GDPR Fines - Lessons From WhatsApp and Why Size Really Does Matter

Published by Global Data Review

What lessons can be learned from the recent WhatsApp €225 million fine?

The Irish Data Protection Commission (DPC) fined WhatsApp €225 million on 2 September for infringements of the GDPR's transparency obligations. This is the second-highest GDPR fine so far and was set at this level only after objections from eight supervisory authorities were resolved by the intervention of the European Data Protection Board (EDPB). The DPC originally proposed a much lower fine (€30-50 million), by taking a more lenient view of the offending; adopting a narrow view as to the scope of the economic unit of which WhatsApp was a part; punishing only the most serious infringement; and giving insufficient weight to turnover in the determining whether the fine would be "dissuasive".

The EDPB's binding decision will almost certainly be appealed. For now though, this provides considerable insight into the views of eight supervisory authorities and the EDPB itself on some of the most critical factors in the calculation of GDPR fines.

Background

In December 2018 the DPC commenced an 'own volition' investigation into certain practices of WhatsApp approach to transparency in relation to data sharing (specifically Articles 12, 13 and 14 of GDPR). Although this was an 'own-volition' inquiry, the investigation was prompted by a number of common themes emerging from complaints from individual data subjects. The DPC concluded its investigation, finding that there had been violations and that a financial penalty should be imposed, issuing a draft decision in December 2020 to other Concerned Supervisory Authorities (CSAs) under the GDPR's one-stop-shop for representations. Eight regulators responded (two from Germany, France, Hungary, Italy, Netherlands, Portugal and Poland) expressing objections to both the DPC's approach and the size of the proposed fine.

The unavailability of a single position acceptable to all CSAs triggered the consistency mechanism under Article 65(1)(a) of the GDPR, where the EDPB is brought in to issue a binding decision to resolve the issues between the supervisory authorities.

Nature of the infringements

The WhatsApp infringements involved significant and persistent breaches of the transparency and information provisions in Articles 12, 13 and 14 of GDPR. Significantly, in the view of the EDPB, following the objections from Italy, the DPC was required to add an infringement of one of the core principles of the GDPR (Article 5(1)(a) - lawful, fair and transparent processing) because of the gravity, overarching nature and impact of the infringements of Articles 12-14.

At the heart of the case was WhatsApp's approach to the provision of GDPR transparency information to 'users' of the service and also to 'non-users'. This included information about how data would be shared among other parts of the Facebook group and what legitimate interests existed for doing so. The EDPB described the transparency and information provisions as being fundamental to the rights of data subjects, as without information it is impossible to understand or challenge the actions of data controllers and processors.

In terms of 'users' of the WhatsApp service, estimated to be in the region of 326 million or 63% of the population of the European Economic Area (EEA), only 59% of the required information was provided. For an entity with the resources of WhatsApp, whose business hinges on the processing of personal data, this shortfall was regarded as being highly significant.

The data of 'non-users', amounting to 125 million affected persons or 24% of the EEA, came into focus because of the 'contact' feature of the WhatsApp service. This feature if enabled allows the app access to the user's address book in order to identify other users of the service. WhatsApp collected, processed and shared this data and attempts at anonymisation were not effective. In the case of 'non-users' no information was provided as to how their data would be used. Accordingly, infringements relating to 'non-users' were treated as the most serious.

Guidance on fines - five pivotal factors

It is difficult to overstate the importance the EDPB's decision on how to approach the calculation of fines for GDPR infringements. This is the first time that the central questions posed in Article 83 of the GDPR have been addressed by the EU body designated to achieve consistency in the assessment of financial penalties.

Whilst the whole of the decision is worth careful reading (particularly the analysis of each of the Article 83(2) factors), there are five pivotal questions impacting the scale of fines where we now have clearer guidance (pending of course any appeal process). These are:

1. What role does turnover play in the calculation of fines?
2. By reference to which entities should turnover be calculated?
3. What is the relevant period for the calculation of turnover?
4. What is the correct approach when there are multiple infringements arising from the same processing operations?
5. By what standard should intent or negligence be assessed?

The role of turnover

The answer to the first question is that size or turnover of an undertaking really does matter in assessing the size of the fine. The issue - principally played out in the objections of the federal German supervisory authority and the responses from the DPC - is whether the turnover of an offending entity is relevant only to the maximum allowable fine, or whether it also plays a role in the calculation of the fine itself. The EDPB came down on the side of the German supervisory authority taking the view that the turnover of an undertaking is not exclusively relevant for the determination of the maximum fine amount in accordance with Article 83(4)-(6) GDPR. It may also be considered for the calculation of the fine itself, where appropriate, to ensure the fine is effective, proportionate and dissuasive in accordance with Article 83(1) of the GDPR. The EDPB concluded that, in order to be effective, a fine must reflect all the circumstances of the case. These circumstances not only relate to the specific elements of the infringement, but also those of the controller or processor that committed the infringement, including its financial position. In order to meet the Article 83(1) requirement of being dissuasive, the fine must be large enough to deter even the largest undertakings. Parallels with the field of EU competition law, where turnover related fines are accepted, were considered to be relevant, as with other elements of the EDPB's decision.

