out the safeguards applied | Paragraphs 443 to 457
6 | Clearly define the period for which personal data will be stored, or the criteria used to determine that period | Paragraphs 464 to 476
7 | Where processing is based on consent, state that the right to withdraw consent exists and clearly define the consequences of withdrawal | Paragraphs 486 to 496
8 | Where processing is based on statutory or contractual requirements, clearly state whether the individual is required to provide the information | Paragraphs 507 to 520
9 | Refer to the right to lodge a complaint with the supervisory authority in the 'How You Exercise Your Rights' section of the Privacy Policy | N/A