WhatsApp Decision: End of Impunity for GAFAM in Europe?
Legal Watch No. 38 – August 2021
In a previous news item, we reported on the difficulties in reaching agreement at European level regarding the implementation of the General Data Protection Regulation.
The Irish regulator's recent decision regarding WhatsApp demonstrates further progress in the cooperation between supervisory authorities established by the GDPR.
The administrative fine of 225 million euros imposed on WhatsApp on September 2 by Ireland follows several twists and turns within the European Data Protection Board (EDPB).
Under the dispute resolution procedure provided for in Article 65 of the GDPR, the Committee forced Ireland to review its conclusions: it thus had to broaden the elements of the offense, significantly increase the amount of the fine and shorten the deadlines granted to WhatsApp to comply with the decision.
In calculating the fine, the Committee considered that not only the turnover of WhatsApp, but also that of its parent company, Facebook, should be taken into account.
It also considered that in the event of multiple infringements for the same data processing, the infringements should be added together – while remaining below the ceiling of 4% of turnover provided for by the GDPR.
It should be noted that the fine, as substantial as it may seem, represents only 0.08% of Facebook's turnover, which is thought-provoking when you consider that the Irish authorities were initially planning a fine of 50 million euros.
Let us remember that the Luxembourg data protection authority fined Amazon €746 million in early August, the largest fine ever imposed under the GDPR.
The main issue of the investigation was whether WhatsApp was complying with its information obligations towards its users, as well as non-users whose data is also collected.
The information notices were deemed complex, making it impossible to properly understand the legitimate interests pursued by the company.
The use of the "access to contacts" functionality by users is completely opaque to the said contacts, whose data is processed even though they themselves do not necessarily use the application.
In addition to a breach of Articles 12, 13 and 14 of the GDPR regarding the information obligations, the Committee thus concludes that the violations are sufficiently serious to constitute a breach of Article 5(1)(a) of the GDPR regarding the general principle of transparency.
The decision of the Irish authority, reinforced by the Committee, constitutes a useful milestone for data controllers with regard to the information obligations of the GDPR.
The following guidelines are retained:
– Avoid scattering information across different pages that require the user to click on multiple links, as well as endless drop-down menus; concentrate the information in one place.
– Describe the processing operations, the data collected and the legal basis for each identified purpose.
Also specify this information for each third party having access to the data.
Displaying these different elements in tabular form can help to clearly understand them.
– Make the information concerning "non-users" available in a separate and easily accessible manner.
– Specify the circumstances under which the data will be retained / deleted, with concrete illustrations.
– Indicate the legal basis allowing the transfer of data outside the European Union, specifying, if there is no adequacy decision, the alternative legal basis.
A generic reference to a European Commission web page is not sufficient.
And also
France:
The CNIL is continuing its compliance actions regarding cookies.
It issued a second series of formal notices during the summer, against several online sales players, major digital economy platforms, local authorities and the banking sector.
On July 27 it also sanctioned the Figaro company, which paid 50,000 euros for depositing advertising cookies without the consent of Internet users.
It takes this opportunity to recall the division of responsibility between site publishers and their commercial partners.
A computer flaw has made accessible the personal data of around 700,000 people who took a Covid test.
This security breach highlights the varying reliability of the transfer services used by pharmacists to feed the government's SI-DEP platform.
While the SI-DEP platform itself is secure, not all middleware is.
The General Directorate of Health (DGS) sent an email to pharmacists to remind them of the software approved and compatible with SI-DEP.
The one from Francetest, identified in the flaw made public on August 31, was not part of it.
As the school year begins, the CNIL recalls the requirements to be met when biometrics are used in schools.
It examines hand contour recognition for access to school canteens, and outlines the requirements for information, consent and data security.
It adds that refusing the processing of biometric data, and therefore accessing the canteen by another means, must not cause harm to the student concerned.
Europe:
Consumer credit: The European Data Protection Supervisor (EDPS) published an opinion on the European Commission's proposed Directive on 26 August.
The opinion is prompted by new methods of credit assessment using digital technologies.
While such assessments are essential for granting credit to the consumer, the EDPS requests that certain data be excluded from the assessment procedures.
In addition to health and social media data, the EDPS wants the ban to be extended to all sensitive data (for example, concerning religion and political opinions) as well as Internet users' browsing data.
The Supervisor also points out the need to better regulate the role of third parties providing credit analysis services, and the certification of artificial intelligence systems in this sector.
Facial recognition: The Council of Europe has published guidelines aimed at providing a set of reference measures for governments, facial recognition developers, manufacturers, service providers and entities using facial recognition technologies.
The aim is to ensure that when they are deployed they do not infringe on human dignity, human rights and fundamental freedoms, including the right to the protection of personal data.
Italy: The Data Protection Authority (Garante) has fined Deliveroo €2.5 million for non-transparent use of an algorithm to manage its delivery drivers, and disproportionate collection of their personal data in violation of the principles of lawfulness, transparency, minimization and limitation of the GDPR.
International:
The People's Republic of China adopted on August 20 a law on the protection of personal information (PIPL).
This law will come into force on November 1, 2021.
It aims not only to protect individual data, but also state security and the country's economic interests with regard to GAFAM.
The law contains strict obligations regarding local data storage and restrictions on international transfers.
The Taliban's takeover of Afghanistan also has repercussions in the area of data protection.
Multiple files, including those managed by the Ministries of the Interior and Defense, reportedly contain particularly sensitive information.
The data concerned includes police and army data on half a million people: surname, first name, but also identification number linked to a biometric profile, career data and family relationships, as well as the personal data of two "elders" from tribes, who act as guarantors during recruitment.
All this information, when it changes hands, can help map connections between local communities and ethnic groups.