Which entities and when?

If turnover is relevant to the fine itself, then the next two questions - how turnover is calculated and what period is applicable - are now extremely important. In answering both of these questions the EDPB again departed from the more lenient approach suggested by the DPC. On the question of which entities count for the purpose of calculating turnover, the DPC took the view that this should be restricted to the turnover of Facebook Inc. and WhatsApp IE only. Relying again on principles of EU competition law, the EDPB decided that instead the total turnover of all component companies within the Facebook group should determine the financial capacity of the single undertaking. In other words, the consolidated turnover of the group headed by Facebook Inc. is the relevant figure - in Facebook's case this is in the region of $80 billion for the 2020 period. Clearly this is significantly greater than the DPC considered appropriate, and signals a warning to global organisations that handle data in the EU that fines are on the increase.

The relevant period for the calculation of turnover is not, as thought by the DPC, to be determined by reference to the date of the infringements, but instead the relevant date is when the final decision is reached by a supervisory authority. Given that a final decision can only be reached after investigations have been completed, after notifications to other concerned supervisory authorities and after (as happened here) the dispute resolution mechanism involving the EDPB has been completed, it follows that a considerable period of time may have elapsed during which turnover may have increased. The event from which to determine the previous year in Article 83(5) is the final fining decision of the supervisory authority. In Facebook's case this means the turnover of the entire group in 2020, which was approximately 15% higher than the 2019 figure used by the DPC in the draft decision.

Multiple infringements from the same processes

The next question of significance relates to the interpretation of Article 83(3) and the issue of how fine levels should be assessed in situations where multiple infringements of the GDPR are generated by similar and simultaneous processing operations. The approach of the DPC was to calculate the fine only by reference to the most serious of the infringements (Article 14), disregarding other less serious breaches. Objections were submitted by Germany, France and Portugal, arguing that it was wrong in principle to reject other infringements as if they had not factually happened, pointing out that if the DPC's approach were followed it would not matter if a controller committed one or numerous infringements of the GDPR, as only one single infringement, the most serious infringement, would be taken into account when assessing the fine. Perhaps unsurprisingly, the EDPB concluded that WhatsApp should be "explicitly found guilty" of each infringement and that the fine, subject to the legal maximum, should take into account each and every infringement. Again, the effect of this decision and this broad interpretation of Article 83(3) will inevitably push fines higher where multiple infringements are involved.

Intent v negligence

The final pivotal decision made by the EDPB relates to the circumstances in which an offender may be viewed as having acted intentionally in the infringements. In this respect the EDPB followed the draft decision of the DPC and concluded that on the available evidence WhatsApp could only be regarded as having been negligent. This view was not shared by all supervisory authorities: Italy and Hungary found it difficult to accept that the conduct was merely negligent, given that WhatsApp had faced a similar investigation in 2012 by the Dutch authorities. They argued that the Dutch investigation ought to have put WhatsApp on notice as to the legality of its processing activities, and the fact that WhatsApp pursued and obtained significant profit from the activities. The EDPB's view involved a restricted interpretation that 'intent' within the meaning of Article 83(2) requires both knowledge that the processing activity infringes the GDPR and a wilfulness to act in a manner that results in infringements. The EDPB noted that some objective elements indicating intentionality need to be present, and that these were not observed in the case of WhatsApp. Furthermore, the EDPB pointed to WhatsApp's efforts towards achieving compliance, including engaging external experts and conducting research as "indicating the absence of a wilfulness to act in breach of the law". These findings will give a considerable degree of comfort to most responsible data controllers and processers who engage in meaningful compliance activities that, save in exceptional circumstances, they will be fined on the basis of negligence only.

What next?

While there is not a great deal of good news for controllers and processors in this decision, it nevertheless does provide some clarity on many of the key topics that influence the level of financial penalty.

Perhaps most critically among these is the way in which the turnover of the undertaking will be taken into account when assessing whether a fine will be of dissuasive effect. It is clear that a pure top down approach focussing on 4% or 2% of turnover as a starting point was rejected. The EDPB instead favoured a hybrid approach - starting with a detailed bottom-up analysis of the Article 83(2) factors combined with an evaluation of the undertaking's financial position as one of the circumstances of the case and in relation to the question of whether a fine would be dissuasive. This approach differs from the top-down approach in the UK Information Commissioner's Office provisional guidance on regulatory action and will almost certainly trigger a re-think.

An important area for future argument remains open by virtue of the EDPB's emphasis on the relationship between financial position of the infringer and dissuasiveness. In Facebook's case turnover and profits were large, and it was in the business of profiting from data. Few organisations have this business model and financial profile. The percentage of turnover required to achieve dissuasiveness will vary considerably from company to company and will depend on its own individual financial circumstances and business model. Ensuring that the full financial circumstances and business model are analysed and evidenced could be critical when determining the size of fines in the future.

That said, any fine imposed must respect the overarching principles in Article 83(1) that any fine must be effective, proportionate and dissuasive. And for a fine to be dissuasive, especially for those who thrive through the processing of data, it must bear some direct relationship to its turnover. In other words size matters

Read the original article here: www.globaldatareview.com