
EDPB - Binding Decision No 01/2021 adopted on 28 July 2021 concerning Ireland and the company WHATSAPP IRELAND

Original text extracted from the site edpb.europa.eu.

Binding decision 1/2021 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR

Adopted on 28 July 2021

The European Data Protection Board

Having regard to Article 63 and Article 65(1)(a) of the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”)[1],

Having regard to the EEA Agreement and in particular to Annex XI and Protocol 37 thereof, as amended by the Decision of the EEA joint Committee No 154/2018 of 6 July 2018[2],

Having regard to Article 11 and Article 22 of its Rules of Procedure,

Whereas:

(1) The main role of the European Data Protection Board (hereinafter the “EDPB” or the “Board”) is to ensure the consistent application of the GDPR throughout the EEA. To this effect, it follows from Article 60 GDPR that the lead supervisory authority shall cooperate with the other supervisory authorities concerned in an endeavour to reach consensus, that the LSA and CSAs shall exchange all relevant information with each other, and that the LSA shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. The LSA shall without delay submit a draft decision to the other CSAs for their opinion and take due account of their views.

(2) Where any of the CSAs expressed a reasoned and relevant objection (“RRO”) on the draft decision in accordance with Article 4(24) and Article 60(4) GDPR and the LSA does not intend to follow the RRO or considers that the objection is not reasoned and relevant, the LSA shall submit this matter to the consistency mechanism referred to in Article 63 GDPR.

(3) Pursuant to Article 65(1)(a) GDPR, the EDPB shall issue a binding decision concerning all the matters which are the subject of the RROs, in particular whether there is an infringement of the GDPR.

(4) The binding decision of the EDPB shall be adopted by a two-thirds majority of the members of the EDPB, pursuant to Article 65(2) GDPR in conjunction with Article 11(4) of the EDPB Rules of Procedure, within one month after the Chair and the competent supervisory authority have decided that the file is complete. The deadline may be extended by a further month, taking into account the complexity of the subject-matter upon decision of the Chair on its own initiative or at the request of at least one third of the members of the EDPB.

(5) In accordance with Article 65(3) GDPR, if, in spite of such an extension, the EDPB has not been able to adopt a decision within the timeframe, it shall do so within two weeks following the expiration of the extension by a simple majority of its members.

HAS ADOPTED THE FOLLOWING BINDING DECISION

1 SUMMARY OF THE DISPUTE

1. This document contains a binding decision adopted by the EDPB in accordance with Article 65(1)(a) GDPR. The decision concerns the dispute arisen following a draft decision (hereinafter “Draft Decision”) issued by the Irish supervisory authority (“Data Protection Commission”, hereinafter the “IE SA”), also referred to in this context as the lead supervisory authority or “LSA” and the subsequent objections expressed by a number of concerned supervisory authorities or “CSAs”, namely: the Federal German supervisory authority (“Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit”), hereinafter the “DE SA”; the German supervisory authority for Baden-Württemberg (“Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg”), hereinafter the “DE BW SA”; the French supervisory authority (“Commission Nationale de l’Informatique et des Libertés”), hereinafter the “FR SA”; the Hungarian supervisory authority (“Nemzeti Adatvédelmi és Információszabadság Hatóság”), hereinafter the “HU SA”; the Italian supervisory authority (“Garante per la protezione dei dati personali”), hereinafter the “IT SA”; the Dutch supervisory authority (“Autoriteit Persoonsgegevens”), hereinafter the “NL SA”; the Polish supervisory authority (“Urząd Ochrony Danych Osobowych”), hereinafter the “PL SA”; the Portuguese supervisory authority (“Comissão Nacional de Proteção de Dados”), hereinafter the “PT SA”. The Draft Decision at issue relates to an “own-volition inquiry” (hereinafter, the “Inquiry”) which was commenced by the IE SA on 10 December 2018 concerning whether WhatsApp Ireland Limited, a company with its single establishment located in Dublin, Ireland (hereinafter, “WhatsApp IE”), complied with its obligations pursuant to Articles 12, 13 and 14 GDPR.

2. The Inquiry of the IE SA was limited to WhatsApp IE’s consumer services and does not relate to the “WhatsApp for Business” service[3]. The decision of the IE SA to commence the Inquiry was prompted by the common theme running across a number of complaints received from individual data subjects (both users and non-users[4]) concerning the data processing activities of WhatsApp IE and a mutual assistance request pursuant to Article 61 GDPR from the DE SA, i.e. concerns about transparency[5]. It was however clarified by the IE SA that this inquiry was an own-volition inquiry and did not concern any specific or individual complaint, concern or request, and that those were not taken into account for the purposes of the Inquiry in circumstances where they are subject to separate complaint handling processes[6].

3. The IE SA stated in its Draft Decision that it was satisfied that the IE SA is competent to act as the lead supervisory authority, within the meaning of the GDPR, for the purpose of the cross-border processing activities carried out by WhatsApp IE[7].

4. The following table presents a summary of the events part of the procedure leading to the submission of the matter to the consistency mechanism.

December 2018 - September 2019

The specific procedure followed by the IE SA in this particular Inquiry involved an assessment, firstly, by an investigator within the IE SA (hereinafter, the “Investigator”).

The scope and legal basis of the Inquiry were set out in the notice of commencement of inquiry that was sent to WhatsApp IE on 10 December 2018.

Following exchanges of information and views with WhatsApp IE, the Investigator recorded the proposed findings in a draft inquiry report dated 30 May 2019. WhatsApp IE responded to the content of the draft inquiry report via submissions dated 1 July 2019.

The Investigator issued the final inquiry report (“Final Report”) on 9 September 2019 and passed it on together with the inquiry file to the IE SA’s Decision-Maker, who is responsible for deciding on the existence of infringement(s) of the GDPR as well as on the possible use of corrective powers (hereinafter, the “Decision-Maker”).

October 2019 - October 2020

The IE SA notified WhatsApp IE of the commencement of the decision-making stage on 4 October 2019.

The IE SA shared a Preliminary Draft Decision recording its preliminary views on the existence of one or more GDPR infringements with WhatsApp IE on 21 May 2020.

The IE SA shared a Supplemental Draft Decision on the possible use of corrective powers with WhatsApp IE on 20 August 2020. WhatsApp IE provided submissions in relation to the Preliminary Draft Decision (“WhatsApp Preliminary Draft Submissions”) on 6 July 2020 and in relation to the Supplemental Draft Decision (“WhatsApp Supplemental Draft Submissions”) on 1 October 2020. Both sets of submissions were taken into account by the IE SA when finalising the final versions of the Preliminary and Supplemental Draft Decisions and combining them into the Final Draft Decision (hereinafter, the “Draft Decision”).

December 2020 - January 2021

The Draft Decision was circulated to the CSAs on 24 December 2020.

A number of objections were raised by the CSAs pursuant to Article 60(4) GDPR (specifically, by the DE SA, DE BW SA, FR SA, HU SA, IT SA, NL SA, PL SA and PT SA). Several comments were also exchanged.

January 2021 - March 2021

The IE SA assessed the objections and comments received and invited WhatsApp IE to provide submissions in relation to a specific subset of objections raised concerning the effectiveness of a specific anonymisation process. These submissions were provided by WhatsApp IE on 10 March 2021.

April 2021

The IE SA issued its replies to the objections, including suggestions for compromise positions, and shared them with the CSAs within a single document (hereinafter, “IE SA Composite Response”) on 1 April 2021. WhatsApp IE’s submissions concerning the anonymisation process were also shared with the CSAs on the same date. The IE SA requested the relevant CSAs to share their views by 20 April 2021. Upon request of the NL SA, the IE SA shared with the CSAs on 19 April 2021 a provisionally revised version of Part 1 of the Draft Decision, to provide more clarity as to how the suggestions for compromise positions could be translated into practice.

Within its reply to the IE SA Composite Response, the IT SA withdrew one of its objections. According to the IE SA, the replies of the CSAs made it clear that no single proposed compromise position was agreeable to all of the relevant CSAs. The IE SA decided to not follow any of the objections and to refer them to the EDPB for determination pursuant to Article 65(1)(a) GDPR.

On 23 April 2021 WhatsApp IE was invited to exercise its right to be heard in respect of all the material that the IE SA proposed to refer to the Board, and on 28 May 2021 it provided its submissions (the “WhatsApp Article 65 Submissions”).

5. The IE SA triggered the dispute resolution process using the Internal Market Information system (IMI)[8] on 3 June 2021. Following the submission by the LSA of this matter to the EDPB in accordance with Article 60(4) GDPR, the EDPB Secretariat assessed the completeness of the file on behalf of the Chair of the EDPB in line with Article 11(2) of the EDPB Rules of Procedure. The EDPB Secretariat contacted the IE SA asking for additional documents and information to be submitted in IMI and requesting the IE SA to confirm the completeness of the file. The IE SA provided the documents and information and confirmed the completeness of the file. A matter of particular importance that was scrutinised by the EDPB Secretariat was the right to be heard, as required by Article 41(2)(a) of the Charter of Fundamental Rights. On 11 June 2021, the Secretariat contacted the IE SA with additional questions in order to confirm, inter alia, whether WhatsApp IE had been given the opportunity to exercise its right to be heard regarding all the documents that were submitted to the EDPB for making its decision. On the same day, the IE SA confirmed that this was the case, also providing a confirmation as to all the documents in respect of which the company had exercised its right to be heard and further evidence of the correspondence between WhatsApp IE and the IE SA[9]. Further details on this are available in Section 3 below.

6. On 14 June 2021, after the IE SA and the Chair of the EDPB confirmed the completeness of the file, the EDPB Secretariat circulated the file to the EDPB members.

7. The Chair of the EDPB decided, in compliance with Article 65(3) GDPR in conjunction with Article 11(4) of the EDPB Rules of Procedure, to extend the default timeline for adoption of one month by a further month on account of the complexity of the subject-matter.

2 CONDITIONS FOR ADOPTING A BINDING DECISION

8. The general conditions for the adoption of a binding decision by the EDPB are set forth in Articles 60(4) and 65(1)(a) GDPR[10].

2.1 Objection(s) expressed by CSA(s) in relation to a draft decision

9. The EDPB notes that CSAs raised objections to the Draft Decision via the internal information and communication system mentioned in Article 17 of the EDPB Rules of Procedure. The objections were raised pursuant to Article 60(4) GDPR.

10. More specifically, objections were raised by CSAs in relation to the following matters: the infringement of Article 13(1)(d) GDPR; the conclusion reached in the Draft Decision as to the qualification of non-users’ data subject to a specific process as anonymised data, and the consequences of a different qualification thereof; the absence of finding an infringement of Article 13(2)(e) GDPR; the scope of the inquiry and/or potential additional infringements of the GDPR; the compliance order set forth by the IE SA; the calculation of the proposed fine, and specifically: preliminary matters, the interpretation of Article 83(3) GDPR, and the consideration of the factors listed by Article 83(1) and (2) GDPR.

2.2 The LSA does not follow the relevant and reasoned objections to the draft decision or is of the opinion that the objections are not relevant or reasoned

11. On 1 April 2021, the IE SA provided to the CSAs a Composite Response, setting out the IE SA’s assessment on the objections raised by the CSAs, including whether it considered them to be “relevant and reasoned”, and suggesting some compromise positions.

12. In the context of its reply to the IE SA Composite Response, the IT SA withdrew one of its objections since it considered the explanations provided by the IE SA in the Composite Response to be persuasive. This objection is therefore not considered to be part of the dispute at hand.

13. According to the IE SA, the responses received from the CSAs in relation to the remaining objections showed that there was no single proposed compromise position that was agreeable to all of the relevant CSAs. In accordance with Article 60(4) GDPR, the IE SA submitted the matter to the EDPB under the consistency mechanism for dispute resolution pursuant to Article 65(1)(a) GDPR. The IE SA clarified in its Letter to the EDPB Secretariat concerning the Article 65 GDPR referral of the dispute to the EDPB[11] that it decided not to “follow” the objections raised by the CSAs.

2.3 Conclusion on the competence of the EDPB

14. The case at issue fulfils the elements listed by Article 65(1)(a) GDPR, since several CSAs raised objections to a draft decision of the LSA pursuant to Article 60(4) GDPR, and the LSA did not follow the objections or rejected them as not relevant or reasoned.

15. The EDPB is therefore competent to adopt a binding decision, which shall concern all the matters which are the subject of the relevant and reasoned objection(s), in particular whether there is an infringement of the GDPR[12].

3 THE RIGHT TO GOOD ADMINISTRATION

16. The EDPB is subject to Article 41 of the EU Charter of fundamental rights (right to good administration). This is also reflected in Article 11(1) EDPB Rules of Procedure[13]. Further details were provided in the EDPB Guidelines on Article 65(1)(a) GDPR[14].

17. Article 65(2) GDPR provides that the EDPB’s decision “shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them”. Article 65(2) GDPR reflects the fact that the binding decision of the EDPB aims to resolve a dispute that has emerged between two or more national supervisory authorities[15]. It does not aim to address any third party directly. However, as the decision adopted by the EDPB shall be binding on the LSA in this case and can be decisive for the outcome of the procedure at national level, it may affect the interests of persons who were part of the procedure that gave rise to the draft decision, such as the controller who is addressed by the final decision of the LSA[16].

18. In order to address the possibility that WhatsApp IE might be adversely affected by the EDPB decision, the EDPB assessed if it was offered the opportunity to exercise its right to be heard in relation to the procedure led by the LSA and in particular whether WhatsApp IE was given the opportunity to make its views effectively known in relation to the subject matter of the dispute to be resolved by the EDPB, as well as all documents received in this procedure to be taken into account by the EDPB to take its decision[17].

19. Considering that WhatsApp IE has been heard by the IE SA in relation to the subject matter of the dispute to be resolved by the EDPB, as well as all documents received in this procedure and used by the EDPB to take its decision, including the objections raised in relation to the draft decision[18], and the LSA has shared with the EDPB the written observations of WhatsApp IE, in line with Article 11(2) EDPB Rules of Procedure[19], in relation to the issues raised in this specific Draft Decision, the EDPB is satisfied that Article 41 of the EU Charter of fundamental rights has been respected.

4 STRUCTURE OF THE BINDING DECISION

20. For each of the objections raised, the EDPB assesses first whether they are to be considered as a “relevant and reasoned objection” within the meaning of Article 4(24) GDPR as clarified in the Guidelines on the concept of a relevant and reasoned objection[20].

21. Where the EDPB finds that an objection does not meet the requirements of Article 4(24) GDPR, the EDPB does not take any position on the merit of any substantial issues raised by that objection in this specific case. The EDPB will analyse the merits of the substantial issues raised by all objections it deems to be relevant and reasoned[21].

22. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSA(s).

5 ON THE INFRINGEMENTS OF THE GDPR FOUND BY THE LSA

5.1 On the findings of an infringement of Article 13(1)(d) GDPR on information about the legitimate interests pursued by the controller or by a third party

5.1.1 Analysis by the LSA in the Draft Decision

23. In its Draft Decision, the IE SA analysed the information provided by WhatsApp IE insofar as it refers to reliance on the legal basis set out in Article 6(1)(f) GDPR in the context of assessing compliance with Article 13(1)(c) GDPR[22]. The IE SA then also assessed the information against the requirements of Article 13(1)(d) GDPR[23]. The IE SA identified the excerpts of the Legal Basis notice with regard to the legal basis set out in Article 6(1)(f) GDPR (legitimate interests) as follows[24]:

“The other legal bases we rely on in certain instances when processing your data are: …

Our legitimate interests or the legitimate interests of a third party, where not outweighed by your interests or fundamental rights and freedoms ("legitimate interests"):

For people under the age of majority (under 18, in most EU countries) who have a limited ability to enter into an enforceable contract only, we may be unable to process personal data on the grounds of contractual necessity. Nevertheless, when such a person uses our Services, it is in our legitimate interests:

- To provide, improve, customize, and support our Services as described in Our Services;

- To promote safety and security; and

- To communicate with you, for example, on Service-related issues.

The legitimate interests we rely on for this processing are:

- To create, provide, support, and maintain innovative Services and features that enable people under the age of majority to express themselves, communicate, discover, and engage with information and businesses relevant to their interests, build community, and utilize tools and features that promote their well-being;

- To secure our platform and network, verify accounts and activity, combat harmful conduct, detect and prevent spam and other bad experiences, and keep our Services and all of the Facebook Company Products free of harmful or inappropriate content, and investigate suspicious activity or violations of our terms or policies and to protect the safety of people under the age of majority, including to prevent exploitation or other harms to which such individuals may be particularly vulnerable.

For all people, including those under the age of majority:

- For providing measurement, analytics, and other business services where we are processing data as a controller. The legitimate interests we rely on for this processing are:

  - To provide accurate and reliable reporting to businesses and other partners, to ensure accurate pricing and statistics on performance, and to demonstrate the value our partners realise using our Services; and

  - In the interests of businesses and other partners to help them understand their customers and improve their businesses, validate our pricing models, and evaluate the effectiveness and distribution of their services and messages, and understand how people interact with them on our Services.

- For providing marketing communications to you. The legitimate interests we rely on for this processing are:

  - To promote Facebook Company Products and issue direct marketing.

- To share information with others including law enforcement and to respond to legal requests. See our Privacy Policy under Law and Protection for more information. The legitimate interests we rely on for this processing are:

  - To prevent and address fraud, unauthorised use of the Facebook Company Products, violations of our terms and policies, or other harmful or illegal activity; to protect ourselves (including our rights, property or Products), our users or others, including as part of investigations or regulatory inquiries; or to prevent death or imminent bodily harm.

- To share information with the Facebook Companies to promote safety and security. See our Privacy Policy under "How We Work with Other Facebook Companies" for more information. The legitimate interests we rely on for this processing are:

  - To secure systems and fight spam, threats, abuse, or infringement activities and promote safety and security across the Facebook Company Products.”

24. As to the manner of providing such information, the Draft Decision pointed out that it was provided by way of a series of bullet points, under identified objectives, and that in this way the user can clearly identify which legitimate interests are being pursued under each identified objective[25].

25. The Investigator expressed the view that the Article 13(1)(d) GDPR requirement was: “a cumulative requirement, which results in Articles 13(1)(c) and 13(1)(d) operating together to place upon the data controller a requirement to set out the purposes of the processing in relation to the legitimate interests legal basis, along with the legitimate interests being pursued in carrying out the processing operations”[26].

26. The Investigator proposed a finding of an infringement of Article 13(1)(d) GDPR along with the finding of an infringement of Article 13(1)(c) GDPR[27]. At the decision-making stage, the IE SA adopted a more formulaic approach (compared to the investigation stage[28]) to the assessment of the extent to which WhatsApp IE complied with the requirements of Article 13 GDPR by individually assessing the information provided against the requirements of each paragraph of Article 13 GDPR. By reference to this approach, the Decision-Maker made a finding of non-compliance with Article 13(1)(c) GDPR, but rejected a finding of an infringement of Article 13(1)(d) GDPR. The Draft Decision acknowledged that the objectives need to be detailed with greater specificity, within the assessment of compliance with Article 13(1)(c) GDPR[29].

27. In the Draft Decision, the IE SA noted that the information itself has been provided in a meaningful manner allowing the user to understand the legitimate interests being pursued. The IE SA found that there was sufficient clarity as to whether the legitimate interests being pursued were those of WhatsApp IE or of a third party, since the information provided included indications as to the “owner” of the legitimate interests (e.g. “…it is in our legitimate interests…”)[30].

28. In the Draft Decision, the IE SA explained that WhatsApp IE has fully complied with its obligations under Article 13(1)(d) GDPR and considered the information provided to be clear and transparent and to provide the data subject with a meaningful overview of the legitimate interests being relied upon when processing their personal data[31].

5.1.2 Summary of the objections raised by the CSAs

29. The DE SA raised an objection stating that the Draft Decision does not appropriately address the infringement of Article 13(1)(d) GDPR. The objection claims that the Draft Decision fails to examine the question whether the content of the description of each legitimate interest provided by WhatsApp IE is clear and understandable enough for adult data subjects under Article 13(1)(d) GDPR, since the IE SA mainly concentrated on whether the information is clear enough for children. According to the DE SA, it is not sufficient to rely on a variety of different legitimate interests and to present these in an abstract manner. Rather, the controller also needs to make sure that the description of the legitimate interests is clear and transparent enough for the data subject to understand. The DE BW SA raised an objection which merely expressed support for the objections raised by the DE SA.

30. In its objection, the PL SA argues that “a nonspecific reference to a widely understood controller’s ‘legitimate interest’ or ‘interests of business and other partners’ does not meet [the] requirement” of Article 13(1)(d) GDPR. According to the PL SA, the Transparency Guidelines[32] explicitly state that, in order to fulfil the obligations stipulated in Article 13(1)(d) GDPR, the controller has to describe “the specific interest”. Furthermore, it is unclear which legitimate interest of which third parties is being described[33].

31. The objection raised by the IT SA refers to a lack of clarity in the information provided, which conflates the purposes of the processing of the personal data with the legitimate interests referred to in relation to the processing of such personal data, without any specific information being provided as to the processing involved. It is also argued that the language used with regard to the legitimate interests impacting people under the age of majority is not appropriate since the vocabulary, tone and style of the information utilised in the relevant section are not different from those of the remaining sections.

5.1.3 Position of the LSA on the objections

32. As mentioned, the final position of the IE SA was that of not following these objections[34]. In its Composite Response, concerning all three objections, the IE SA noted that the subject-matter of the objections is within the scope of Article 4(24) GDPR. The IE SA considered, however, that the objections are not sufficiently reasoned, at least not enough to reverse its position from the Draft Decision, given that it is required to support its findings with an adequate explanation of the supporting rationale[35]. The IE SA also argued that it was incumbent upon the objecting CSAs to adequately support their different conclusions to allow the LSA to consider replacing its views and rationale with those of the CSA.

33. With regard to the objection of the DE SA, the IE SA considered that because it is not sufficiently reasoned, the objection of the DE SA would introduce an unnecessary and unacceptable element of risk, as regards the defensibility of such amended finding in the event of a legal challenge before the Irish Courts[36].

34. Concerning the objection of the PL SA, the IE SA argued that the findings of the Investigator cannot be reinstated as this would create a position whereby WhatsApp IE is found to have infringed Article 13 GDPR twice, but in respect of the same conduct, as there is already a finding of infringement of Article 13(1)(c) GDPR[37].

35. Regarding the IT SA’s objection, the IE SA stressed that it has clearly set out its reasons for its proposed finding of compliance with Article 13(1)(d) GDPR and the objection does not have enough reasoning to support a contrary finding[38].

5.1.4 Analysis of the EDPB

5.1.4.1 Assessment of whether the objections were relevant and reasoned

36. The EDPB considers that the objection of the DE SA concerns “whether there is an infringement of the GDPR” as it argues that the IE SA should have found an infringement of Article 13(1)(d) GDPR. As it demonstrates that, if followed, the objection would lead to a different conclusion as to whether there is an infringement of the GDPR or not, the objection is to be considered as “relevant”[39]. The objection is also considered to be “reasoned” since the objection puts forward several factual and legal arguments for the proposed change in legal assessment. Specifically, it argues that there is a lack of intelligibility because WhatsApp IE relies upon a variety of different legitimate interests, yet WhatsApp IE fails to make sure that all of the legitimate interests listed are described in a manner that is clear and transparent enough for the data subject to understand. The objection provides several examples where the legitimate interests are not described in a transparent and intelligible form, which fails to ensure the purpose of the right to information. The objection also points out that the Draft Decision incorrectly focused on whether the information was clear enough for children.

37. As to the requirement for the objection to be “reasoned”, WhatsApp IE submitted that the DE SA objection did not meet this requirement because its statements “are not accurate” and “cannot be sufficient to satisfy the […] threshold”, the objection “relies on unsupported descriptions of the information provided by” WhatsApp IE and on “two misplaced understandings of the requirements of Article 13(1)(d)”[40]. The EDPB considers the objection to be adequately reasoned and recalls that the assessment of the merits of the objection is made separately, after it has been established that the objection satisfies the requirements of Article 4(24) GDPR[41]. As for the criterion of demonstrating the significance of the risks posed for the rights and freedoms of individuals, WhatsApp IE submitted that the objection did not meet this threshold, stating that there was no evidence provided for this[42]. The EDPB finds that the objection raised by the DE SA clearly demonstrates the significance of the risks posed for the rights and freedoms of individuals as it points out consequences for the data subjects, such as not being able to fully exercise their other data subject rights due to the lack of information under Article 13(1)(d) GDPR.

38. The EDPB took note of the objection raised by the DE BW SA but decides that as it merely supported the objection raised by the DE SA, the objection does not meet the requirements of Article 4(24) GDPR.

39. Since the objection of the PL SA disagrees with the finding of the IE SA that there has been no infringement of Article 13(1)(d) GDPR, the EDPB considers it to be relevant as it concerns “whether there is an infringement of the GDPR”[43]. The objection is also sufficiently reasoned as it argues that a nonspecific reference to a widely understood controller’s “legitimate interest” or “interests of business and other partners” does not meet the requirement under Article 13(1)(d) GDPR as stated in the Transparency Guidelines and furthermore refers to the original findings of the Investigator as opposed to those of the Decision-Maker. WhatsApp IE stated that the objection “fails to engage with the substance of the Composite Draft and the assessment carried out by the decision-maker”[44] and “fails to explain why it disagrees”[45]. The EDPB finds that the objection clearly sets out a disagreement as to the conclusions reached by the IE SA in the Draft Decision and does so by putting forward sufficient motivation. Regarding the requirement to demonstrate the significance of the risks posed by the Draft Decision to the rights and freedoms of data subjects, WhatsApp IE argued that the objection of the PL SA does not provide any evidence to support their claim that a consequence of the Draft Decision would be that “data subjects cannot exercise other rights provided by the GDPR and are not able to control the flow of their personal data”[46]. The EDPB finds that the objection of the PL SA clearly demonstrates the significance of the risks posed by the Draft Decision to the rights and freedoms of data subjects, who due to the inadequate information are placed in a position where they cannot exercise other rights provided by the GDPR and have control over their personal data.

40. The objection of the IT SA considers that the Draft Decision does not appropriately address the situation of infringement of Article 13(1)(d) GDPR and is therefore deemed to be relevant similarly to the objections above. WhatsApp IE argued in its submissions that the objection is not relevant, as it is “based in part on a statement that has not been made by” the IE SA in its Draft Decision[47], and not reasoned[48]. The fact of mistakenly referring to a sentence that is not present in the Draft Decision[49] in any event cannot be considered sufficient to make the objection not relevant, and this is even more so where the objection is only relying on this “in part”, and is clearly stating a disagreement as to the conclusion reached by the Draft Decision in respect of the infringement of Article 13(1)(d) GDPR. The EDPB also considers the objection to be reasoned, since it argues that there is a lack of clarity in the information provided, as there is no specific information being provided as to the processing activities involved. The objection states that the IT SA disagrees with the arguments relied upon by the IE SA. Concerning the requirement to demonstrate the significance of the risks posed by the Draft Decision to the rights and freedoms of data subjects, WhatsApp IE submitted that there was no evidence put forward by the IT SA to support their argument that the consequence of the Draft Decision would be that there would be a serious impairment of users’ fundamental right to be informed[50]. The EDPB finds that the objection raised by the IT SA clearly demonstrates the significance of the risks posed for the rights and freedoms of individuals as it points out that if the Draft Decision was not amended in this instance it would lead to an impairment of the users’ fundamental right to be informed.

41. On this basis, the EDPB considers that the objections raised by the DE SA, PL SA, and IT SA on the existence of an infringement of Article 13(1)(d) GDPR qualify as relevant and reasoned objections pursuant to Article 4(24) GDPR.

5.1.4.2 Assessment on the merits

42. In accordance with Article 65(1)(a) GDPR, in the context of a dispute resolution procedure the EDPB shall take a binding decision concerning all the matters which are the subject of the relevant and reasoned objections, in particular whether there is an infringement of the GDPR.

43. The EDPB considers that the objections found to be relevant and reasoned in this subsection[51] require an assessment of whether the Draft Decision needs to be changed in respect of the finding on compliance with Article 13(1)(d) GDPR. When assessing the merits of the objections raised, the EDPB also takes into account the position of the IE SA on the objections and the submissions of WhatsApp IE.

44. In its submissions, WhatsApp IE argued that it provides clear and transparent descriptions of the legitimate interests being relied on[52] and describes them in detail[53], that it had no obligation to further specify the third parties in its public facing transparency documents, nor did it have to explain its business practices to data subjects or explain why the legitimate interests relied on prevail over those of the data subjects[54]. WhatsApp IE also submitted that it has been mindful of providing all of its user-facing information in as simple a manner as possible, using a high standard of clarity capable of being understood by those who are 16 and over and using user-friendly, plain, and clear language[55].

45. The EDPB recalls that the Investigator originally found an infringement of Article 13(1)(d) GDPR in conjunction with an infringement of Article 13(1)(c) GDPR because of a conflation of the purposes of the processing with the legitimate interests relied upon to process the personal data as well as a lack of specific information in relation to the processing operation(s) or set of operations involved[56].

46. As described above in section 5.1.1, the IE SA found no infringement of Article 13(1)(d) GDPR and noted in its Draft Decision that the information provided by WhatsApp IE allowed the user to understand which and whose legitimate interests were being pursued[57].

47. In its Draft Decision, the IE SA relied mainly on the findings of the Investigator with regard to whether information as to the “owner” of the legitimate interest was provided and the manner in which those descriptions were presented[58], rather than how the information provided related to specific processing operations. The IE SA referred to elements within the Article 13(1)(c) assessment but did not further engage with the statements of the Investigator concerning the possible conflation of the purposes of the processing with the legitimate interests relied upon to process the personal data, or the lack of specific information in relation to the processing operation(s) or set of operations involved.

48. In the view of the PL SA[59] and IT SA[60], the original finding of the Investigator – that the described lack of relation of the legitimate interests to specific processing activities leads to an infringement of Article 13(1)(d) GDPR – is to be agreed with.

49. The DE SA submitted that the IE SA did not properly examine whether the description of each legitimate interest is clear for adult data subjects, and put forward examples of parts of the Legal Basis Notice considered as not in line with the requirements of Article 13(1)(d) GDPR[61]. According to the DE SA, the legitimate interests described under “measurement, analytics, and other business services” are not described in a transparent and intelligible form. The first white bullet point in this section states the interest to “provide accurate and reliable reporting to businesses and other partners”, while it is unclear who these “other partners” are. In addition, according to the DE SA, the description of the interest “to demonstrate the value our partners realise using our Services” is too abstract[62].

50. The EDPB recalls that where legitimate interest (Article 6(1)(f) GDPR) is the legal basis for the processing, information about the legitimate interests pursued by the data controller or a third party has to be provided to the data subject under Article 13(1)(d) GDPR.

51. As recalled in the Transparency Guidelines, the concept of transparency under the GDPR is user-centric rather than legalistic and is realised by way of specific practical requirements on data controllers and processors in a number of articles[63]. The Transparency Guidelines go on to explain that the practical (information) requirements are outlined in Articles 12 - 14 GDPR and remark that the quality, accessibility and comprehensibility of the information is as important as the actual content of the transparency information, which must be provided to data subjects[64].

52. With regard to Article 13(1)(d) GDPR the Transparency Guidelines state that the specific interest[65] in question must be identified for the benefit of the data subject.

53. In this light, the EDPB recalls the wording of Article 13(1)(d) GDPR, which reads that information shall be provided to the data subject “where the processing is based on point (f) of Article 6(1) GDPR” - about “the legitimate interests pursued by the controller or by a third party”.

54. The EDPB notes that the nature of Article 13(1)(d) GDPR (like Article 13(1)(c) GDPR) expressis verbis relates to the specific processing[66]. In this context the EDPB also recalls the broad wording with which Recital 39 GDPR describes transparency obligations.

55. Furthermore, the EDPB considers that the purpose of these duties of the controller is to enable data subjects to exercise their rights under the GDPR[67], such as the right to object pursuant to Article 21 GDPR, which requires the data subject to state the grounds for the objection relating to his or her particular situation. This is elaborated on in the Draft Decision by the IE SA with regard to the requirements of Article 13(1)(c) GDPR. There the IE SA correctly identifies that:

“(a) a data controller will usually collect different categories of personal data from an individual data subject at different times, in different ways and for different purposes […];

(b) a data controller will always need to carry out more than one processing operation in order to achieve the stated purpose of a processing operation; and

(c) a data controller might collect a particular category of data for a number of different purposes, each supported by a different legal basis”[68].

56. The EDPB is of the view, as outlined in the draft decision,[69] that providing full information on each and every processing operation respectively is the only approach that will ensure that the data subjects can:

(a) exercise choice as to whether or not they might wish to exercise any of their data subject rights and, if so, which one(s);

(b) assess whether or not they satisfy any conditionality associated with the entitlement to exercise a particular right;

(c) assess whether or not they are entitled to have a particular right enforced by the data controller concerned; and

(d) assess whether or not they have a ground of complaint such as to be able to meaningfully assess whether or not they wish to exercise their right to lodge a complaint with a supervisory authority.

57. However, the EDPB notes that these same arguments also are to be considered when assessing the information under Article 13(1)(d) GDPR. With regard to the information provided under Article 13(1)(d) GDPR the EDPB therefore agrees with the objections insofar as in order for the data subject to properly exercise their rights under the GDPR, specific information about what legitimate interests relate to each processing operation, and about which entity pursues each legitimate interest, is necessary[70]. Without this information, the data subject is not properly enabled to exercise his or her rights under the GDPR.

58. The provided information therefore has to meet these requirements in order to be compliant with Article 13(1)(d) GDPR.

59. The EDPB notes that overall the Legal Basis Notice consists of a list of several objectives under which WhatsApp IE has provided several legitimate interests, usually in the manner of bullet points, as was identified by the IE SA. The EDPB considers that in the Legal Basis Notice WhatsApp IE has not linked the information provided to the corresponding processing operation, for example by stating which categories of personal data are processed in which processing operation on the basis of each legitimate interest respectively. The Legal Basis Notice does not contain such specific information in relation to the processing operation(s) or set of operations involved[71].

60. This is in line with the arguments brought forward by the CSAs’ relevant objections, and the EDPB notes that this described lack of information negatively impacts data subjects’ ability to exercise their rights under the GDPR, such as the Right to Object under Article 21 GDPR[72].

61. Furthermore, the EDPB notes that several passages from the Legal Basis Notice, including those with regard to persons under the age of majority, some of which were referred to in the objection of the DE SA (like “For providing measurement, analytics, and other business services”), do not meet the necessary threshold of clarity and intelligibility that is required by Article 13(1)(d) GDPR in this case[73].

62. The EDPB notes the similarities between the examples of non-transparent (“poor practice”) information put forward in the Transparency Guidelines[74] and the Legal Basis notice of WhatsApp IE, which includes for example: “For providing measurement, analytics, and other business services where we are processing data as a controller […]”[75]; “The legitimate interests we rely on for this processing are: […] In the interests of businesses and other partners to help them understand their customers and improve their businesses, validate our pricing models, and evaluate the effectiveness and distribution of their services and messages, and understand how people interact with them on our Services”[76].

63. Under these circumstances the data subjects are not in a position to exercise their data subject rights, since it is unclear what is meant by “other business services”, as WhatsApp IE does not disclose this information or provide a relation to the specific legitimate interest. The EDPB also notes that it is unclear which businesses or partners WhatsApp IE refers to.

64. The EDPB also takes note of the fact that descriptions of the legitimate interest as the basis of a processing like “[t]o create, provide, support, and maintain innovative Services and features […]”[77] do not meet the required threshold of clarity required by Article 13(1)(d) GDPR, as they do not inform the data subjects about what data is used for what “Services” under the basis of Article 6(1)(f) GDPR, especially regarding data subjects under the age of majority.

65. WhatsApp IE further relies on the legitimate interest to “secure systems and fight spam, threats, abuse, or infringement activities and promote safety and security across the Facebook Company Products”. It therefore “share[s] information with the Facebook Companies to promote safety and security”[78]. As is the case with the above example, the data subject has no information about the specific processing operation which would enable a data subject to properly exercise his or her data subject rights[79].

66. In conclusion, the EDPB considers that the finding of the IE SA in the Draft Decision that WhatsApp IE has complied, in full, with the requirements of Article 13(1)(d) GDPR does not correspond to the information that WhatsApp IE has provided to the data subjects, as stated in the relevant objections raised by the CSAs. The EDPB instructs the IE SA to alter its finding concerning the absence of an infringement of Article 13(1)(d) GDPR and to include such infringement in its final decision on the basis of the shortcomings identified by the EDPB.

6 ON THE LOSSY HASHING PROCEDURE

6.1 Analysis by the LSA in the Draft Decision

67. In Part 1 of its Draft Decision the LSA focuses on the transparency in the context of non-users, establishes observations regarding the Contact Feature and its functionality and presents the factual framework on which it bases its assessment[80]. In this context, the IE SA notes that WhatsApp IE is the controller for the processing[81]. It further establishes that for the purpose of the Lossy Hashing procedure WhatsApp IE is processing the phone numbers of non-users, and that the phone number of a non-user constitutes personal data[82][83].

68. The LSA established in the Draft Decision (in contrast to the previous findings)[84] that due to the updated information and additional elements provided[85], and particularly the clarification of the existence and use of a “Notification hash”, the result of the Lossy Hashing procedure does not constitute personal data. The finding that WhatsApp IE failed to comply with its obligation under Article 14 GDPR remained unaffected by this new conclusion, but the scope of such infringement was reduced, which led the LSA to reduce the relevant fine from a range between €75 million and €100 million to a range between €30 million and €50 million.

6.2 Summary of the objections raised by the CSAs

69. In its objection, the DE SA disagrees with the LSA’s finding of the Draft Decision referenced above in paragraph 68. Contrary to the LSA’s finding, the DE Federal SA argues that the phone number of non-users constitutes an item of personal data even after lossy hashing.

70. The DE SA argues that it is not comprehensible in what way the new facts put forward by WhatsApp IE concerning the Notification Hash led the IE SA at the decision-making stage to overturn the previous finding made at the investigation stage, where it concluded that it is possible for third parties to make an indirect identification of the non-user.

71. The DE SA argues that the LSA incorrectly focused on the subjective elements presented by WhatsApp IE as “the legal assessment of whether a personal data exists does not only depend here on how the controller determines the use of the existing data for itself at that moment”[86].

72. The objection raises that not all computationally possible numbers are indeed assigned. Therefore, the lossy hash refers not to at least 16 numbers but to a maximum of 16 numbers. Furthermore, if additional data is stored along with the lossy hash, the number of individuals represented by the associated phone numbers can be reduced, as data subjects not matching this additional data can be excluded. If, for example, the gender is also stored, it is possible according to the DE SA to at least halve these 16.

73. The objection raises that the non-user number could be reconstructed by matching it with comparative values, by resolving it back via rainbow tables or by combining a lot of particulars with the same hash value.

74. The DE SA states that hashes are inherently lossy and that the notion of “lossless” hashing cannot be applied to the concept of a hash. Further, the role of the salt described in the Lossy Hashing procedure is unclear. A fixed salt, once disclosed, would not increase the brute-forcing difficulty, should not be called “salt”, and plays no discernible role in increasing the security of the process.

75. The DE SA argues that the Decision-Maker’s examination is based solely on the lossy hash while other relevant parameters are stored in the list. This renders the assessment incomplete and therefore its result false. According to the DE SA, the procedure does not lead to non-personal data, since the lossy hashes are stored in the non-user list.

76. Further, it is raised that the notification hash remains unexamined by the LSA. At the same time, according to the DE SA, the notification hash is sufficient to identify contacts without the need of the lossy hashes list. Instead, personal data is sent to up to 15 uninvolved users.

77. The correct assessment, according to the DE SA, would lead to the question of whether data is processed lawfully. It argues that no legal basis under Article 6(1) GDPR requiring necessity would be applicable. Therefore, the correct assessment would most likely lead to a higher fine level. With respect to necessity, the DE SA argues that the procedure is not necessary for the sync function, nor is it “data protection friendly”, as the data is stored for an indefinite amount of time with no tangible benefit for users and non-users. Additionally, it is unclear when lossy hash lists are deleted.

78. Finally, the DE SA argues in its objection that the decision creates a high risk of a significant gap in the protection of data subjects, as the interference with the rights of non-users due to the Contact Feature is already intense (also considering that non-users are de facto hardly enabled to exercise their rights) and if the processing remained without consequences, it would encourage other parties to introduce similar procedures.

***

79. The FR SA in its objection raises that in spite of the details provided in the Draft Decision regarding the submissions of WhatsApp IE responding to the Draft Report, and the information summarised above in paragraph 68, the lossy hash of the phone number still constitutes personal data and thus is subject to the GDPR.

80. According to the FR SA, the process described is a pseudonymisation processing in the sense of Article 4(5) GDPR and does not amount to anonymisation to the extent that by using additional information WhatsApp IE could identify the data subject to which the lossy hash refers. The storing of the lossy hash in connection with the details of the user from whom the contact list was collected could lead to infer the user’s social graph and to retrieve the phone number of the non-user or to establish a link between users when the non-user creates an account.

81. Additionally, the FR SA raises that the number of phone numbers linked to one hash, described as a minimum of 16, is theoretical. In reality, this figure will be significantly lower, taking into account that WhatsApp IE has additional information to retrieve the data subject attached to the lossy hash. It also points out that the […] algorithm has been regarded as obsolete.

82. Further, the objection raises that the consideration of the LSA that found the data to be anonymous led it to decrease the amount of the intended fine[87] and thus has an impact on the decision’s dissuasive effect.

83. Lastly, the FR SA states that the draft decision poses a risk to the fundamental rights and freedoms of data subjects. The decision cannot ensure the effective respect of the protection of European residents’ personal data, as it leads to a decrease of the fine. Additionally, it would exclude the lossy hash from the material scope of the GDPR and prevent any control on its use in the subsequent processing, in particular, in the event of the data being transmitted to a third party.

***

84. In its objection, the PT SA disagrees with the LSA’s finding referenced above in paragraph 68, that the non-user’s phone number after the lossy hashing procedure no longer constitutes personal data, and its interpretation of the application of Article 4(1) GDPR to the list of non-users after the lossy hashing procedure differs from the one of the IE SA.

85. In reaction to the submissions of WhatsApp IE, the PT SA states that the purpose of the processing does not determine whether data qualifies as personal data. Analogously, it does not matter if WhatsApp IE pursues any interest in identifying non-users. Rather it is necessary to look at whether the piece of information meets the conditions laid down in Article 4(1) GDPR. In this case, according to the PT SA, it is personal data because it is possible to single out non-users by rebuilding their phone number with a relatively low degree of uncertainty.

86. The PT SA first raises that the lossy hash maintains a level of identifiability that is not at all negligible. The lossy hash has a potential match with a maximum of 16 numbers and not with a minimum of 16 numbers. Also, the process is repetitive and the salt is constant, thus the process applied repeatedly to the same phone number will always result in the same lossy hash with no randomness.

87. According to the PT SA, if WhatsApp IE gets to know the 15 phone numbers that share the same lossy hash, the remaining phone number is totally revealed, particularly as the volume of information already held by the company enables this without having to resort to third parties to redo many of the phone numbers initially deleted. Therefore, it is possible to single out some non-users by rebuilding their phone number.

88. The PT SA argues that for this reason the lossy hashing does not effectively guarantee the anonymization of the data also considering that the above-mentioned means are reasonable, within the meaning of Recital 26 GDPR, as they are immediately available to WhatsApp IE without requiring excessive time and costs.

89. Additionally, the PT SA highlights that the vast contact network among users and between users and non-users which WhatsApp IE has at its disposal represents a significant additional source of information that increases the possibilities of identifiability. It highlights further that as mentioned by the LSA, the possibility of access by law enforcement authorities to this informational source of interpersonal relationships, once the lossy hashing procedure is applied to phone numbers, confirms the identifiability.

90. Finally, the PT SA understands that lossy hashes are personal data “(…) because they contain a high identifiability component, considering the enormous amount of information held by [WhatsApp IE], to the extent that they enable with reasonable use of means, to remake phone numbers that had been deleted.”[88]

91. Following this, the PT SA argues that the data at stake is subject to GDPR also with respect to the obligations of Articles 12 and 14 GDPR. It therefore disagrees with the conclusions of the LSA as to the absence of infringement of Article 14 GDPR as regards phone numbers converted into lossy hash and as to the reduction of the fine in paragraph 747(c) of the Draft Decision. According to the objection, the infringement of Article 14 GDPR would also be extended to the processing carried out after the lossy hashing procedure, with particular emphasis on the retention period of the list of non-users.

92. Lastly, the PT SA states that the finding in the draft decision creates a serious risk for the rights and freedoms of data subjects as it excludes the data from the application of the GDPR, particularly when the processing raises concerns of lawfulness that were due to be addressed in a near future. Additionally, the decision would set a very disturbing precedent related to the core of the data protection legal framework.

***

93. In its objection, the HU SA states that the Draft Decision details that non-users’ phone numbers are considered personal data before and after the lossy hashing procedure, in contrast to the LSA’s conclusion referenced above in paragraph 68.

94. Therefore, the HU SA argues that the scenario outlined in the Draft Decision whereby WhatsApp IE could, if requested, achieve the indirect identification of the non-user[89] remains valid as the phone number stored in hashed form (with WhatsApp IE knowing the hash key, therefore being able to decrypt it) is pseudonymous personal data. Thus, this allows the contact with a specific person to be re-created. While, according to the HU SA, the phone number is merely technical data, the contact with others makes it personal data for WhatsApp IE.

95. Further, the HU SA recalls that in order for the data to not be anonymous the controller does not need to have all the data necessary for re-identification, as long as it can have access to data which allows the re-identification. It argues that with anonymous data, it is not possible to make decisions targeted at individual users. If this is possible in the case at hand, it is incorrect to conclude the data to be anonymous. Therefore, it would be a serious mistake to conclude that the GDPR does not apply to data used for an operation that ultimately allows for the unique identification of users. Due to the above, the HU SA states that following the lossy hashing procedure, the phone numbers of non-users constitute personal data.

96. Additionally, the HU SA argues that providing information pursuant to Article 14 GDPR to non-users on WhatsApp IE’s website is not appropriate, since they might have no knowledge of the existence of the service and it is not possible to prove that the non-users are fully informed that they are affected by WhatsApp IE’s processing, as they cannot be expected to be interested in WhatsApp’s website.

97. Further, the HU SA raises that the processing of non-users’ data is excessive and thus violates the principle of data minimisation. Only once a non-user becomes a user the processing has a purpose, i.e. only at that point does WhatsApp IE have a real purpose to store the non-users’ phone number. At the same time, according to the objection, the same could be achieved if WhatsApp IE periodically compared the hash database of users’ phone numbers with the contact list to see if the user knows a person that has registered since the previous check. Thereby WhatsApp IE would not need to continuously store all non-users’ data. Therefore, the HU SA proposes to declare an additional infringement of Article 5(1)(c) GDPR.

98. Finally, the HU SA argues that not establishing this would undermine the data protection rights of data subjects as setting a false precedent would impair the possibility for individual rights to be enforced and exercised.

***

99. In its objection, the NL SA disagrees with the conclusion that non-user data after the hashing procedure are no longer personal data, contesting the finding of the Draft Decision referenced above in paragraph 68. In its view, the process results in pseudonymised data rather than anonymised data.

100. According to the NL SA, the technical part of the draft decision contains errors and relies overly on statements by WhatsApp IE concerning the assumed technical difficulty to regain a phone number from a lossy hash. The NL SA notes that the Draft Decision mistakenly refers to a single hash value being shared by at least 16 numbers, whereas it should read “at most”, and raises for instance that in many cases, only a single phone number out of the 16 possible ones will be processed by WhatsApp IE. In the case where indeed multiple numbers are in the same range, a multitude may already be known in the Contact Feature.

101. Further, the NL SA argues that the hashing scheme applied by WhatsApp IE is vulnerable to a brute force attack. For example, in the Netherlands, 54 million mobile phone numbers are issued. Constructing a look-up table takes around three minutes with hardware released in 2017, which, according to the NL SA, is well within the capabilities of WhatsApp IE. The NL SA is also concerned that a constant single salt value is used in all operations, which makes the brute-force attack “cheap to perform”. Therefore, according to the NL SA, it is possible for WhatsApp IE to go from the hash value to one or more mobile phone numbers, without unreasonable effort.

102. The NL SA also argues that WhatsApp IE is very likely to be aware of the fact that the lossy hash is a pseudonymous identifier because a practice is described whereby it matches data from customers that have the app with data from the phone book of its customers’ device to find other phone numbers that match with users.

103. Further, according to the objection, a law enforcement authority could as part of a criminal investigation request WhatsApp IE to apply the lossy hashing process to a phone number. It could then request WhatsApp IE to provide all the associated users linked to that hash (as potential known associates). These potential associates could then be further investigated.

104. Additionally, the NL SA argues that given recent advancements in social network graph analysis, augmentation or re-identification may prove possible. If multiple phone numbers belong to a single hash, this graph can be used to separate the identical hashes into different persons.
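The objections summarised in paragraphs 72, 86 to 87, 100 to 101 and 104 all turn on one technical point: a deterministic hash with a constant salt over an input space as small and enumerable as a national numbering plan can be inverted with a precomputed look-up table, and whatever is stored next to the hash shrinks the candidate set further. The following Python block is an added illustration of that point and is not code from the decision, from WhatsApp IE or from any supervisory authority. The decision redacts the algorithm actually used, so SHA-256, the salt value, the 64-bit output truncation and the modelling of the "lossy" step as dropping the low four bits of the number (so that exactly 16 consecutive numbers collide) are assumptions made here; the numbering block, the set of assigned numbers and the set of already-registered users are constructed sample data.

```python
"""Added example: inverting a constant-salt, truncated ("lossy") hash of phone
numbers by brute-force enumeration. Hypothetical construction; the real
algorithm is redacted in the decision and may differ."""
import hashlib
import time
from typing import Dict, Iterable, List

# Assumption: one constant salt reused for every number. The objections record
# that the real procedure uses a constant salt; the value here is invented.
SALT = b"constant-salt-shared-by-all-numbers"


def lossy_hash(number: int, salt: bytes = SALT) -> str:
    """Salted, truncated hash of a phone number.

    Modelling assumption: the lossy step drops the low 4 bits of the number
    before hashing, so exactly 16 consecutive numbers share one hash value
    and a bucket can hold at most 16 assigned numbers. SHA-256 and the
    64-bit (16 hex digit) truncation are likewise assumptions.
    """
    bucket = number >> 4
    return hashlib.sha256(salt + bucket.to_bytes(8, "big")).hexdigest()[:16]


def build_lookup(assigned: Iterable[int], salt: bytes = SALT) -> Dict[str, List[int]]:
    """Brute-force inversion table: hash every number the attacker (or the
    controller itself) considers assigned and index the numbers by hash.
    With a constant salt this is built once and serves every later lookup."""
    table: Dict[str, List[int]] = {}
    for n in assigned:
        table.setdefault(lossy_hash(n, salt), []).append(n)
    return table


def candidates(h: str, table: Dict[str, List[int]]) -> List[int]:
    """Assigned numbers behind one lossy hash: at most 16, usually far fewer,
    because most of the 16 computationally possible numbers are unassigned."""
    return table.get(h, [])


def narrow(cands: List[int], exclude: Iterable[int]) -> List[int]:
    """Side information held next to the hash (registered users, an attribute
    such as gender, a contact-graph neighbour) removes candidates that cannot
    be the non-user in question."""
    excluded = set(exclude)
    return [n for n in cands if n not in excluded]


def bucket_stats(table: Dict[str, List[int]]) -> Dict[str, int]:
    """Count hashes that already pin down a single number without side information."""
    sizes = [len(v) for v in table.values()]
    return {
        "buckets": len(sizes),
        "max_size": max(sizes),
        "singletons": sum(1 for s in sizes if s == 1),
    }


def estimate_table_seconds(total_numbers: int, sample: int = 20_000) -> float:
    """Extrapolate the cost of hashing a whole numbering plan from a timed
    sample (single core, pure Python; dedicated hardware is far faster)."""
    t0 = time.perf_counter()
    for n in range(sample):
        lossy_hash(n)
    return (time.perf_counter() - t0) / sample * total_numbers


# Constructed toy numbering block: 4096 consecutive numbers, roughly 15 % assigned.
BLOCK_START = 31_600_000_000  # constructed, not a real allocation
ASSIGNED = [
    n for n in range(BLOCK_START, BLOCK_START + 4096)
    if int(hashlib.sha256(str(n).encode()).hexdigest(), 16) % 20 < 3
]
# Constructed: some assigned numbers are already registered users of the service.
KNOWN_USERS = {n for n in ASSIGNED if n % 4 == 1}
# The non-user whose lossy hash sits in the non-user list (chosen so it is not a user).
TARGET = next(n for n in ASSIGNED[50:] if n % 4 != 1)


def recover(target: int = TARGET) -> dict:
    """Invert one lossy hash taken from the non-user list."""
    table = build_lookup(ASSIGNED)
    h = lossy_hash(target)
    cands = candidates(h, table)
    narrowed = narrow(cands, KNOWN_USERS)
    return {
        "hash": h,
        "candidates": cands,          # at most 16 numbers, target among them
        "after_side_info": narrowed,  # usually only a handful remain
        "stats": bucket_stats(table),
    }


if __name__ == "__main__":
    print(recover())
    print("54 million numbers, one core:", round(estimate_table_seconds(54_000_000), 1), "s")
```

Because the salt is a fixed prefix known to whoever holds the list, it adds nothing to the cost of the table, which is the DE SA's point in paragraph 74; the `singletons` figure shows how many hashes identify exactly one assigned number before any side information is used, matching the NL SA's observation that often only a single number out of the 16 possible ones is present; and `narrow` shows how a stored attribute or the set of known users reduces the rest.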

105. The NL SA concludes that the erroneous assessment leads to the findings that the impact of the processing activities on non-users is fairly limited and that, even though a compliance deficit regarding transparency towards non-users is established, only a slight amendment of policies would suffice to remedy the infringement. On the contrary, according to the NL SA, the processing of non-user data does not stop after applying said lossy hashing methods and the GDPR must continue to apply (also in light of relevant CJEU case law), which may well entail more amendments to the privacy policy than envisaged in Appendix C to the Draft Decision. The NL SA therefore expresses concerns that the LSA may not envision appropriate action towards WhatsApp IE to enforce transparency towards non-users.

106. The NL SA states that consequently, amending the conclusion in the Draft Decision referenced above in paragraph 68 would mean that the subsequent processing is covered by the GDPR and that WhatsApp IE must make sure it complies with the GDPR and that the risks to the rights and interests of non-users are reduced. In particular, it would influence the scope of obligations upon WhatsApp IE under the LSA’s proposed order, since in light of Article 14 GDPR it should be noted that also non-users should receive information about the processing of their data by WhatsApp IE even though they are not customers of the service.

107. Additionally, the NL SA raises that WhatsApp IE should also inform non-users of the subsequent processing of their data, in accordance with Article 12 GDPR. For example, if the hashed non-user data were to be used by a third party, Article 14(1) GDPR would prescribe that this must be reflected in the information to data subjects.

108. Further, according to the NL SA’s objection, the potential circle of affected data subjects is significantly larger than envisaged by the LSA. It raises that the conclusion above also affects the scope of corrective measures proposed by the LSA. The NL SA argues that it may add to the impact and gravity of the infringements and thereby may justify higher sanctions.

109. The NL SA highlights that the draft decision creates the risk that the personal data of non-users would no longer be protected by the application of the GDPR after the lossy hashing. Non-users would have a very limited window of opportunity to exercise their data subject rights, and any restrictions which the GDPR places on storing, transferring or using the data after the lossy hashing would not apply.

110. The NL SA argues that it would further create a legal precedent for other organisations and circumstances on what de facto would be sufficient to anonymise personal data. Other controllers may process personal data without complying with the GDPR, because they assume they hold anonymous data following the procedure above, while they actually process personal data.

***

111. In its objection, the IT SA expresses a disagreement with the conclusion reached by the IE SA at the decision-making stage (departing from those reached at the investigation stage) that there is no infringement of Article 14 GDPR with regard to the processing of non-users’ data following the application of the so-called Lossy Hashing procedure.

112. According to the IT SA, non-users’ data collected by WhatsApp IE through access to users’ address books with users’ consent is to be considered personal data both at the time of their storage in clear text and after the application of the so-called lossy hashing. It argues that encrypted data is to be regarded as being pseudonymised, not anonymised, therefore it is unquestionably personal data.

113. This conclusion, according to the IT SA, is not affected by WhatsApp IE’s submission that “reverse engineering decryption used by [WhatsApp IE] to present users with the numbers of non-users who have joined the service does not allow identifying an individual number as yields a set of sixteen phone numbers”[90], nor by the statement that users are notified via notification hashing rather than via the lossy hashing. Rather, according to the IT SA, this amounts to an additional reason to argue that personal data is indeed processed.

114. The IT SA argues that these considerations are relevant to the existence of an infringement of Article 14 GDPR and to calculating the amount of the administrative fine (as the fine was reduced by the IE SA in light of the conclusions reached in this regard).

115. Finally, the IT SA states that the decision poses a significant risk for the rights and freedoms of the data subjects as it impairs their right to be informed as well as due to the disproportionate corrective measure.

6.3 Position of the LSA on the objections

116. The final position taken by the IE SA was to not follow any of the objections[91]. However, in the Composite Response the IE SA indicated that it considered the objections relevant and reasoned. It acknowledges the common issue, i.e. that the data is to be regarded as pseudonymous rather than anonymous, and takes account of the proposed ways in which identification might be achieved. The LSA further takes stock of the concerns raised by the CSAs regarding the salt, that the number of 16 numbers being represented by the lossy hash is in practice not a minimum, but rather a maximum and that WhatsApp IE has at its disposal a vast network of contacts among users and non-users[92].

117. Considering the above, the LSA argues that while it is theoretically possible to consider the 39-bit hash value as being anonymous, viewing the hash value in isolation disregards the risks that are present in the processing environment that might enable the re-identification of the data subjects[93]. Further, in reaction to WhatsApp IE’s submissions refuting the objections as theoretical and raising that the objections fail to identify why WhatsApp IE might want to re-identify the non-users, the LSA states that it is not unusual to rely on hypothetical scenarios to identify the re-identification risks and that the motivation does not affect the technical ability to re-identify a data set. However, it states that the motivation will be relevant when assessing whether the means identified are reasonably likely to be used.

118. Further, the LSA refers to the WP29 Opinion 05/2014[94] and points out that, since the retained dataset contains links from the hash value to users of the service, it presents a “greater-than-zero risk that some non-users could be re-identified by inference, linking or singling out”[95]. However, it also points out that in many of the scenarios presented by the CSAs, the auxiliary data is the phone number of the non-user itself, thereby creating a somewhat circular argument. It argues as well, that a zero-risk approach is likely to result in very few, if any, processes achieving anonymisation. The LSA questions that such an outcome was envisaged by the legislator.

119. Finally, following the above, the LSA concludes that neither have the CSAs provided solid arguments to conclude that the process is insufficient to anonymise data, nor are WhatsApp IE’s responses sufficiently developed to support a finding that the process is sufficient to anonymise data in every case[96]. Therefore, it agrees with the concerns expressed by the CSAs in relation to the potential finding having a very significant impact as a precedent, but remains concerned whether the reversed finding, based on the varying hypotheses proposed by the CSAs, would be sustained if challenged in court.

120. Further, it is to be noted that before referring the dispute to the Board, the LSA proposed as a compromise to amend the draft decision to only retain the finding that WhatsApp IE processes the personal data of non-users, thus being subject to Article 14 GDPR, and to remove all references to the Lossy-Hashing procedure, including any associated findings.

6.4 Analysis of the EDPB

6.4.1 Assessment of whether the objections were relevant and reasoned

121. The objection of the DE SA disagrees with the finding of the Decision Maker that the phone number of a non-user, once subjected to the Lossy Hashing procedure, does not constitute personal data, due to the presence of several factors that allow identification of the data subjects. The DE SA states that, if followed, this objection would lead to a different conclusion as to the nature of the aforementioned data, and would also raise questions as to the lawfulness of the processing, which may lead to the finding of an additional infringement of Article 6(1) GDPR, as well as most likely to different administrative measures. Therefore, as there is a direct link between the objection and the substance of the draft decision at issue, the EDPB considers the objection to be relevant.

122. In addition, the DE SA sets out factual and legal mistakes concerning the analysis of the Lossy Hashing procedure in the Draft Decision. Further, the DE SA’s objection refers to how the Draft Decision ought to be changed, arguing that, as it considers that “[n]one of [the] legal bases of Article 6(1) GDPR requiring necessity would be applicable” to the processing of the pseudonymised data, this would lead “to a different outcome and thus most likely to different administrative measures and a higher level of fine”[97].

123. The objection argues that if the Draft Decision was not amended in this instance, it would entail a high risk for data subjects’ fundamental rights and freedoms as incorrectly not finding the data to be personal data would create “a significant gap in protection for the data subjects throughout Europe”. Further, it “would encourage other providers/responsible parties to introduce similar procedure” and thus prevent the data subjects from exercising their rights[98]. Therefore, the EDPB considers the objection to be reasoned.

124. On this basis, the EDPB considers that the objection raised by the DE SA is a relevant and reasoned objection pursuant to Article 4(24) GDPR.

125. WhatsApp IE considers all the objections concerning the Lossy Hashing procedure neither relevant nor sufficiently reasoned to meet the threshold of Article 4(24) GDPR. Regarding the reasoning of the above objections, WhatsApp IE reiterates what it has already explained in its submissions as to why the phone numbers of non-users cannot be re-identified[99]. As to the demonstration of the significance of the risk in these objections, WhatsApp IE argues that the objections raise only “vague and unfounded concerns”, as lossy hashed data is not considered as personal data. Nonetheless, the EDPB considers these objections to be adequately reasoned and recalls that the assessment of the merits of the objection is made separately, after it has been established that the objection satisfies the requirements of Article 4(24) GDPR[100]. Therefore, as the arguments presented address the merits of the objection, the EDPB is not swayed as far as the assessment of whether the Article 4(24) threshold itself is met. This is relevant for all the objections analysed in this subsection.

126. The objection of the FR SA states that it disagrees with the conclusion of the LSA referenced above in paragraph 68. It raises that the finding that Lossy Hash was not personal data led the LSA to reduce the amount of the fine initially stipulated, and therefore expresses concerns as to whether the envisaged action proposed by the LSA complies with the GDPR. As there is a direct link between the objection and the substance of the draft decision at issue, the EDPB considers the objection to be relevant.

127. The EDPB also considers the objection “reasoned”, since it points to factual errors in the Draft Decision. In this regard, the FR SA’s objection highlights that the Draft Decision considered that the GDPR did not apply insofar as the Lossy Hash procedure resulted in the anonymisation of data, whereas it should be qualified as pseudonymised data. Additionally, the EDPB finds that the objection of the FR SA clearly demonstrates the significance of the risks to the fundamental rights and freedoms of the data subjects posed by the Draft Decision as the FR SA argues that, if not followed, this decision would jeopardize “the effective respect of data subjects’ rights”. In addition, the objection refers to the absence of the dissuasive effect of the fine. Lastly, the FR SA considers that the issuing of this decision would exclude this data from the material scope of the GDPR and consequently prevent any future control on this type of data[101].

128. On this basis, the EDPB considers that the objection raised by the FR SA is a relevant and reasoned objection pursuant to Article 4(24) GDPR.

129. The objection of the PT SA considers that, as the data undergoing the lossy hash procedure is not anonymised, this would lead to a further infringement of Article 14 GDPR due to the lack of information regarding the processing of non-users’ data after the Lossy Hashing procedure. The PT SA states that it disagrees with the conclusions reached by the LSA in the Draft Decision. This objection therefore concerns “whether there is an infringement of the GDPR”. Further, as there is a direct link between the objection and the substance of the draft decision at issue, the EDPB considers the objection to be relevant.

130. In addition, the EDPB notes that the objection of the PT SA refers to legal mistakes in the Draft Decision, namely that the LSA finds the result of the Lossy Hashing procedure not to constitute personal data, and therefore that there is no breach of Article 14 GDPR after the Lossy Hashing procedure has been applied. Further, the PT SA explains how the finding that the Lossy Hashing does not guarantee the anonymization of data would lead to a different conclusion (namely, an additional infringement of Article 14 GDPR). Furthermore, the EDPB finds that the objection of the PT SA clearly demonstrates the significance of the risks posed to the fundamental rights and freedoms of the data subjects by the Draft Decision, as in this regard, the PT SA explains that this will amount to “removing the legal protection and guarantees of the data subjects who might be identified”, as well as to “a very disturbing precedent related to the core of the data protection legal framework which is the concept of personal data”[102].

131. On this basis, the EDPB considers that the objection raised by the PT SA is a relevant and reasoned objection pursuant to Article 4(24) GDPR.

132. The objection of the HU SA concerns both “whether there is an infringement of the GDPR” and “whether the envisaged action proposed by the LSA complies with the GDPR”. The HU SA’s objection refers to the lack of findings of Article 5(1)(c) and objects to the conclusions made in the Draft Decision on the appropriate method to be used by WhatsApp IE for providing information to non-users. As there is a direct link between the objection and the substance of the draft decision at issue, the EDPB considers the objection to be relevant.

133. Moreover, the EDPB notes that the HU SA adequately justified the need to amend the Draft Decision. In this regard, the HU SA pointed out that the data is incorrectly assessed as anonymous data, that there is no evidence that non-users are informed about the processing of their phone number, and that the processing of this data is excessive with regard to the purposes for which it is processed. Thus, the HU SA explains how the finding that the Lossy Hashing procedure does not guarantee the anonymisation of data would lead to a different conclusion (namely, an additional infringement of Article 5(1)(c) GDPR and the need to appropriately inform non-users about this processing). Further, the EDPB finds that the objection of the HU SA clearly demonstrates the significance of the risks posed by the Draft Decision, as the HU SA explains that this would undermine the enforceability of data subject rights under the GDPR and make it impossible for non-user data subjects to exercise their rights under the GDPR, and explains that “it could set a false precedent (…) for an unforeseeable number of data subjects”[103].

134. On this basis, the EDPB considers that the objection raised by the HU SA is a relevant and reasoned objection pursuant to Article 4(24) GDPR.

135. The objection of the NL SA claims that WhatsApp IE failed to inform non-users of the processing operations carried out after the Lossy Hashing procedure, as well as points out the lack of corrective measures issued in the Draft Decision. Therefore, this objection concerns both “whether there is an infringement of the GDPR” and “whether the envisaged action complies with the GDPR”. As there is a direct link between the objection and the substance of the draft decision at issue, the EDPB considers the objection to be relevant.

136. Moreover, the EDPB notes that the NL SA adequately justified the need to amend the Draft Decision. In this regard, the NL SA’s objection states that the Draft Decision insufficiently assessed the statement made by WhatsApp IE concerning the presumed technical difficulty of regaining a phone number from a Lossy Hash. Thus, the NL SA explains how the finding that the Lossy Hashing procedure does not guarantee the anonymisation of data would lead to a different conclusion as regards both the scope of the obligations under Articles 12 and 14 GDPR and the corrective measures (order to bring processing into compliance and administrative fine). Finally, the EDPB finds that the objection of the NL SA clearly demonstrates the significance of the risks posed by the Draft Decision, as it explains how this decision would prevent non-user data subjects from enforcing their rights under the GDPR and would create a legal precedent[104].

137. On this basis, the EDPB considers that the objection raised by the NL SA is a relevant and reasoned objection pursuant to Article 4(24) GDPR.

138. The objection of the IT SA concerns both “whether there is an infringement of the GDPR” and “whether the envisaged action complies with the GDPR”. In this objection, the IT SA indeed considers that the Draft Decision should be amended to include an additional infringement of Article 14 GDPR as regards the processing of lossy-hashed data, and suggests re-examining the envisaged corrective measures, which were initially reduced due to the qualification of these data as non-personal. Considering that there is a direct link between the objection and the substance of the draft decision at issue, the EDPB considers the objection to be relevant.

139. In addition, the EDPB notes that the IT SA adequately justified the need to amend the Draft Decision by referring to the mischaracterisation of lossy hashed data as anonymised data. Thus, the objection of the IT SA explains how the finding that the Lossy Hashing procedure does not guarantee the anonymisation of data would lead to a different conclusion (namely, as regards the corrective measures taken in the Draft Decision and an additional infringement of Article 14 GDPR). Finally, the EDPB finds that the objection of the IT SA clearly demonstrates the significance of the risks posed to the fundamental rights and freedoms of the data subjects by the Draft Decision, as it explains that this decision would lead to a “serious impairment of non-users’ fundamental right to be informed, as well as the inadequate and disproportionate corrective measures and fining that are envisioned vis-a-vis the controller”[105].

140. On this basis, the EDPB considers that the objection raised by the IT SA is a relevant and reasoned objection pursuant to Article 4(24) GDPR.

6.4.2 Assessment on the merits

141. The EDPB considers that the objections found to be relevant and reasoned in this subsection[106] require an assessment of whether, in the case at hand, the Lossy Hashing procedure indicated by WhatsApp IE achieves the anonymisation of personal data so as to render the GDPR no longer applicable. In this context, the EDPB already notes that a lossy hashed non-user phone number is stored by WhatsApp IE in a table (hereinafter called “Non-User list”), linking a lossy hash to mobile phone numbers of those users who uploaded numbers via the Contact Features that fall into the group of different phone numbers that would have generated that same lossy hash[107].

142. The procedure of lossy hashing is detailed by WhatsApp IE as consisting of the following steps: […][108]

143. WhatsApp IE explains that this table is used to select the existing users to which a so-called ‘notification hash’ is sent when a new user joins the service. This selection is done by performing the Lossy Hashing procedure with the phone number of the new user and then sending the ‘notification hash’ to all those users who have uploaded any one of the pool of numbers which are represented by the lossy hash, that are linked to it in the above-mentioned table. Once WhatsApp IE’s application on a user’s device receives a notification hash, it will create an equivalent notification hash of the users in its address book to compare whether the new user is part of the contacts in its address book, in which case it will initiate a sync request[109].

144. For the purpose of assessing whether the data described above amounts to personal data, and also in consideration of WhatsApp IE’s submissions in relation to the draft decision and the objections, the EDPB recalls the definition provided in Article 4(1) GDPR[110] and the clarifications provided by Recital 26 GDPR[111].

145. In other words, WhatsApp IE needs to analyse whether data has been processed in such a way that it can no longer be used to directly or indirectly identify a natural person using “all the means likely reasonably to be used” by either the controller or a third party[112]. Such analysis needs to take account of objective factors as required by Recital 26 GDPR but can and should rely on hypotheticals allowing the understanding of the likelihood for re-identification to occur.

146. In the case at hand, on the basis of the information available, the risk for non-users to be identifiable by inference, linking or singling out is not just “greater-than-zero” as acknowledged by the IE SA[113], but is such that it can be concluded that those non-users are identifiable for the purposes of the definition in Article 4(1) GDPR. The EDPB takes note of the statement by WhatsApp IE that “there is zero risk of re-identifying the original phone numbers from which they were generated” and “[e]ven if there was any re-identification risk, the factors applicable to the Anonymisation Process and creation of the Lossy Hash clearly demonstrate that any such risk has been reduced to below what the law sets as an acceptable risk level”[114]. However, the EDPB considers, as detailed below, that given the means and the data which are available to WhatsApp IE and are reasonably likely to be used, its capacity to single out data subjects is too high to consider the dataset anonymous.

147. The EDPB notes that, within its submissions, WhatsApp IE argued that the objections fail to identify why WhatsApp IE might want to single out the non-users whose phone numbers have been deliberately subjected to a process that is designed to achieve anonymisation[115]. The EDPB highlights that neither the definition nor Recital 26 GDPR as such provide any indication that the intention or the motivation of the controller or of the third party are relevant factors to be taken into consideration when assessing whether the dataset at hand is to be considered personal data or not[116]. The EDPB concurs with the IE SA that what is relevant for the GDPR to apply, i.e. for data to be considered as “personal”, is rather whether the data relate to a person who can be identified, directly or indirectly, and whether the controller or a third party have the technical ability to single out a data subject in a dataset[117]. This possibility may materialise irrespective of whether such technical ability is coupled with the motivation to re-identify or single out a data subject.

148. In addition, the EDPB stresses that the whole context of the processing needs to be considered, as “all objective factors” affect “whether means are reasonably likely to be used to identify the natural person”[118]. In the specific situation at hand, the creation of the Lossy Hashing procedure is only one step in the process and cannot be considered in isolation. Rather, the phone number of any user that activated the Contact Feature and that had at least at that moment one non-user contact will be linked to the lossy hash created from the number of this non-user[119]. The result is a “Non-User List” which is stored by WhatsApp IE[120].

149. As noted by the IE SA, viewing the hash value in isolation disregards the “risks present in the processing environment that might enable the re-identification of the data subjects concerned”[121]. Therefore, it is important to assess whether the result of the entire process allows for singling out, rather than assessing an individual step of the process. For the possibility of re-identification, all the data and resources available to the controller or a third party need to be considered. In this context, the EDPB does not consider that WhatsApp IE has conclusively shown that the processing environment is subject to such organisational and technical measures that the risks of re-identification are purely speculative[122].

150. In its submission, WhatsApp IE indicates that each lossy hash represents a pool of at least 16 phone numbers[123]. However, in the view of the EDPB and as maintained by several objections raised by the CSAs, this is incorrect. While it cannot be ruled out that there will be cases where 16 phone numbers are connected to a lossy hash, in many cases a lossy hash will be connected to fewer phone numbers, even only one[124].

151. There is for example no certainty, nor is it likely, that all the theoretically available phone numbers in a range are indeed assigned to a data subject. Further, WhatsApp IE correctly points out in line with the NL SA’s objection that the number of mobile phone numbers in the Netherlands exceeds the actual population. This leads to a situation where even though a lossy hash may refer to a set number of mobile phone numbers, the number of associated data subjects can be lower.

152. Additionally, considering that WhatsApp IE processes all the phone numbers that are contacts of the user that enables the Contact Feature, the EDPB notes that it is highly likely that a user will have at least one non-user phone number as a contact[125]. Therefore, the phone number of each user will be retrievable from the “Non-User lists” and these numbers can be used to exclude numbers that could be possibly represented in a lossy hash[126]. For example, if all but one phone number that would lead to a specific lossy hash are found to be users of the service, as they are part of at least one Non-User list, the remaining phone number is identified. Therefore, the proposed k-anonymity is not based on a k of 16 as indicated by WhatsApp IE, as that would require this value to be accurate for the entire data set.
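The reasoning of paragraphs 141 to 152 can be made concrete by measuring, for each lossy hash, how many candidate numbers actually remain once unassigned numbers (paragraph 151) and the numbers of users already present in the Non-User List (paragraph 152) are excluded. The following is an added illustration, not code from the decision or from WhatsApp IE: the real Lossy Hashing steps are redacted in paragraph 142, so a stand-in hash that pools every 16 consecutive numbers into one 39-bit value is assumed, and the numbering plan, assigned numbers and address books are constructed sample data.

```python
"""Effective anonymity set per lossy-hash bucket (added illustration).

Assumptions, all constructed for this example:
  * lossy_hash() is a stand-in: the decision redacts the real procedure,
    so here every 16 consecutive numbers collide into one 39-bit value.
  * The numbering plan, which numbers are assigned, and the address
    books of users are sample data, not WhatsApp IE data.
"""
import hashlib
from collections import defaultdict

POOL_SIZE = 16      # pool size claimed per lossy hash (para. 150)
HASH_BITS = 39      # hash width referred to by the LSA (para. 117)


def lossy_hash(number: int) -> int:
    """Stand-in lossy hash: numbers sharing number // POOL_SIZE collide,
    so each hash nominally stands for POOL_SIZE phone numbers."""
    digest = hashlib.sha256(str(number // POOL_SIZE).encode()).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << HASH_BITS) - 1)


def pool_of(number: int) -> range:
    """The nominal pool of POOL_SIZE numbers sharing number's lossy hash."""
    base = (number // POOL_SIZE) * POOL_SIZE
    return range(base, base + POOL_SIZE)


def build_non_user_list(address_books: dict, users: set) -> dict:
    """Non-User List (para. 141): lossy hash of each non-user contact
    -> the users who uploaded a number in that pool via the Contact Feature."""
    table = defaultdict(set)
    for user, contacts in address_books.items():
        for contact in contacts:
            if contact not in users:
                table[lossy_hash(contact)].add(user)
    return table


def anonymity_set(number: int, assigned: set, users: set) -> set:
    """Numbers in the pool that could still be the non-user behind the hash:
    unassigned numbers have no data subject (para. 151) and users' numbers
    are already known from the Non-User List (para. 152)."""
    return {n for n in pool_of(number) if n in assigned and n not in users}


def effective_k_report(address_books: dict, assigned: set) -> tuple:
    """For every lossy hash in the Non-User List, the effective k
    (size of the remaining anonymity set) instead of the nominal POOL_SIZE."""
    users = set(address_books)           # every user has an address book
    table = build_non_user_list(address_books, users)
    report = {}
    for contacts in address_books.values():
        for contact in contacts:
            if contact not in users:
                report[lossy_hash(contact)] = len(
                    anonymity_set(contact, assigned, users))
    return report, table


# Constructed numbering plan: three pools of 16 numbers each.
POOL_A = pool_of(610_000_000)     # 610000000 .. 610000015, all assigned
POOL_B = pool_of(610_000_016)     # 610000016 .. 610000031, only 5 assigned
POOL_C = pool_of(610_000_032)     # 610000032 .. 610000047, all assigned
ASSIGNED = set(POOL_A) | set(list(POOL_B)[:5]) | set(POOL_C)

# Constructed address books: 15 users from pool A, 2 from pool B (para. 152:
# each user has at least one non-user contact, so each appears in the table).
ADDRESS_BOOKS = {u: [610_000_015, 610_000_018] for u in list(POOL_A)[:15]}
ADDRESS_BOOKS[610_000_016] = [610_000_040, 610_000_000]
ADDRESS_BOOKS[610_000_017] = [610_000_019]

if __name__ == "__main__":
    report, table = effective_k_report(ADDRESS_BOOKS, ASSIGNED)
    for h, k in report.items():
        print(f"lossy hash {h:#012x}: nominal k={POOL_SIZE}, effective k={k},"
              f" uploaded by {len(table[h])} users")
```

With this sample data the pool A hash is left with a single candidate number (the one non-user among sixteen assigned numbers), the pool B hash with three, and only the pool C hash keeps the nominal sixteen.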

153. For completeness, the EDPB refers to the Article 29 Working Party Opinion on anonymisation techniques[127], which clarified that k-anonymisation on its own merely avoids singling out, but does not necessarily address the risks of linkability or inference. In addition, it is to be noted that WhatsApp IE is even able to make use of the information on the devices of the users of its services, including the address book[128].

154. Further, the EDPB also notes that evidently the result of the Lossy Hashing procedure allows inferring information about a non-user or a set of non-users in relation to the phone number(s) to which the specific lossy hash correlates. For each of the user phone numbers in the Non-User list, it is given that this user had at least one of the non-users’ phone numbers, which is part of the set of non-user phone numbers represented by the lossy hash, in its address book when the user had activated the Contact Feature.

155. Lastly, considering the number of users of the service, the “Non-User List”, which links each lossy hash and those users of the service that have at least one contact in their address book that would create this lossy hash, forms an extensive network of associations of users to various lossy hashes[129]. This network of connections between users and non-users, and thereby indirectly among users, constitutes a sort of topological signature of lossy hashes which becomes fairly unique as the dimension of the network and the number of connections grows[130]. This is the circumstance for the case at stake and the availability of the social graph among users and non-users can substantially increase the re-identification risk of data subjects[131].

156. Therefore, based on the analysis done and the information available to it, the EDPB concludes that the table of lossy hashes together with the associated users’ phone numbers as Non-User List constitutes personal data[132] and instructs the IE SA to amend its decision accordingly.

157. As the consequences of the aforementioned conclusion which the CSAs proposed in their objections are diverse, they are addressed below in sections 7.4.4.1 (Infringement of Art 6(1) GDPR), 7.4.4.2 (Infringement of Art 14 GDPR), 7.4.4.3 (Infringement of Art 5(1)(c) GDPR) and 9.4 (Impact on the administrative fine).

7 ON POTENTIAL FURTHER (OR ALTERNATIVE) INFRINGEMENTS OF THE GDPR IDENTIFIED BY THE CSAS

7.1 Objections relating to the scope of the Inquiry

7.1.1 Analysis by the LSA in the Draft Decision

158. In the introductory part of its Draft Decision, the LSA states that the Inquiry relates to WhatsApp IE’s transparency obligations pursuant to Articles 12, 13 and 14 GDPR[133]. The LSA also clarified that, since this Draft Decision concerns an own-volition inquiry, it is not based on any specific or individual complaint, concern or request, including those submitted through mutual assistance, which will be addressed by way of separate processes under the 2018 Act (as might be required)[134].

7.1.2 Summary of the objections raised by the CSAs

159. The objection raised by the DE SA refers to the limited scope of the investigation and to the failure by the IE SA to consider, before analysing compliance with Articles 13-14 GDPR, which data processing took place. The DE SA considers that “consensus on the scope of the investigation should be reached at an earlier stage by the competent supervisory authorities than in the current stage of the draft decision. Therefore, before providing the draft decision of the ex officio procedure the DPC should have sought consensus regarding the scope of the procedure prior to initiating the procedure formally”[135]. In particular, the DE SA argues that the Draft Decision omits the first step of the review of Articles 13 and 14 GDPR, which should be on the factual level. According to the DE SA, the assessment of the manner in which the information is provided can only take place after determining the factual elements of the processing operation in question. The DE SA refers, in particular, to the factual requirements of the legal bases and the existence of data transfers to third countries. It is argued that incorrect information is worthless for data subjects and deceives them. In addition, the DE SA considers that the imposition of a fine for lacking information pursuant to the infringement of Articles 12 to 14 GDPR can result in the impossibility of applying sanctions for the provision of incorrect information for the same period. This would jeopardise the right of data subjects to effective judicial protection, since they would not be able to complain against the decision of the IE SA, as it is not communicated to them. The DE SA considers that “a (further) fine against WhatsApp would no longer be possible due to the discontinuance of criminal proceedings”[136]. The DE SA also argues that the limited scope of the investigation and the fact that the assessment of the factual bases was insufficient or lacking increases the risk of non-uniform application of EU law.

160. In addition, the DE SA raises another objection whereby it considers that “the question of whether and which data of WhatsApp users and non-users is disclosed to Facebook was not sufficiently investigated either in factual terms or at the normative level”[137]. The DE SA considers that there are “obvious contradictions” in WhatsApp IE’s statements regarding the existence or not of data transfers to Facebook and, therefore, “it would be necessary to examine in detail what data processing takes place”[138]. The DE SA considers that, without a thorough investigation of these issues, “it makes no sense to check transparency issues and the right to be informed”[139] and, therefore, they should have been investigated.

***

161. The HU SA raised an objection arguing that since consent needs to be informed, and the LSA found that WhatsApp IE had failed to properly inform data subjects, the Draft Decision should include that in case of consent-based processing, consent was invalid and WhatsApp IE had been processing personal data without a legal basis for years.

7.1.3 Position of the LSA on the objections

162. The LSA considered that the objections raised by the DE SA regarding the scope of the investigation were not relevant and reasoned, since they fall outside the scope of the Inquiry[140]. The IE SA emphasises that the Inquiry underpinning the Draft Decision was purposefully focused on WhatsApp IE’s transparency obligations[141].

163. The IE SA further states that, as expressed in the Draft Decision, “the findings and outcome of the inquiry are without prejudice to any assessment of the legal bases being relied upon to support the processing of personal data”[142], and that a separate inquiry regarding that matter is underway[143]. Thus, the IE SA highlights that the Draft Decision does not prevent further inquiries on the legitimacy of the processing[144]. Likewise, the IE SA underlines that the Inquiry did not assess WhatsApp IE’s obligations regarding international data transfers and that the IE SA has commenced an inquiry examining the legality of Facebook’s data transfers to the United States of America[145].

164. Concerning the involvement of the CSA(s) in the determination of the own-volition inquiry, the IE SA notes that, while the DE SA relies on the RRO Guidelines to make that claim, the Inquiry commenced well before the preparation and adoption of the RRO Guidelines[146]. In addition, the IE SA considers that “the entitlement of the LSA to determine the scope of its own inquiries reflects the entitlement of each supervisory authority to manage its own resources and to regulate its own procedures” and “the fact that the LSA is primarily responsible for defending the adopted decision […] in the event of an appeal”[147]. The IE SA further notes that the approach adopted regarding the scope of the Inquiry does not entail any risk of non-uniform application of EU law, since the GDPR does not establish any particular requirement as to the scope of the investigations carried out by the SAs[148].

165. As to the lack of investigation of the factual level, the IE SA argues that, given the findings on the deficiency of the information provided, the outcome of the transparency assessment would not change regardless of what processing takes place[149]. The IE SA also notes that the Draft Decision represents an assessment of the materials relied upon by WhatsApp IE at a particular point in time and does not purport to be determinative of all WhatsApp IE transparency issues into the future[150]. Additionally, regarding the contradictions on the information on the sharing of data with Facebook, the IE SA notes that the Draft Decision contains the order to WhatsApp IE to remedy the information deficits identified[151].

166. Regarding the impact of the Draft Decision on the data subjects’ effective judicial protection, the IE SA stresses that no complaint is displaced by the existence of the Inquiry and that the assessments and outcomes recorded in the Draft Decision will not impact upon the unique circumstances of an individual complainant[152].

***

167. The LSA considered that the objection raised by the HU SA on the finding of an additional infringement due to the invalidity of the consent obtained by WhatsApp IE is not “relevant and reasoned”, since it falls outside the scope of the investigation, which focused only on WhatsApp IE’s transparency obligations. The IE SA also clarified that a separate investigation was pending on the issue of the legal grounds relied upon by WhatsApp IE[153].

7.1.4 Analysis of the EDPB

7.1.4.1 Assessment of whether the objections were relevant and reasoned

168. The EDPB is of the opinion that the objections raised by the DE SA, relating respectively to the incomplete scope of the investigation regarding the factual level of the processing and the lack of investigation regarding data transfers to Facebook, are not "relevant and reasoned" as required by Article 4(24) GDPR.

169. In this respect, the EDPB first notes that the Guidelines on RRO address the situation in which an objection identifies gaps in the draft decision justifying the need for further investigation[154]. When such objection is raised, it would be sufficient for the CSA to present the arguments in a conclusive and substantiated manner[155].

170. As stated in the Guidelines on RRO, an objection is relevant when, if followed, it would entail a change leading to a different conclusion as to the existence of an infringement of the GDPR or the compliance of the envisaged action with the GDPR. Thus, there needs to be a link between the content of the objection and such potential different conclusion[156]. Likewise, an objection is reasoned when, inter alia, it demonstrates how the change would lead to a different conclusion[157].

171. In this case, the EDPB considers that the objections raised by the DE SA fail to clearly identify how the objection, if followed, would entail a change leading to a different conclusion as to whether there is an infringement of the GDPR. Regarding the first objection on the incompleteness of the scope, while the DE SA states that “crucial questions of fact and legal issues have been omitted and not examined" and that "when reviewing Art. 13, 14 GDPR it is necessary to determine in a first step which data processing actually takes place (factual level)"[158], it does not specify which questions and issues should have been examined. Likewise, with regard to the objection on the lack of investigation of data transfers to Facebook, the DE SA argues that a more thorough investigation should have taken place[159], albeit it does not clearly set out which elements should have been considered. The EDPB recalls that abstract or broad concerns cannot be considered relevant[160]. Therefore, although the DE SA explained to the satisfaction of the EDPB the reasons why it considers a change in the Draft Decision to be necessary, as well as the significance of the risk posed by the Draft Decision if it were to be issued unchanged, the EDPB considers that it did not identify with sufficient detail how the objection, if followed, would entail a change leading to a different conclusion as to whether there is an infringement of the GDPR. Since this is one of the elements that needs to be fulfilled in order to consider an objection relevant and reasoned, the EDPB considers these objections to not be relevant and reasoned.

Although the objection of the HU SA relating to the invalidity of the consent obtained by WhatsApp IE is relevant and includes justifications for the changes proposed in the objection and how the proposed change would lead to a different conclusion in the Draft Decision, it does not satisfy all the requirements stipulated by Article 4(24) GDPR. In particular, the objection raised does not explicitly motivate why the Draft Decision itself, if left unchanged, would present risks for the fundamental rights and freedoms of data subjects. In addition, the EDPB notes that the HU SA’s objection does not explicitly elaborate why such a risk is substantial and plausible[161]. Therefore, the EDPB concludes that the objection of the HU SA does not provide a clear demonstration of the risks as specifically required by Article 4(24) GDPR.

7.2 Objections relating to the additional infringement of Articles 5(1)(a) / 5(2) GDPR

7.2.1 Analysis by the LSA in the Draft Decision

172. In light of the aforementioned Inquiry’s scope, the Draft Decision draws conclusions regarding WhatsApp IE’s compliance with its obligations under Articles 14 and 12(1) GDPR in the context of personal data processing of non-users and Articles 13 and 12(1) GDPR in the context of processing personal data of users. The Draft Decision makes several references to Article 5(1)(a) GDPR and the principle of transparency[162]. Likewise, the accountability principle under Article 5(2) GDPR is also mentioned in several passages[163]. However, the Draft Decision does not address whether Articles 5(1)(a) and 5(2) GDPR have been infringed.

7.2.2 Summary of the objections raised by the CSAs

173. The HU SA raised an objection stating that the Draft Decision should be amended to include findings of infringement of Articles 5(1)(a) and 5(2) GDPR. The HU SA is of the view that, given “the intentional nature”, as well as the severity of the infringements for the data subjects, the finding of a violation of Articles 12, 13 and 14 GDPR also gives rise to a breach of the principle of transparency set out in Article 5(1)(a) GDPR. Furthermore, the HU SA considers that a demonstrable failure to comply with the principle of transparency leads to a failure to demonstrate compliance with the principle of accountability as required by Article 5(2) GDPR, as these principles are closely interlinked. According to the HU SA, the breach of the accountability principle is, in addition, supported by the intentional nature of the infringement committed by WhatsApp IE. Therefore, the HU SA argues that the Draft Decision should also find a breach of the principle of accountability set out in Article 5(2) GDPR.

***

174. The IT SA raised an objection arguing that the Draft Decision should also contain a finding of an infringement of Article 5(1)(a) GDPR. The objection claims that, even though the Draft Decision refers to Article 5(1)(a) GDPR several times, it does not draw a conclusion of an infringement of such provision. The IT SA observes that, given that transparency is the focus of the Inquiry and consequently of the Draft Decision, and that Article 5(1)(a) GDPR has a general, overarching nature, the Draft Decision should include a finding of infringement of that provision.

7.2.3 Position of the LSA on the objections

175. The LSA considered that the objection raised by the HU SA with regard to the possible infringement of Articles 5(1)(a) and 5(2) GDPR was not relevant and reasoned, since it fell outside the scope of the Inquiry[164]. Nonetheless, the LSA acknowledged that the objection regarding the possible infringement of Article 5(1)(a) GDPR could be followed considering that it is consistent with the scope and findings of the Draft Decision, subject to allowing WhatsApp IE the right to be heard before taking a final decision on the matter[165]. Furthermore, the IE SA also expressed its intention to follow the objection raised by the HU SA with regard to the possible infringement of Article 5(2) GDPR, should an infringement of Article 5(1)(a) GDPR be found, considering that the accountability principle is closely interconnected with the obligation of the controller to comply with the principle of transparency[166]. As before, this would be subject to allowing WhatsApp IE the right to be heard before taking a final decision on the matter.

176. Despite this, the responses received from the CSAs showed that there was no single proposed compromise position that could be agreed upon by all of the relevant CSAs. The IE SA clarified that the Article 65 GDPR referral was made under the circumstances where the objections made by the CSAs were not “followed”[167].

177. The LSA considered that the objection raised by the IT SA with regard to the infringement of Article 5(1)(a) GDPR was not relevant and reasoned, since it fell outside the scope of the Inquiry[168]. Nonetheless, the LSA acknowledged that it would be consistent with the scope and findings of the Draft Decision to follow the objection, subject, as mentioned above, to allowing WhatsApp IE to exercise its right to be heard before taking a final decision on the matter[169].

178. Despite this, as explained above, the responses received from the CSAs showed that there was no single proposed compromise position that was agreeable to all of the relevant CSAs. For the sake of completeness, the EDPB takes note that the IT SA welcomed the proposal by the IE SA in its response. The IE SA clarified that the Article 65 GDPR referral was made in circumstances where it does not propose to “follow” the objections raised by the CSAs[170].

7.2.4 Analysis of the EDPB

7.2.4.1 Assessment of whether the objections were relevant and reasoned

179. Although the objection of the HU SA relating to the additional infringements of Articles 5(1)(a) and 5(2) GDPR is relevant and includes justifications concerning why and how issuing a decision with the changes proposed in the objection is needed and how the change would lead to a different conclusion in the Draft Decision, it does not satisfy all the requirements stipulated by Article 4(24) GDPR. In particular, the objection raised does not explicitly motivate why the Draft Decision itself, if left unchanged, would present risks for the fundamental rights and freedoms of data subjects. In addition, the EDPB notes that the HU SA’s objection does not explicitly elaborate why such a risk is substantial and plausible[171]. Therefore, the EDPB concludes that the objection of the HU SA does not provide a clear demonstration of the risks as specifically required by Article 4(24) GDPR.

***

180. The EDPB notes that the objection of the IT SA concerns “whether there is an infringement of the GDPR” as it states that the Draft Decision should include an additional infringement of Article 5(1)(a) GDPR[172]. The EDPB considers that the objection is to be considered “relevant” since if followed, it would lead to a different conclusion as to whether there is an infringement of the GDPR[173]. More specifically, it includes a “disagreement as to the conclusions to be drawn from the findings of the investigation”, since it states that the “findings amount to the infringement of a provision of the GDPR […] in addition to […] those already analysed by the draft decision”[174]. The EDPB is thus not swayed by the arguments put forward by WhatsApp IE which stated that this objection is not relevant because it does not refer to the “specific legal and factual content of the draft decision” and relates to “a matter that have not formed part of the Inquiry”, since the objection clearly sets out a disagreement as to the conclusions reached by the IE SA[175].

181. The EDPB also considers the objection “reasoned” since it puts forward several legal arguments for the proposed additional infringement, clearly explaining the reasons for the objection[176]: the additional infringement stems from the scope and findings of the Draft Decision, which also mentions Article 5(1)(a) GDPR[177], and from the overarching nature of Article 5(1)(a) GDPR. Additionally, the EDPB finds that the objection of the IT SA clearly demonstrates the significance of the risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects, since it would create a dangerous precedent that would jeopardise the effective protection of the data subjects and thus entail flawed corrective actions. WhatsApp IE argues that the objection is “unsupported by clear reasoning”, as it is based on “the assumption that an infringement of Articles 12 to 14 GDPR must automatically qualify as an infringement of Article 5(1)(a) GDPR”[178], and considers that the objection does not adequately demonstrate the risk, since Article 5(1)(a) GDPR was outside the scope of the Inquiry and the findings of infringements in the Draft Decision address the concerns of the IT SA[179]. Nonetheless, the EDPB considers the objection to be adequately reasoned and recalls that the assessment of the merits of the objection is made separately, after it has been established that the objection satisfies the requirements of Article 4(24) GDPR[180].

182. On this basis, the EDPB considers that the objection raised by the IT SA on the infringement of Article 5(1)(a) GDPR qualifies as a relevant and reasoned objection pursuant to Article 4(24) GDPR.

7.2.4.2 Assessment on the merits

183. The EDPB now analyses the relevant and reasoned objection of the IT SA on Article 5(1)(a) GDPR, as well as the LSA’s Composite Response to those objections and WhatsApp IE’s submissions.

184. The IT SA argues that, given that transparency has been identified by the IE SA as the core of the Inquiry, and the Draft Decision contains findings of infringements of Articles 12 to 14 GDPR, the Draft Decision should also contain a finding of non-compliance with article 5(1)(a) GDPR. The IT SA argues that “Article 5(1)a. is a provision of a general nature setting forth one of the seven key principles underlying the whole framework of the Regulation”[181]. The IT SA also observes that the Draft Decision refers “cursorily to Article 5(1)a. in various passages […], however it does not ultimately draw the conclusion that there was an infringement of that provision as well”[182]. Finally, the IT SA considers that the finding of an infringement of such provision would not undermine WhatsApp IE’s right to be heard, given that “this is a provision of a general, overarching nature compared to Articles 12 to 14 GDPR, so that WhatsApp’s defence regarding those Articles may be automatically relayed back to the general principle as well”[183].

185. In the Composite Response, the IE SA acknowledges that “[h]aving considered this objection against the backdrop of the existing scope, facts identified and provisional findings previously notified to WhatsApp concerning various infringements of Articles 12, 13 and 14, IE SA considers, on a preliminary basis, that a finding that WhatsApp has infringed Article 5(1)(a) insofar as it concerns transparency potentially may arise from the various findings of infringement of the more specific transparency obligations which are set out in the Composite Draft”[184].

186. In its submissions, WhatsApp IE outlined two different possible approaches. First, if the objections are premised on the assumption that a finding of non-compliance with Articles 12 to 14 GDPR must equate automatically to non-compliance with Article 5(1)(a) GDPR, they are insufficiently relevant and reasoned and from a procedural perspective the controller cannot be punished twice for the same conduct[185]. In this regard, WhatsApp IE agrees with the statement by the FR SA (which “fails to see on which facts, not already covered by the breach to article 12, the breach to article 5(1)(a) would be based” and “wonders if [the addition of fines in respect of such additional infringements] would be compatible with the principle according to which the same facts should be punished only one time”[186]).

187. Second, WhatsApp IE argues that according to the second approach, compliance with Article 5(1)(a) GDPR addresses something different to the provision of prescribed information in an appropriate manner, and would be a “more expansive principle, holistically encapsulating transparency, fairness and lawfulness,” and arguably concerned with the justifiability of a processing operation rather than with whether prescribed items of information have been provided[187]. Therefore, it would be possible for a processing operation to comply with Articles 12-14 GDPR and fall short of Article 5(1)(a) GDPR or vice versa[188]. More specifically, “a technical contravention of Articles 12 to 14 GDPR would not necessarily give rise to a ‘transparency’ failure under Article 5(1)(a) GDPR, if the controller has nonetheless made data subjects aware of the processing in question”[189]. WhatsApp IE submits that it complied with the obligations under Article 5(1)(a) GDPR in full, as it is a controller that has committed considerable resources to engaging with its users “and that publishes comprehensive information on its processing: therefore, even if it was found that information provided to data subjects was insufficiently granular or could have been provided in a different manner (such that there has been a technical contravention of Articles 12 to 14 GDPR), it would not necessarily follow that such a controller could be considered to be acting in an unfair or non-transparent manner which infringes Article 5(1)(a) GDPR”[190]. Also, if Article 5(1)(a) GDPR imposes a separate and distinct obligation, WhatsApp IE states that it meets these obligations, and this did not fall within the scope of the Inquiry, which means that WhatsApp IE needs to speculate as to what the case against it might be and is not in a position to exercise its full right to be heard[191]. According to WhatsApp IE, it would be procedurally unfair to incorporate a finding on this issue at this stage, also because it should have a proper opportunity to reply to fully reasoned arguments as to why there has been an alleged distinct infringement of Article 5(1)(a) GDPR[192].

188. The EDPB notes that the concept of transparency is not defined as such in the GDPR. However, Recital 39 GDPR provides some elements as to its meaning and effect in the context of processing personal data. As stated in the Transparency Guidelines, this concept in the GDPR “is user-centric rather than legalistic and is realised by way of specific practical requirements on data controllers and processors in a number of articles”[193]. The key provisions concretising the specific practical requirements of transparency are in Chapter III GDPR. However, there are other provisions that also realise the transparency principle, for example, Article 35 (data protection impact assessment) and Article 25 GDPR (data protection by design and by default), to ensure that data subjects are aware of the risks, rules and safeguards in relation to the processing, as stated in Recital 39 GDPR[194].

189. The EDPB also notes that transparency is an expression of the principle of fairness in relation to the processing of personal data and is also intrinsically linked to the principle of accountability under the GDPR[195]. In fact, as noted in the Transparency Guidelines, a central consideration of the principles of transparency and fairness is that “the data subject should be able to determine in advance what the scope and consequences of the processing entails” and should not be taken by surprise about the ways in which their personal data has been used[196].

190. Thus, it is apparent that, under the GDPR, transparency is envisaged as an overarching concept that governs several provisions and specific obligations. As stated in the Transparency Guidelines, “[t]ransparency is an overarching obligation under the GDPR applying to three central areas: (1) the provision of information to data subjects related to fair processing; (2) how data controllers communicate with data subjects in relation to their rights under the GDPR; and (3) how data controllers facilitate the exercise by data subjects of their rights”[197].

191. This being said, it is important to differentiate between the obligations stemming from the principle of transparency and the principle itself. The text of the GDPR makes this distinction by enshrining transparency as one of the core principles under Article 5(1)(a) GDPR on the one hand, and assigning specific and concrete obligations linked to this principle on the other. The concretisation of a broad principle in specific rights and obligations is not a novelty in EU law. For example, with regard to the principle of effective judicial protection, the CJEU has stated that it is reaffirmed in the right to an effective remedy and to a fair hearing, enshrined in Article 47 of the Charter[198]. Nonetheless, that does not imply that principles as such cannot be infringed. In fact, under the GDPR the infringement of the basic principles for processing is subject to the highest fines of up to 20.000.000€ or 4% of the annual turnover, as per Article 83(5)(a) GDPR.

192. On the basis of the above considerations, the EDPB underlines that the principle of transparency is not circumscribed by the obligations under Articles 12-14 GDPR, although the latter are a concretisation of the former. Indeed, the principle of transparency is an overarching principle that not only reinforces other principles (i.e. fairness, accountability), but from which many other provisions of the GDPR derive. In addition, as stated above, Article 83(5) GDPR includes the possibility to find an infringement of the transparency obligations independently from an infringement of the transparency principle. Thus, the GDPR distinguishes the broader dimension of the principle from the more specific obligations. In other words, the transparency obligations do not define the full scope of the transparency principle.

193. That being said, the EDPB is of the view that an infringement of the transparency obligations under Articles 12-14 GDPR can, depending on the circumstances of the case, amount to an infringement of the transparency principle.

194. In this particular case, the question that the EDPB is confronted with is whether the infringements of specific transparency obligations by WhatsApp IE amount to an infringement of the overarching principle of transparency under Article 5(1)(a) GDPR.

195. In the draft decision, the IE SA considers that WhatsApp IE has not complied with the following obligations under the GDPR with regard to the information provided to users of the service: obligations pursuant to Articles 13(1)(c) and 12(1)[199]; 13(1)(e) and 12(1)[200]; 13(1)(f) and 12(1)[201]; 13(2)(a)[202]; and 13(2)(c) and 12(1) GDPR[203]. With regard to non-users, the IE SA considers that WhatsApp IE has infringed its obligations under Article 14 GDPR, albeit noting that the personal data undergoing processing is very limited[204]. Finally, with regard to the transparency obligations in the context of sharing user data between WhatsApp IE and Facebook Companies, the IE SA considers that Articles 13(1)(c), 13(1)(e) and 12(1) have been infringed[205].

196. On the contrary, the IE SA did not find any infringement with regard to Articles 13(1)(a)-(b), 13(1)(d) and 13(2)(d) GDPR. With regard to Article 13(1)(d) GDPR, the EDPB reached the conclusion described in paragraph 66 above.

197. The EDPB also notes that, in its Composite Response, the IE SA recalls that the Draft Decision contains a finding whereby “the information provided by WhatsApp, in relation to its data processing operations and the legal basis/bases being relied upon to support any such processing, is so inadequate that it is not possible to identify: i) the specific processing operations taking place; (ii) the purpose of those processing operations; or (iii) the legal basis being relied upon to ground those processing operations”[206]. Indeed, the Draft Decision recalls that “it is impossible [for the IE SA] to understand which legal basis might be relied on for any particular act of processing”[207], and that “it is self-evident […] that there is a significant information deficit” which is exacerbated by the inaccessibility of the information[208]. This inaccessibility is also reflected in the Draft Decision, with the IE SA stating that the assessment of the material “was a needlessly frustrating exercise that required the extensive and repeated search of the Privacy Policy and related material to try and piece together the full extent of the information that had been provided”[209]. The IE SA considers that the deficiencies identified are such that the users “cannot make informed decisions in relation to whether or not they wish to continue using the service”[210] and that they may also be “deprived of the information they need to exercise their data subject rights”[211]. In fact, the IE SA’s assessment is that WhatsApp IE failed to provide 41% of the information required by Article 13 GDPR[212]. With regard to non-users, the IE SA considers that there has been a “total failure” to provide them with the required information. This information is “vitally important so as to enable the non-user to make an informed choice, in the event that he/she might consider joining the Service”[213].

198. In short, the IE SA considers that the infringements found in the Draft Decision “reflect a significant level of non-compliance” which impacts on all of the processing carried out by WhatsApp IE[214].

199. Taking all the above into consideration, the EDPB is of the view that, in this particular case, there has been an infringement of the transparency principle under Article 5(1)(a) GDPR, in light of the gravity and the overarching nature and impact of the infringements, which have a significant negative impact on all of the processing carried out by WhatsApp IE.

200. Furthermore, the EDPB considers that WhatsApp IE has been provided the right to be heard on this issue, contrary to its claims, since it had the opportunity to express its point of view on the objections raised by the CSA on this matter[215].

201. Therefore, the EDPB decides that the IE SA is required to amend its Draft Decision in order to include a finding of an infringement of the transparency principle enshrined in Article 5(1)(a) GDPR.

7.3 Objections relating to the additional infringement of Article 13(2)(e) GDPR

7.3.1 Analysis by the LSA in the Draft Decision

202. The Draft Decision notes that the Investigator did not propose or confirm any finding or conclusion with regard to the potential infringement of Article 13(2)(e) GDPR[216]. In its assessment, the Decision-Maker considers that the language used to provide the information “does not clearly identify the data that must be provided or the consequence of failure to provide that data”[217]. However, to the extent that compliance with the requirements of Article 13(2)(e) GDPR does not appear to have been pursued by the Investigator, the Draft Decision proposes no finding on this matter[218], although it recommends that WhatsApp IE consider its position in relation to the extent to which it has incorporated the information required by Article 13(2)(e) into its Privacy Policy (and Legal Basis Notice)[219]. The Draft Decision specifies that this recommendation is “on an obiter dicta basis and solely for the purpose of assisting WhatsApp to achieve compliance with its transparency obligations”[220].

7.3.2 Summary of the objections raised by the CSAs

203. The DE SA raised an objection stating that no finding was made regarding an infringement of Article 13(2)(e) GDPR although this was covered by the scope of the investigation. The DE SA does not consider appropriate the justification in the Draft Decision whereby, given the fact that the Investigator did not cover this issue within the investigation, the IE SA merely recommends that WhatsApp IE consider its position in relation to the extent to which it has incorporated the information prescribed by Article 13(2)(e) GDPR into its Privacy Policy.

204. Additionally, the DE SA underlines that the Draft Decision exposes “obvious ambiguities and confusion” regarding the provision of information on the extent of the minimum amount of personal data required to provide the service and the consequences of failure to provide data. The DE SA therefore considers that a finding should have been included concerning this provision in the Draft Decision in order to avoid the creation of a dangerous precedent (as “other controllers could see it as a sign of possibility to circumvent an administrative order regarding one specific data protection aspect, as long as the (first) inspection did not include investigations on that matter”[221]) and to ensure the protection of data subject rights on information and transparency. Finally, the DE SA points out that a sufficient investigation into this topic would have also been reflected in the amount of the fine as an independent infringement.

7.3.3 Position of the LSA on the objections

205. Regarding the required finding of an infringement of Article 13(2)(e) GDPR, the IE SA explains that the Decision-Maker was unable to reach a finding on this aspect of the matter in circumstances where it was not specifically examined by the Investigator. The making of any finding in those circumstances would have breached WhatsApp IE’s procedural rights under EU and Irish law[222]. Furthermore, it is unclear to the IE SA how the Draft Decision gives rise to risk, as regards the fundamental rights and freedoms of data subjects, as the IE SA had specifically addressed how WhatsApp IE should remedy the deficiencies in this context[223]. Finally, the IE SA states that it is unclear what meaningful impact a finding of infringement of Article 13(2)(e) GDPR would have made on the fine to be imposed, given that it would only have resulted in a slight increase in the extent of overall non-compliance with Article 13 GDPR and the fine that has been proposed reflects the finding of infringement of Article 14 GDPR (this being the “gravest infringement” for the purpose of Article 83(3) GDPR)[224].

7.3.4 Analysis of the EDPB

7.3.4.1 Assessment of whether the objections were relevant and reasoned

206. The DE SA’s objection concerning the infringement of Article 13(2)(e) GDPR is relevant as it concerns “whether there is an infringement of the GDPR” by specifically disagreeing with the failure by the Draft Decision to include a finding of an infringement of Article 13(2)(e) GDPR, which would also have been reflected in the amount of the fine. The EDPB also considers the objection “reasoned” as it points to the elements that would have, according to the CSA, required a different conclusion. The objection clearly demonstrates the significance of the risks posed by the Draft Decision for the fundamental rights and freedoms of data subjects by expressing the view that the Draft Decision creates a dangerous precedent as other controllers could see it as a sign of possibility to demand certain violations be ignored by supervisory authorities. The EDPB considers that this objection raised by the DE SA meets the threshold set by Article 4(24) GDPR.

207. As to the requirement for the objection to be “reasoned”, WhatsApp IE expressed the view that the DE SA’s objection is, inter alia, “speculative and premised on an incorrect presumption of infringement”, “does not identify legal arguments or factual evidence on the infringement of Article 13(2)(e) GDPR”, as well as relies on “unsubstantiated and theoretical risks”[225]. However, as outlined above the EDPB considers the objection to be adequately reasoned and recalls that the assessment of the merits of the objection is made separately, after it has been established that the objection satisfies the requirements of Article 4(24) GDPR[226].

7.3.4.2 Assessment on the merits

208. The EDPB now analyses the DE SA’s objections on Article 13(2)(e) GDPR found being relevant and reasoned as well as the LSA’s response to those objections and the submissions by WhatsApp IE.

209. Regarding the objection on Article 13(2)(e) GDPR, the EDPB notes that the IE SA indeed makes an assessment of WhatsApp’s Privacy Policy “Information We Collect” section, the “contractual necessity” section and the “About Our Services” section. Inter alia, the IE SA - in the view of the EDPB, rightfully - concludes that "[…] the language used does not clearly identify the data that must be provided or the consequences of failure to provide that data" and that certain parts of the cited Privacy Policy sections were confusing[227].

210. However, the IE SA does not make use of its corrective powers stipulated in Article 58(2) GDPR but (merely) recommends that "[…] WhatsApp consider its position in relation to the extent to which it has incorporated the information prescribed by Article 13(2)(e) into its Privacy Policy (and Legal Basis Notice)”[228]. According to the IE SA, the reason for this approach was that “[…] the requirements of Article 13(2)(e) GDPR does not appear to have been pursued by the Investigator (notwithstanding that it is covered by the scope of the within Inquiry, as set out in the Notice of Commencement)”[229].

211. The EDPB welcomes the IE SA’s initiative to provide WhatsApp IE with recommendations in order to provide data subjects with clearer and more transparent information concerning the processing of personal data at stake. Nonetheless, it has to be noted that, according to the IE SA, the Inquiry concerned "[…] the question of compliance or otherwise by WhatsApp Ireland Limited (“WhatsApp”) with its obligations pursuant to Articles 12, 13 and 14 of the GDPR"[230] without excluding Article 13(2)(e) GDPR from the Inquiry.

212. Furthermore, the EDPB stresses the importance of the information obligations as only full compliance with all aspects of Article 13 GDPR enables data subjects to be aware of, and verify, the lawfulness of the processing and to effectively exercise their rights as guaranteed by the GDPR.

213. Additionally, the EDPB notes that the IE SA in the Draft Decision stated that while “[i]t stands to reason that WhatsApp needs to process a certain, minimum amount of personal data in order to provide the Service”, “[t]he extent of the minimum required […] is not clear” from the Privacy Policy, nor are the possible consequences of the failure to provide data clearly set out, except for a reference within the section of the Legal Basis Notice dedicated to contractual necessity: “if you choose not to provide certain data, the quality of your experience using WhatsApp may be impacted”[231]. The IE SA found this to be “further confusing in circumstances where processing is either necessary for the purpose of administering a contract or it is not”[232].

214. Indeed, controllers should make sure to avoid any confusion as to what the applicable legal basis is. This is particularly relevant where the appropriate legal basis is Article 6(1)(b) GDPR and a contract regarding online services is entered into by data subjects. Depending on the circumstances, data subjects may erroneously get the impression that they are giving their consent in line with Article 6(1)(a) GDPR when signing a contract or accepting terms of service[233].

215. The EDPB takes note of the arguments put forward in WhatsApp IE’s submissions concerning whether Article 13(2)(e) GDPR was infringed. WhatsApp IE disagreed that an infringement of this provision took place, first of all, because the language of Article 13(2) GDPR makes clear that the requirements listed in this provision inherently depend on context and are only mandatory to the extent “necessary to ensure fair and transparent processing”[234]. The EDPB recalls that, instead, “there is no difference between the status of the information to be provided under sub-articles 1 and 2 of Articles 13 and 14 GDPR respectively, as all of the information across these sub-articles is of equal importance and must be provided to the data subject”[235]. WhatsApp IE also argued that the information to be provided pursuant to Article 13(2)(e) GDPR was adequately provided in the privacy policy and user-facing information, as well as in the sign-up flow[236]. Nevertheless, it appears from the observations made by the IE SA, as well as from the sentence quoted above from the Legal Basis Notice that such information was not provided in a way that clearly allows the user to understand what is necessary and what consequences arise from the failure to provide certain information, nor the nature of the “optional features”.

216. The EDPB sees no justification in excluding Article 13(2)(e) GDPR from the formal decision since the scope of the investigation inter alia covered compliance with Article 13 GDPR as such. The EDPB indeed considers that a stance of a SA where it displays that it will not exercise corrective powers impairs the position of data subjects to be fully aware of the processing at stake as a mere recommendation cannot be enforced and WhatsApp IE is not obliged to follow the view of the IE SA in this regard.

217. Furthermore, the EDPB considers that a finding of an infringement instead of a recommendation concerning Article 13(2)(e) GDPR does not undermine WhatsApp IE’s right to be heard, and in any case there is no right that certain aspects are excluded from an investigation. As outlined above, the investigation covered, inter alia, compliance with Article 13 GDPR as such, meaning the finding relates to the same subject-matter and not a completely different provision or chapter of the GDPR. Apart from this and as mentioned above, WhatsApp IE was given the opportunity to reflect on a potential finding of an infringement, clearly setting out its arguments, and took the stance that it had not infringed Article 13(2)(e) GDPR[237].

218. Therefore, in the view of the EDPB, it is a mere legal assessment whether the relevant sections of the Privacy Policy of WhatsApp are in compliance with the GDPR or not, as the factual findings (the use of the Privacy Policy of WhatsApp) are undisputed in this context and are sufficient to reach a legal conclusion. Therefore, the EDPB instructs the LSA to include in its final decision a finding of an infringement of Article 13(2)(e) GDPR, which it deems necessary as it considers a mere recommendation to be insufficient to ensure effective enforcement of the GDPR against WhatsApp IE and to fully protect the rights of natural persons as stipulated in Article 8 of the Charter of Fundamental Rights of the EU.

7.4 Objections relating to the lossy hashing procedure

7.4.1 Analysis by the LSA in the Draft Decision

219. The EDPB refers to the summary of the Draft Decision in section 6.1 above.

7.4.2 Summary of the objections raised by the CSAs

220. The EDPB refers to the summary of objections raised by the CSAs in section 6.2 above.

7.4.3 Position of the LSA on the objections

221. The EDPB refers to the summary of the position of the LSA on the objections in section 6.3 above.

7.4.4 Analysis of the EDPB

222. The EDPB refers to the assessment of whether the objections were relevant and reasoned in section 6.4.1 above.

7.4.4.1 Assessment on the merits - Objection relating to the additional infringement of Article 6(1) GDPR

223. In the view of the DE SA, the pseudonymised data regarding non-users is not processed lawfully by WhatsApp IE[238]. The DE SA argues that no legal basis under Article 6(1) GDPR requiring necessity would be applicable and, therefore, the correct assessment would most likely lead to a higher fine level[239]. The EDPB understands the concerns expressed by the DE SA. However, the file submitted to the EDPB does not contain sufficient elements that would allow the EDPB to establish the existence of an infringement of Article 6(1) GDPR.

224. The EDPB recalls that a relevant and reasoned objection may refer to the finding of additional infringements[240]. The information included in the file and the reasoning provided in the objection should be taken into account by the EDPB when determining whether or not there has been an infringement of the GDPR[241]. In this regard, the EDPB is aware that, as a general matter, the limited scope of the Inquiry by the IE SA - focused since the outset only on whether there were infringements by WhatsApp IE of Articles 12-14 GDPR - directly affects the remit of the investigation and further fact finding, which may therefore impact on the ability for CSAs to substantiate their objections in such a way that would allow the EDPB to make a final determination on the matter.

225. In any case, the EDPB notes that the DE SA has raised relevant concerns in its objection as to the lawfulness of the processing of personal data of non-users and underlines the importance of taking them into consideration in the context of any current or future investigation of the IE SA. The EDPB recalls the obligation of the LSA to cooperate with the CSAs with an “endeavour to reach consensus”, and the mutual obligation to exchange all relevant information[242]. The EDPB also recalls that, even in case of an own-volition inquiry, the LSA should seek consensus regarding the scope of the procedure[243] and should anyway frame the scope in such a way that permits the CSAs to effectively fulfil their role, alongside the LSA, when determining whether there has been an infringement of the GDPR[244]. Moreover, the EDPB underlines that every CSA has the possibility to submit to the LSA a request for mutual assistance under Article 61 GDPR to ask that their concerns regarding the lawfulness of the processing be addressed. Therefore, due regard should be given to the concerns of the DE SA by the IE SA. In light of the above, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objection raised by the DE SA with respect to the lawfulness of the processing of non-users data.

7.4.4.2 Assessment on the merits - Objection relating to the additional infringement of Article 14 GDPR

226. The EDPB notes that the objections issued by the IT SA, the NL SA, and the PT SA, as they consider the data resulting from the Lossy Hashing procedure to be personal data, argue that the infringement of Article 14 GDPR must also refer to such data[245]. These objections also point out that, due to the change made by the LSA in its finding, the proposed fine[246] was also changed.

227. As elaborated in Section 6.4.2, the EDPB concurs with the position of the CSAs that the data resulting from the Lossy Hashing procedure, which is stored as Non-User lists, is personal data. Furthermore, as pointed out in multiple objections, the EDPB notes that in the Draft Decision the LSA has changed its original finding as to whether the non-user data after the application of the Lossy Hashing procedure constitute personal data (compared to those reached in the investigation stage), and that also the following sections of the previously shared version of the Draft Decision[247] were amended on the basis of such modified finding.

228. As a consequence, the EDPB points out that the existence of an infringement of Article 14 GDPR is stipulated in the Draft Decision[248] and was not challenged in any of the objections submitted by the CSAs. The only aspect that needs to be assessed is whether, as a consequence of the conclusion concerning the nature of the non-user data after the application of the Lossy Hashing procedure, the infringement of Article 14 GDPR extends to such data, too, and whether this needs to be reflected in the choice of corrective measures and amount of the administrative fine.

229. In this regard, the EDPB agrees with the CSAs’ objections that the infringement of Article 14 GDPR extends as well to the processing of non-users’ data in the form of Non-User Lists after the Lossy Hashing procedure was applied, and instructs the LSA to amend its Draft Decision accordingly.

230. It is important to note at this point that neither the LSA nor WhatsApp IE provided elements that refer to the CSAs position that the extent of the infringement of Article 14 GDPR needs to be reassessed in case the result of the Lossy Hashing procedure is personal data[249].

231. Finally, the IT SA, NL SA and the PT SA considered that if the extent to which Article 14 GDPR is infringed changes, this should be reflected in the considerations for the sanctions (NL SA) or the administrative fine (IT SA and PT SA). Analogously, the FR SA noted in its objection that the incorrect finding regarding the Lossy Hashing procedure led to a decrease of the fine by the LSA regarding Article 14 GDPR.

232. With respect to the need for the enlarged infringement of Article 14 GDPR to be reflected in the corrective measures, as brought up by the aforementioned objections, see section 9.4; for the considerations on the sanctions as a general matter, see sections 8 and 9.

7.4.4.3 Assessment on the merits - Objection relating to the additional infringement of Article 5(1)(c) GDPR

233. In its objection, the HU SA raised that it does consider the processing of non-users’ data excessive in view of the purpose of the processing. It argued that the same result can be achieved if WhatsApp IE periodically compares the hash database of users’ phone numbers with the contact list to see if the user knows a person who has registered since the previous check. This way, according to the HU SA, WhatsApp IE does not need to continuously store all non-users’ data, but still provides the Contact Feature offered. Therefore, while acknowledging that this aspect was not covered by the investigation, the HU SA proposes to declare an infringement of Article 5(1)(c) GDPR.

234. The EDPB notes that WhatsApp IE has in its view not provided a full submission dedicated to this aspect, as it deems that (i) the issues have not been investigated and it has not had an opportunity to respond to them during the course of the Inquiry, (ii) it was not able to respond to provisional findings of the LSA in relation to this issue and (iii) that the objections are insufficiently reasoned to allow it to adequately exercise its right to be heard[250]. According to WhatsApp IE, including these allegations at this late stage would violate the right to fair procedure as a matter of EU law and Irish law, and the decision would thereby be unlawful.

235. However, WhatsApp IE still states that, as far as it is able to understand the objections, they are unfounded in substance and that it can confirm that its processing of personal data does not infringe Article 5(1)(c) GDPR.

236. Further, both the LSA, in its Composite Response, and WhatsApp IE, in its Article 65 Submissions, argue that it is unclear how the HU SA reached the conclusion that the same end result can be achieved with less processing of personal data.

237. Additionally, WhatsApp IE argues that it is processing the minimum amount of information required for the purpose pursued, which is the quick and efficient update of the WhatsApp contact list. It argues that this is demonstrated by only accessing the phone numbers stored in the address book of a user’s mobile phone, submitting it to the Lossy Hashing procedure and using that data exclusively for this purpose.

238. Further, the EDPB notes that the objection by the HU SA stipulates a general approach on how the updating of the WhatsApp contact list could be done using less personal data.

239. The EDPB considers that the file does not contain sufficient elements to allow the EDPB to establish the existence of an infringement of Article 5(1)(c) GDPR, in particular having regard to the purpose and nature of the processing at issue. The EDPB recalls that each CSA has the possibility to submit to the LSA a request for mutual assistance under Article 61 GDPR to ask that their concerns be addressed.

8 ON THE CORRECTIVE MEASURES DECIDED BY THE LSA - IN PARTICULAR, THE PROPOSED ORDER TO BRING PROCESSING INTO COMPLIANCE

8.1 Analysis by the LSA in the Draft Decision

240. Among the proposed corrective measures, the Draft Decision includes an order to bring processing operations into compliance, pursuant to Article 58(2)(d) GDPR. The aim of the order is to bring about the required remedial action, in conjunction with the reprimand which serves to formally identify and recognise the fact of infringement[251].

241. The order is set out in Appendix C of the Draft Decision and includes seven actions requiring WhatsApp IE to provide information in compliance with Articles 12-14 GDPR as assessed in the Draft Decision. For each action, the deadline for compliance is set to a period of six months, commencing on the day following the date of service of the order[252].

8.2 Summary of the objections raised by the CSAs

242. The HU SA objected to the six-month deadline for compliance specified in the order to bring processing operations into compliance (Appendix C of the Draft Decision, hereinafter ‘compliance order’), which the HU SA characterised as a “grace period”. The HU SA argued that the deadline for compliance is too long for the corrective measure to be considered appropriate, recalling that “the applicable legal sanction must be chosen in a way for it to be effective, proportionate and dissuasive”[253], and that it was not in line with Recital 148 GDPR which requires that the nature, gravity and consequences of the infringement must be taken into account. In the present case, the HU SA considers in particular the number of data subjects affected and the nature of the infringement pertinent. For this reason, the HU SA argues that the Draft Decision should not have included a period of six months as a deadline for compliance, or that it should have been shorter.

243. In addition, with regard to the part of the proposed order in the Draft Decision relating to the provision of the information prescribed by Article 14 to non-users[254], the HU SA also raised an objection whereby it argued that providing the information on WhatsApp’s website is not appropriate for providing information to non-users, since non-users may not know of the existence of the service and, therefore, are not expected to look for the information on the website. As this objection also relates to the Lossy Hashing procedure, it is summarised in Section 6.2 of the present decision.

244. The NL SA raised concerns in its objection that the Draft Decision seems to consider that only a slight amendment of policies would suffice to remedy the infringement of Article 14 GDPR, whereas if non-user data after the application of the Lossy Hashing procedure are found to be personal data, more amendments to WhatsApp’s privacy policy than currently envisaged in Appendix C of the Draft Decision may be necessary (see paragraph 105 above; as this objection also relates to the Lossy Hashing procedure, it is summarised in Section 6.2 of the present decision).

8.3 Position of the LSA on the objections

245. In its Composite Response, the IE SA considered that while an objection to the terms of an order is a subject matter captured by the scope of Article 4(24) GDPR, the objection raised by the HU SA - requesting to either remove or minimize the period of six months as a deadline for compliance - was not “relevant and reasoned”[255].

246. On the merits of the objections, the IE SA explained that it had initially proposed a three-month compliance deadline for all actions save for those in connection with non-users, for which a six-month deadline was proposed. The IE SA added that “WhatsApp, by way of its Supplemental Draft Submissions, explained that it could not make the required changes within the deadlines proposed” and “[i]n light of WhatsApp’s position and the detailed explanations put forward by WhatsApp as to the implementation timeframe, IE SA adjusted the deadlines for compliance proposed in the order to the shortest deadline possible, by reference to the constraints identified by WhatsApp”[256].

247. The Composite Response summarises WhatsApp IE’s submissions on the initial proposal of a three-month deadline for all actions save for those in connection to non-users as follows:

“… the implementation of changes to [WhatsApp’s] Privacy Policy and other user facing information is an involved and resource intensive process that requires sufficient lead in time for preparing the relevant changes, internal cross-functional engagement as well as of course engagement with the Supervision Team in [IE SA], localisation and translation of the information for countries in the European Region, and implementing technical changes in the WhatsApp app across five different operating systems. Accordingly, and without prejudice to WhatsApp’s position that it has not infringed [the] GDPR and that any order is unnecessary, if [IE SA] was to require WhatsApp to make further changes over and above those it is voluntarily aiming to make this year, WhatsApp would require at least six months to implement these changes, with the ability for WhatsApp and [IE SA] to have potential flexibility around that period in order, for example, to allow WhatsApp to engage with the Supervision Team in [IE SA] as it usually does or deal with unforeseen technical issues”[257].

248. The IE SA further pointed out that “non-compliance with the order would constitute a separate infringement of the GDPR and would give rise to the risk of further action being taken against WhatsApp. In the circumstances, it would be unfair for IE SA to impose an order, the terms of which cannot be complied with by WhatsApp”[258].

249. While the final position taken by the IE SA was to not follow any of the objections[259], in the Composite Response the IE SA had made a compromise proposal to take into consideration the concerns expressed by the HU SA in the follow-up of WhatsApp IE’s compliance with the actions set out in the order. In particular, the IE SA stated that it would require that “the time line for implementation of the order requires full compliance by WhatsApp within an absolute maximum timeframe of 6 months” and it would include additional text in the order “to emphasise that the interests of data subjects require expeditious implementation” and “that, in its supervision of implementation of the order, [it would] be driving for early implementation and testing any assertions made by WhatsApp as to the relevant time frames required in respect of each corrective implementation measure”[260].

8.4 Analysis of the EDPB

8.4.1 Assessment of whether the objections were relevant and reasoned

250. In its objection, the HU SA disagrees with the deadline for compliance provided for in the compliance order (Appendix C of the Draft Decision) and thus concerns “whether the action envisaged in the draft decision complies with the GDPR”[261]. There is a direct connection between the objection and the substance of the draft decision at issue, therefore the EDPB considers the objection to be relevant.

251. The HU SA sets out legal and factual arguments, namely the nature, gravity and consequences of the infringement as well as the number of affected data subjects, as reasons for objecting to the deadline for compliance. Further, the HU SA sets out its view on how the Draft Decision ought to be changed (non-application or minimization of the period of six months as a deadline for compliance). The HU SA argues that if the Draft Decision was not amended in this instance it would “[undermine] confidence in the institution of data protection within the EU, which could cause a serious crisis of confidence among the concerned data subjects”, since the Draft Decision would allow the processing to continue for a further 6 months under circumstances that “severely restrict[] the fundamental rights and freedoms of hundreds of millions of EU citizens”[262], which demonstrates sufficiently clearly the significance of the risks posed by the Draft Decision in the HU SA’s view. Therefore, the EDPB considers the objection to be reasoned.

252. WhatsApp IE considers the objection neither relevant nor sufficiently reasoned to meet the threshold of Article 4(24) GDPR. The arguments presented address the merits of the objection, not whether it is relevant and reasoned[263]; therefore the EDPB is not swayed as far as the assessment of whether the Article 4(24) GDPR threshold itself is met.

253. The EDPB concludes that the HU SA’s objection on the deadline for compliance is relevant and reasoned. Additionally, the EDPB recalls that it concluded the same for what concerns the objection of the HU SA raising the fact that it is not appropriate to provide information to non-users via the website and the objection of the NL SA. Consequently, in the following section, the merits of these objections will be assessed[264].

8.4.2 Assessment on the merits

8.4.2.1 On the deadline for compliance

254. The EDPB recalls Recital 129 GDPR on the exercise of powers by supervisory authorities, which recalls the need to adopt measures that are appropriate, necessary and proportionate in accordance with the circumstances of the case[265].

255. The EDPB notes that the HU SA argued that the deadline for compliance suggested in the Draft Decision would not be in line with Recital 148 GDPR and more specifically with the need for the “applicable legal sanction” to be “chosen in a way for it to be effective, proportionate and dissuasive”, taking into account the nature, gravity and consequences of the infringement. It can be acknowledged - as highlighted also by WhatsApp IE[266] - that this recital refers primarily to the imposition of penalties, including administrative fines, which should be imposed in addition to, or instead of appropriate measures imposed by the SA.

256. Nevertheless, it can also be noticed that Recital 148 GDPR also refers, for instance, to the imposition of a reprimand instead of a fine in case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person. Therefore, the indications provided by this Recital can be relevant for the imposition of corrective measures in general and for the choice of the combination of corrective measures that is appropriate and proportionate to the infringement committed. Additionally, the need for the corrective measures and any exercise of powers by supervisory authorities to be tailored to the specific case is more broadly expressed also by Recital 129 GDPR.

257. The EDPB takes note of WhatsApp IE’s statement that “compliance with transparency obligations involves considerable challenges, particularly for controllers who have to explain complex data processing to a wide variety of non-expert users in a way that is nonetheless concise, intelligible, and easily accessible. This is particularly acute in WhatsApp Ireland’s case given the Service - which involves a variety of highly technical processes - is used by a broad demographic”, and that the period for compliance needs to be a time within which WhatsApp can actually comply[267]. WhatsApp IE further adds that “the implementation of changes to its Privacy Policy and other user facing information is an involved and resource intensive process that requires sufficient lead in time for preparing the relevant changes, internal cross-functional engagement as well as of course engagement with the Commission, localisation and translation of the information for countries in the European Region, and implementing technical changes in the WhatsApp app across five different operating systems”[268].

258. The EDPB notes that the HU SA’s objection refers to the number of data subjects affected and the nature of the infringement, both of which are pertinent to determine the appropriate, necessary and proportionate deadline for the order. In its Draft Decision, the IE SA explicitly considers the significance, utility and function of the transparency obligation, as well as the number of data subjects affected[269]. However, the HU SA’s objection emphasises the need to remedy the infringements within a short timeframe in light of their nature, gravity and consequences in terms of restricting the fundamental rights and freedoms of hundreds of millions of EU citizens.

259. In light of the considerable number of individuals affected in the EU, the EDPB shares the concerns of the HU SA as articulated above, highlighting the importance of the interests of the affected data subjects in seeing Articles 12-14 GDPR complied with within a short timeframe. The EDPB takes note of the challenges highlighted by WhatsApp IE when it comes to implementing changes to its privacy policy, but in light of the circumstances of the case, in particular the type of organisation, its size and the means (including inter alia financial resources but also legal expertise) available to it, finds it of primary importance that compliance with transparency obligations is ensured in the shortest timeframe possible. If WhatsApp IE was found to need six months to update its Privacy Policy to implement the LSA’s clear and specific requests, the SAs would be expected to allow much longer timeframes for any smaller organisation, which, in the view of the EDPB, is not appropriate and proportionate in view of ensuring compliance with the GDPR.

260. Moreover, in the circumstances of the present case, the EDPB does not see how a compliance period of three months could be considered disproportionate[270].

261. With respect to WhatsApp IE’s arguments as to the need for sufficient time to allow “engagement with the Commission”, the EDPB notes the IE SA’s Draft Decision contains a comprehensive assessment, guidance and commentary, sufficiently clear and precise to allow WhatsApp IE to fulfil its obligations in accordance with the specific provisions on transparency (Articles 12-14 GDPR) and in view of the accountability principle (Article 5(2) GDPR), with a minimum need to interact with the IE SA in order to implement the request.

262. As regards the argument raised by the IE SA, relating to the fact that non-compliance with the order would constitute a separate infringement of the GDPR and would give rise to the risk of further action being taken against WhatsApp IE, although it is true that non-compliance with an order constitutes a separate infringement of the GDPR (in accordance with Article 83(6) GDPR), it is speculative at this stage whether this situation will occur.

263. In light of the above, the EDPB decides that the IE SA is required to amend its Draft Decision to the effect that the period of six months deadline for compliance is reduced to a period of three months.

8.4.2.2 On other issues concerning the order to bring processing into compliance

264. Regarding the objection of the HU SA, which considers that it is not appropriate to provide information to non-users via the website, the HU SA argues that including the information on WhatsApp’s website is not the “appropriate method of providing information” since non-users may not know of the existence of the service and, therefore, are not expected to look for the information on the website. Thus, WhatsApp IE “cannot prove […] that non-users will learn about the privacy policy”[271].

265. The EDPB notes that the IE SA has taken into account in its Draft Decision that non-users are “unlikely to have a reason to visit WhatsApp’s website”[272]. Thus, according to the IE SA “WhatsApp should give careful consideration to the location and placement of such a public notice so as to ensure that it is discovered and accessed by as wide an audience of non-users as possible” and that “the non-user transparency information must be presented separately (by way of a separate notice, or a separate section within the existing Privacy Policy, or otherwise) to the user-facing transparency information so as to ensure that it is as easy as possible for non-users to discover and access the information that relates specifically to them"[273].

266. The EDPB acknowledges that many data subjects who do not make active use of WhatsApp services might not visit WhatsApp’s website in order to retrieve information regarding the processing of non-user data. However, given the arguments raised and that the Draft Decision already instructs WhatsApp IE to give careful consideration to the location and placement of the public notice to non-users, the EDPB does not see the need to amend the Draft Decision. This is without prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSA.

267. In light of the above, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objection raised by the HU SA with respect to the order to provide the information to non-users.

268. With respect to the NL SA objection concerning the amendment of policies that would be necessary for WhatsApp IE to remedy the infringement of Article 14 GDPR, the EDPB directs the IE SA to ensure that the order to bring processing into compliance, to the extent that it covers the infringement of Article 14 GDPR, clearly reflects the expanded scope of the infringement of this provision as described in section 7.4.4.2 above (i.e. its connection also to non-user data after the application of the Lossy Hashing procedure).

9 ON THE CORRECTIVE MEASURES - IN PARTICULAR, THE ADMINISTRATIVE FINE

9.1 Preliminary matters: the turnover of the preceding financial year

9.1.1 Analysis by the LSA in the Draft Decision

269. After determining a proposed range for the fine amount, the Draft Decision turns to Article 83(5) GDPR, which sets the maximum amount of any fine that may be imposed in respect of certain types of infringement[274]. The notion of ‘undertaking’ is determined to encompass WhatsApp IE and Facebook, Inc. Accordingly, the relevant fining “cap” is calculated by reference to the worldwide annual turnover of the undertaking as a whole, rather than that of the controller or processor concerned. The Draft Decision concludes that the fine proposed does not exceed the applicable fining “cap” prescribed by Article 83(5) GDPR, calculated with reference to the combined turnover for Facebook, Inc. and WhatsApp IE for the year ending 31 December 2019 (estimated at approximately […])[275].

9.1.2 Summary of the objections raised by the CSAs

270. The DE SA raised an objection concerning different aspects of how the Draft Decision approaches the turnover figure of the preceding financial year in the present case.

271. Firstly, the DE SA considered that “[according] to the IV/2019 quarterly report, Facebook Inc.’s total revenue was USD 70.7 billion. According to Recital 150 of the GDPR, the concept of undertakings laid down in Articles 101 and 102 TFEU is relevant. Therefore, the doctrine of the Single Economic Unit must be applied. Such an undertaking may consist of various legal persons. The overall turnover of the Single Economic Unit is therefore key and reference point for assessing and determining whether a fine is effective, proportionate and deterrent”[276]. This objection considers that the Draft Decision should be amended so that the turnover figure reflected in Part 4 is that of the entire Facebook group.

272. Secondly, the DE SA argued that the turnover figure reflected in Part 4 of the Draft Decision should be amended to the turnover figure for the financial year ending 31 December 2020. The DE SA explained that the “[t]he event from which to determine the “previous year” is the fining decision of the Supervisory Authority, not the event of infringement. The decision of the DPC is expected to be made in 2021. The previous financial year is therefore the calendar year 2020, so its values must be taken into account. Key financial figures communicated by the group in the course of the year indicate that the annual revenue for 2020 could be at least 15% higher than the annual revenue for 2019. Due to such significant differences in the course of the year, older figures cannot be used for practical reasons either”[277].

273. Finally, in its objection, the DE SA argued that the turnover figure should be taken into account for the determination of the fine amount, adding that “[t]he high annual results (profits) and the high profitability of the company are not taken into account discernibly when calculating the fines. However, the sensitivity to punishment is significantly influenced by the level of returns and must be taken into account in order to achieve the goal of specific deterrence. In our opinion, when it comes to setting an effective fine within the meaning of Art. 83(1) GDPR, the sensitivity to punishment must be given a fairly significant weight. This requirement is not sufficiently fulfilled in the draft decision”[278].

274. The DE SA noted that Facebook Group’s “expected annual global revenue of around USD 81 billion in 2020 (USD 70.7 billion + 15%) is well above the estimated USD […]”, adding that referring to incorrect lower figures could impact the effectiveness of measures[279].

9.1.3 Position of the LSA on the objections

275. In its Composite Response, the IE SA noted that the subject-matter of the objection concerning the turnover of the preceding financial year is within the scope of Article 4(24) GDPR and considered it to be relevant and reasoned[280].

276. While the final position taken by the IE SA was to not follow any of the objections[281], in the Composite Response the IE SA agreed with the DE SA in relation to the application of the doctrine of the single economic unit by supervisory authorities when administrative fines are being imposed on an undertaking, pursuant to Article 83 and Recital 150 of the GDPR. Part 4 of the Draft Decision (paragraph 797) referred to the combined turnover of Facebook, Inc. and WhatsApp IE. The IE SA proposed to “amend this figure to reflect the combined turnover of the entire Facebook, Inc. group of companies, as required by the German (Federal) SA’s objection”[282].

277. On the application of the ‘preceding financial year’, the IE SA noted that in the present case, the Draft Decision was circulated to the CSAs on 24 December 2020, therefore the IE SA could not have reflected the 2020 turnover figure in the Draft Decision[283]. The Draft Decision recorded the most up to date financial information available at the date it was circulated to the CSAs pursuant to Article 60(3) GDPR (“the date of commencement of the co-decision-making process”)[284]. The IE SA added that the LSA “is not permitted unilaterally to amend its draft decision once it has been circulated to the CSAs pursuant to Article 60(3)”[285].

278. In the Composite Response, the IE SA proposed the following approach: “To the extent necessary in the [Draft Decision], IE SA will use the most up to date financial information for the purposes of calculating the proposed cap on the proposed penalty. That remains the turnover for the financial year ending 31 December 2019. That figure will operate as a provisional estimate of the turnover for the financial year ending 31 December 2020. In advance of the final decision, IE SA will obtain from WhatsApp the updated turnover figure for the financial year ending 31 December 2020. That figure will be used to calculate the cap in the final decision. Accordingly, at the time that the final decision is adopted, IE SA will apply the turnover figure for the year ending 31 December 2020 for the purpose of its calculations in Part 4”[286].

279. On the matter of considering the turnover figure when determining the fine amount, the Composite Response initially states that the “turnover figure is only relevant for the purposes of the fining cap”, later elaborating that “Article 83(2) does not require account to be taken of the turnover of the undertaking concerned. In fact, turnover is primarily relevant to the calculation of the applicable fining cap, pursuant to Articles 83(4) – (6). Increasing the turnover figure recorded in the Composite Draft will not have any effect on the calculation of the fine itself in this case”[287].

280. With reference to the expected annual global revenue mentioned in the objection, the IE SA disagrees “to the extent that the DE SA is suggesting that IE SA could and/or should identify the relevant turnover by reference to assumptions and estimated figures […]. As a statutory regulator, IE SA is required to adopt an evidence-based approach to its decision-making and to adhere to, and apply, fair procedures. The making or adoption of assumptions, particularly in relation to features of a decision-making process that are prescribed by statute, is not consistent with the GDPR or the general obligation for statutory decision-makers to conduct their inquiries in a fair and transparent manner”[288].

9.1.4 Analysis of the EDPB

9.1.4.1 Assessment of whether the objections were relevant and reasoned

281. The EDPB recalls that the consistency mechanism may also be used to promote a consistent application of administrative fines[289].

282. In its objection on the turnover of the preceding financial year as applied in the Draft Decision, the DE SA considers that the Draft Decision should be amended with respect to the relevant turnover of the undertaking, the determination of the preceding financial year and the consideration of the turnover figure when calculating the fine[290]. This objection concerns “whether the action envisaged in the draft decision complies with the GDPR”[291]. Therefore, the EDPB considers the objection to be relevant.

283. The objection can also be deemed as reasoned, since the DE SA pointed out alleged mistakes in the Draft Decision arising from the revenue figure used and the year considered, which in turn lead to the proposed fine not fulfilling its purpose as a corrective measure. The change proposed by the objection aims to ensure that the fine is effective, dissuasive and proportionate, as required by Article 83(1) GDPR. WhatsApp IE’s position is that the DE SA’s objection is not sufficiently reasoned to meet the threshold of Article 4(24) GDPR, submitting that it (i) is unsupported by any substantiated legal argument and (ii) does not demonstrate a risk to the rights and freedoms of data subjects[292]. The EDPB finds that the objection clearly demonstrates the significance of the risks posed by the Draft Decision as it states that using the wrong revenue figure amounts to a dangerous precedent, jeopardising the effectiveness of sanctions also for future cases[293]. The EDPB considers that this objection raised by the DE SA meets the threshold set by Article 4(24) GDPR.

284. In arguing that the DE SA’s objection is not reasoned, WhatsApp IE states that “turnover is relevant only to determining the maximum fine that can be lawfully imposed and not the fine amount”, therefore the objection concerns only a theoretical maximum amount, which could “not entail a higher fine so even if one would consider that there is a significant risk because the fine is not high enough (which WhatsApp Ireland disputes)”[294]. The EDPB notes that there is a disagreement between the LSA and CSA precisely about whether turnover is relevant only to determine the maximum fine that can be lawfully imposed, or whether it is potentially also relevant in the calculation of the fine amount. Furthermore, the disagreement on the turnover figure could only be set aside as purely hypothetical if:

- no additional infringements were included in any objections accepted as relevant and reasoned; and also

- the calculation and amount of the fine were not included in any objections accepted as relevant and reasoned.

285. The remaining arguments submitted by WhatsApp IE address the merits of the objections, not whether they are relevant and reasoned[295], therefore the EDPB is not swayed as far as the assessment of whether the Article 4(24) GDPR threshold itself is met.

9.1.4.2 Assessment on the merits

Determination of the relevant turnover of the undertaking

286. The DE SA raised an objection stating that as Facebook Inc. and WhatsApp IE were found to be the undertaking by the LSA, the overall turnover of the single economic unit should be used in the context of Article 83 GDPR, instead of the combined turnover of Facebook Inc. and WhatsApp IE only[296]. While the final position taken by the IE SA was to not follow any of the objections[297], in its Composite Response the IE SA expressed its intention to amend this figure to reflect the combined turnover of the entire Facebook, Inc. group of companies[298].

287. The EDPB notes that the IE SA had communicated their assessment of the notion of undertaking to WhatsApp IE, including the application made in the context of Article 83 GDPR. The IE SA requested WhatsApp IE to bring this matter to the attention of “any parent or controlling company as might be required to fully address the matters raised”[299]. WhatsApp IE confirmed having brought the IE SA’s letter and their response to the attention of personnel at WhatsApp Inc. and Facebook, Inc. on a voluntary basis, noting that neither WhatsApp Inc. nor Facebook, Inc. are parties to the Inquiry[300]. WhatsApp IE expressed the view that “the relevant ‘undertaking’ for the purpose of Articles 83(4) to (6) GDPR is WhatsApp Ireland alone”, adding that it “disagrees with the [IE SA]’s approach to the assessment of whether an entity is in a position to exercise ‘decisive influence’ over WhatsApp Ireland’s ‘behaviour on the market’ in the context of the GDPR”[301]. WhatsApp IE put forward that the interpretation and application of competition law concepts of “undertaking” and “decisive influence” over “conduct on the market” in the very different statutory context of the GDPR raises questions likely to require judicial consideration[302].

288. While the qualification of Facebook Inc. and WhatsApp IE as a single undertaking is not contested by the DE SA, the EDPB notes that there is a disagreement between the LSA and the CSA on the amount of the turnover to be taken into account for this single economic unit.

289. On this specific issue, and in accordance with Recital 150 GDPR, the EDPB considers the case law of the CJEU in the field of competition law relevant when assessing the turnover to be taken into account in the context of Article 83 GDPR, in particular for the verification of the upper limit of the amount of the fine under Article 83(4)-(6) GDPR.

290. Firstly, according to established case law of the CJEU and as recalled by the IE SA in its Draft Decision[303], when a parent company and its subsidiary are found to form a single undertaking within the meaning of Articles 101 and 102 TFEU, this means that the conduct of the subsidiary may be imputed to the parent company, without having to establish the personal involvement of the latter in the infringement. In particular, the parent company may be held liable for the fine[304].

291. Secondly, the CJEU has ruled that when a parent company and its subsidiary form the single undertaking that has been found liable for the infringement committed by the subsidiary, the total turnover of its component companies determines the financial capacity of the single undertaking in question[305]. With regard to the parent company at the head of a group, the CJEU specified that the consolidated accounts of the parent company are relevant to determine its turnover[306]. In the present case, this implies that the consolidated turnover of the group headed by Facebook Inc. is relevant.

292. In light of the above and bearing in mind that the IE SA qualified Facebook Inc. and WhatsApp IE as a single undertaking in the Draft Decision, the EDPB decides that the IE SA should amend its Draft Decision in order to take into account the total turnover of all the component companies of the single undertaking for the purpose of Article 83 GDPR.

Relevance of the turnover for the calculation of the fine

293. On the disagreement between the IE SA and DE SA concerning the role the turnover figure might play when calculating the fine amount, the EDPB notes that this matter is inextricably linked with the objections revolving around the effective, dissuasive and proportionate nature of the fine pursuant to Article 83(1) GDPR. The merits of this aspect of the DE SA’s objection are therefore assessed below in section 9.3.4.2[307].

Preceding financial year

294. The EDPB notes that the IE SA takes into account, for the calculation of the fine, the global annual turnover in the financial year preceding its Draft Decision[308]. In this respect, the DE SA argues that the financial year that should be taken into account is that preceding the final decision of the LSA[309]. Since there is no dispute on the fact that the expression “preceding financial year” refers to the decision of the LSA, the EDPB will focus its assessment on whether such decision shall be the draft or the final one.

295. In the field of competition law, the CJEU has clarified the meaning of “preceding business year” with regard to the power granted to the European Commission to impose fines on undertakings in application of Article 23 of Regulation 1/2003[310]. As a rule, the maximum amount of the fine “should be calculated on the basis of the turnover in the business year preceding the [European] Commission decision”[311].

296. The IE SA points out that in terms of the one-stop-shop procedure, the “LSA is not a sole decision-maker; rather, it is required to engage with CSAs via the process outlined in Article 60 of the GDPR. That process prescribes consultation periods and a further mechanism for the resolution of disagreements on which consensus cannot be reached. The practical consequence of this is the potential for the significant passage of time between the original circulation of the LSA’s draft decision and the adoption of the final decision”[312]. The EDPB concedes the one-stop-shop procedure of Article 60 GDPR is different from the procedure applicable to the European Commission in the field of competition law. However, in both cases it is true that the fine comes into being only at one point in time, namely when the final decision is issued.

297. At the same time, the LSA is required to circulate a complete draft decision, including where appropriate a fine amount, when it launches the consultation procedure in accordance with Article 60(3) GDPR. The IE SA proposed to maintain in its Draft Decision a reference to the turnover for the financial year ending 31 December 2019, which was the most up to date financial information available to determine the relevant turnover, at the time the draft decision was circulated to the CSAs pursuant to Article 60(3) GDPR. The IE SA further elaborated that “[that] figure will operate as a provisional estimate of the turnover for the financial year ending 31 December 2020. In advance of the final decision, IE SA will obtain from WhatsApp the updated turnover figure for the financial year ending 31 December 2020. That figure will be used to calculate the cap in the final decision. Accordingly, at the time that the final decision is adopted, IE SA will apply the turnover figure for the year ending 31 December 2020 for the purpose of its calculations in Part 4”[313].

298. In light of the above, the EDPB decides that the date of the final decision taken by the LSA pursuant to Article 65(6) GDPR is the event from which the preceding financial year should be considered. The EDPB agrees with the approach taken by the IE SA for the present case to include in the draft decision a provisional turnover figure based on the most up to date financial information available at the time of circulation to the CSAs pursuant to Article 60(3) GDPR[314].

9.2 The interpretation of Article 83(3) GDPR

9.2.1 Analysis by the LSA in the Draft Decision

299. When assessing the fine, the IE SA considered that the infringements concern simultaneous breaches of Articles 12, 13 and 14 GDPR in the context of the same set of processing operations. Therefore, and by reference to Article 83(3) GDPR, the IE SA stated in the Draft Decision that the amount of any consequent fine cannot exceed the amount specified for the gravest infringement. The IE SA considers the infringement of Article 14 GDPR in the context of non-users to be the gravest of the three infringements. For this reason the IE SA decided to impose only a fine for the infringement of Article 14 GDPR, noting that the fine to be imposed is limited to the maximum amount specified for the infringement of Article 14 GDPR[315].

9.2.2 Summary of the objections raised by the CSAs

300. The DE SA raised an objection regarding the IE SA’s interpretation of Article 83(3) GDPR. According to the DE SA, the IE SA’s approach is not in line with the intention of the legislator, since its result is that less serious infringements are factually rejected and only the most serious infringement is sanctioned; although the fine itself may only be calculated based on the legal maximum of the highest fining tier, the offender should still be explicitly found guilty of having infringed several provisions, since not finding the offender guilty of the other provisions infringed has an adverse effect on the effective protection of fundamental rights and freedoms.


301. The FR SA raised an objection concerning the calculation of fines in the case of concurrent infringements. According to the FR SA, Article 83(3) GDPR refers to the "total" amount of the fine, resulting from the addition of several amounts, whereas the consequence of the reading proposed by the IE SA is that the fine imposed on an organisation that has committed several breaches is similar to the fine which would be imposed in case of only one breach. The FR SA adds that the Draft Decision implies that the multiplicity of violations committed would never be taken into account when determining the severity of the fine imposed.


302. Finally, the PT SA argues that the word "specified" in Article 83(3) GDPR refers to the maximum fine amount for the most serious breach abstractly provided for in the GDPR. The IE SA’s interpretation resulted in the elimination of two fines and imposing only the third. However, in the event of several infringements, several fines should be applied even if the overall amount of the fines altogether shall not exceed the maximum limit prescribed by the GDPR for the most serious frame of those which can be mobilised for each infringement found.

9.2.3 Position of the LSA on the objections

303. While the final position of the IE SA was that of not following the objections, it considers all three objections to be captured by the scope of Article 4(24) GDPR and views them to be sufficiently relevant and reasoned for the purpose of Article 4(24) GDPR. The IE SA notes, however, that there is no agreed position, at EDPB level, as to the manner in which Article 83(3) GDPR should be interpreted and applied. The IE SA further argues that the manner in which other supervisory authorities have interpreted and applied this provision, in the context of earlier Article 60 GDPR decisions, varies significantly[316]. The IE SA argues that the literal meaning as well as the purpose of Article 83(3) GDPR supports their interpretation of the provision[317]. The IE SA argues that the wording suggests that the assessment of whether to impose a fine, and of the amount of any fine, must be carried out in respect of each individual infringement that has been found to have occurred in any given inquiry[318]. The IE SA considers that the assessment of the gravity of the infringement should not be done in an abstract manner (by reference to the placement of the infringement within the Article 83(4)/(5) GDPR hierarchy) but rather by taking into account the individual circumstances of the case in relation to Article 83(2)(a) GDPR[319]. The IE SA argues that, if Article 83(3) were intended as another provision on the maximum fine amount, to apply in complex scenarios, it would have been placed by the legislator after Art. 83(4)-(5) GDPR instead of before[320].

304. As regards the shared concern of the DE, FR and PT SAs that the approach favoured by the IE SA would “limit the possible maximum amount of the total fine in a disproportionate way”, hamper the “imposition of dissuasive fines” or “largely amputate” the high level of sanctions provided for by the GDPR, the IE SA argues that Article 83(3) GDPR is limited in its application and will not apply to every single case in which multiple infringements are found to have occurred, but only to those cases where multiple infringements have arisen from “the same or linked processing operations”[321].

305. The IE SA also argued that there is an overarching requirement on a supervisory authority, pursuant to Article 83(1) GDPR, to ensure that “the imposition of administrative fines pursuant to [Article 83 GDPR] in respect of infringements of [the GDPR] … shall in each individual case be effective, proportionate and dissuasive”[322]. This means that supervisory authorities, regardless of what approach is taken to Article 83(3) GDPR, must always ensure that the resulting fine is, in each case, “effective, proportionate and dissuasive”[323]. The IE SA recalled that the legislator afforded supervisory authorities considerable freedom, within the framework prescribed by Article 83(2) GDPR, to weigh up and quantify what level of fine would satisfy the requirement for the resulting fine to be “effective, proportionate and dissuasive” in any given case[324].

306. According to the IE SA, just as it is possible for a fine to be decreased because (either in and of itself, or when combined with other fines) it is considered by the supervisory authority to be disproportionately high, a supervisory authority has the freedom to increase any proposed fine that it considers is too low to be effective or dissuasive in the circumstances. The approach favoured by the IE SA does not limit the ability of the supervisory authority to increase or decrease any proposed fine if, in the circumstances of the particular case, it is unlikely to be effective, proportionate and dissuasive[325].

307. Further, the IE SA noted that the legislator, by way of Article 58(2) GDPR, has conferred a wide range of corrective powers on SAs. Article 58(2)(i) GDPR makes it clear that an administrative fine can be imposed “in addition to, or instead of” the other available measures. This leaves room for an SA to consider the imposition of other measures (such as a ban on processing) in addition to a fine, in a case where the SA might have doubts as to the deterrent value of a proposed fine[326].

308. The IE SA therefore did not make any proposal for compromise in its Composite Response as, while it acknowledged the concerns raised by the DE, FR and PT SAs, it argued that its analysis of Article 83(3) GDPR already takes account of the rationale underlying those concerns[327].

309. With regard to the DE SA’s objection, the IE SA noted that the suggestion that the IE SA’s approach results in the “factual rejection” of certain infringements is in its view not correct: the proposed findings of several infringements of the GDPR “are not in any way affected by IE SA’s approach to Article 83(3) GDPR, which is directed only to the determination of the administrative fine to be imposed”[328].

9.2.4 Analysis of the EDPB

9.2.4.1 Assessment of whether the objections were relevant and reasoned

310. The DE SA’s objection concerning the interpretation of Article 83(3) GDPR is relevant in that it concerns the compliance of the envisaged action with the GDPR. The EDPB also deems the objection to be reasoned, since the DE SA argues an alleged misinterpretation of the relevant provision, in particular pointing out the intention of the legislator to fully penalise infringements. Furthermore, the objection demonstrates the significance of the risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects. In particular, the DE SA highlights that the Draft Decision creates a dangerous precedent as other controllers could also demand further violations to be ignored by supervisory authorities. As a result, the effectiveness of measures and sanctions would be far lower for future cases, resulting in a significant risk to the fundamental rights and freedoms of the data subjects concerned.

311. The FR SA’s objection concerning the infringement of Article 83(3) GDPR is relevant since a change of the method of calculation would result in each of the infringements identified to be fined. The EDPB also considers the objection reasoned as it points out that the Draft Decision would impose a penalty on only one of the three breaches observed, thus lowering the level of administrative fines and thereby reducing the corrective powers of SAs and consequently their ability to ensure the effective respect of the protection of personal data.

312. Finally, the EDPB also considers the PT SA’s objection concerning the infringement of Article 83(3) GDPR to be relevant as the suggested change in the interpretation of that article would result in the imposition of a fine for each of the infringements identified. Furthermore, the PT SA states that an effective implementation of the GDPR requires that the sanctioning regime of the GDPR must not be undermined and that the deterrent effect of the fine would lose a good part of its effectiveness if, in cases of multiple infringements, only the maximum limit specifically established for one of the offences is applied. The EDPB considers that such a deterrent effect of administrative fines can ensure compliance with the GDPR, thus contributing to a high level of protection for the rights and freedoms of the data subjects concerned.

313. WhatsApp IE considers all the objections concerning the interpretation of Article 83(3) GDPR not adequately reasoned and also argues that they do not meet the significant risk threshold of Article 4(24) GDPR. Regarding the reasoning of the objections in this subsection, WhatsApp IE argues that none of them provide enough elaboration or reasoning to support a different interpretation of Article 83(3) GDPR than the one of the IE SA, suggesting such interpretations would be contrary to the literal meaning of Article 83(3) GDPR[329].

314. With regard to the status of all the objections analysed in this subsection, the EDPB considers them to be adequately reasoned and recalls that the assessment of the merits of the objection is made separately, after it has been established that the objection satisfies the requirements of Article 4(24) GDPR[330]. Regarding the arguments presented that address the merits of the objection, the EDPB considers those below in section 9.2.4.2.

9.2.4.2 Assessment on the merits

315. All CSAs argued in their respective objections that not taking into account infringements other than the “gravest infringement” is not in line with their interpretation of Article 83(3) GDPR, as this would result in a situation where WhatsApp IE is fined in the same way for one infringement as it would be for several infringements. On the other hand, as explained above, the IE SA argued that the assessment of whether to impose a fine, and of the amount thereof, must be carried out in respect of each individual infringement found[331] and the assessment of the gravity of the infringement should be done by taking into account the individual circumstances of the case[332]. The IE SA decided to impose only a fine for the infringement of Article 14 GDPR, considering it to be the gravest of the three infringements[333].

316. The EDPB notes that the IE SA identified several infringements in the Draft Decision for which it specified fines, namely infringements of Article 12, 13 and 14 GDPR[334], and then applied Article 83(3) GDPR.

317. Furthermore, the EDPB notes that WhatsApp IE agreed with the approach of the IE SA concerning the interpretation of Article 83(3) GDPR[335]. In its submissions on the objections, WhatsApp IE also raised that the approach of the IE SA did not lead to a restriction of the IE SA’s ability to find other infringements of other provisions of the GDPR or of its ability to impose a very significant fine[336]. WhatsApp IE argued that the alternative interpretation of Article 83(3) GDPR suggested by the CSAs is not consistent with the text and structure of Article 83 GDPR and expressed support for the IE SA’s literal and purposive interpretation of the provision[337].

318. In this case, the issue that the EDPB is called upon to decide is how the calculation of the fine is influenced by the finding of several infringements under Article 83(3) GDPR.

319. Article 83(3) GDPR reads that if “a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.”

320. First of all, it has to be noted that Article 83(3) GDPR is limited in its application and will not apply to every single case in which multiple infringements are found to have occurred, but only to those cases where multiple infringements have arisen from “the same or linked processing operations”.

321. The EDPB highlights that the overarching purpose of Article 83 GDPR is to ensure that for each individual case, the imposition of an administrative fine in respect of an infringement of the GDPR is to be effective, proportionate and dissuasive. In the view of the EDPB, the ability of SAs to impose such deterrent fines highly contributes to enforcement and therefore to compliance with the GDPR.

322. As regards the interpretation of Article 83(3) GDPR, the EDPB points out that the effet utile principle requires all institutions to give full force and effect to EU law[338]. The EDPB considers that the approach pursued by the IE SA would not give full force and effect to the enforcement and therefore to compliance with the GDPR, and would not be in line with the aforementioned purpose of Article 83 GDPR.

323. Indeed, the approach pursued by the IE SA would lead to a situation where, in cases of several infringements of the GDPR concerning the same or linked processing operations, the fine would always correspond to the same amount that would be identified, had the controller or processor only committed one – the gravest – infringement. The other infringements would be discarded with regard to calculating the fine. In other words, it would not matter if a controller committed one or numerous infringements of the GDPR, as only one single infringement, the gravest infringement, would be taken into account when assessing the fine.

324. With regard to the meaning of Article 83(3) GDPR the EDPB, bearing in mind the views expressed by the CSAs, notes that in the event of several infringements, several amounts can be determined. However, the total amount cannot exceed a maximum limit prescribed, in the abstract, by the GDPR. More specifically, the wording “amount specified for the gravest infringement” refers to the legal maximums of fines under Articles 83(4), (5) and (6) GDPR. The EDPB notes that the Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679[339] state that the "occurrence of several different infringements committed together in any particular single case means that the supervisory authority is able to apply the administrative fines at a level which is effective, proportionate and dissuasive within the limit of the gravest infringement"[340]. The guidelines include an example of an infringement of Article 8 and Article 12 GDPR and refer to the possibility for the SA to apply the corrective measure within the limit set out for the gravest infringement, i.e. in the example the limits of Article 83(5) GDPR.

325. The wording “total amount” also alludes to the interpretation described above. The EDPB notes that the legislator did not include in Article 83(3) GDPR that the amount of the fine for several linked infringements should be (exactly) the fine specified for the gravest infringement. The wording “total amount” in this regard already implies that other infringements have to be taken into account when assessing the amount of the fine. This is notwithstanding the duty on the SA imposing the fine to take into account the proportionality of the fine.

326. Although the fine itself may not exceed the legal maximum of the highest fining tier, the offender shall still be explicitly found guilty of having infringed several provisions and these infringements have to be taken into account when assessing the amount of the final fine that is to be imposed. Therefore, while the legal maximum of the fine is set by the gravest infringement with regard to Articles 83(4) and (5) GDPR, other infringements cannot be discarded but have to be taken into account when calculating the fine.

327. In light of the above, the EDPB instructs the IE SA to amend its Draft Decision on the basis of the objections raised by the DE SA, FR SA and PT SA with respect to Article 83(3) GDPR and to also take into account the other infringements – in addition to the gravest infringement – when calculating the fine, subject to the criteria of Article 83(1) GDPR of effectiveness, proportionality and dissuasiveness.

9.3 The application of the criteria under Articles 83(1) and 83(2) GDPR

9.3.1 Analysis by the LSA in the Draft Decision

The application of the criteria under Article 83(2) GDPR

328. The Draft Decision explains how the IE SA considered the criteria in Article 83(2) GDPR in deciding whether to impose an administrative fine and determine its amount[341]. The elements that are currently concerned by the dispute were analysed by the Draft Decision as follows.

329. As regards the calculation of the fine, the Draft Decision analysed, first, the nature, gravity and duration of the infringement, as per Article 83(2)(a) GDPR[342].

330. In terms of nature, the infringement at the heart of the Inquiry concerns the right to information, which the IE SA asserts is the cornerstone of the rights of the data subject, adding that “the provision of the information concerned goes to the very heart of the fundamental right of the individual to protection of his/her personal data which stems from the free will and autonomy of the individual to share his/her personal data in a voluntary situation such as this”[343].

331. In terms of gravity, the IE SA takes into account a very significant level of non-compliance with the prescribed information, referring to the finding that none of the information prescribed by Article 14 GDPR has been provided to data subjects who are “non-users” and the finding of wholly insufficient information provided to data subjects who are users of WhatsApp’s service[344].

332. In terms of duration of the infringement, the IE SA takes into account the period of infringement occurring from 25 May 2018 onwards, noting the Privacy Policy under investigation bears a “last modified” date of 24 April 2018[345].

333. The Draft Decision considered that, in terms of the nature, scope and purposes of the processing, “the processing of personal data by WhatsApp, in the context of both users and non-users, is not extensive”, adding that the purpose of the processing is directed towards achieving connectivity for users. The IE SA finds that this factor does not operate to mitigate the infringement of the right to be informed[346].

334. The Draft Decision also took into account the number of data subjects affected and the level of damage suffered by them, concluding that a very high number of data subjects were affected as users of the service and an extremely high number of data subjects were affected as non-users[347].

335. In relation to the intentional or negligent character of the infringements, as per Article 83(2)(b) GDPR, the IE SA concluded in its Draft Decision that they ought to be classified as negligent. The IE SA considered that the Article 14 GDPR infringement demonstrated a high degree of negligence, and took it into account as an aggravating factor for the purpose of the Article 83(2) GDPR assessment. With regard to the Articles 12 and 13 GDPR infringements, the IE SA noted that for “an organisation of WhatsApp’s size, reach and available internal and external resources, the failure to achieve the required standard of transparency is, in my view, negligent”, which reflected carelessness on the part of WhatsApp IE[348].

336. In relation to the degree of responsibility for the controller or processor, as per Article 83(2)(d) GDPR, the Draft Decision considered the total failure to provide the required information to data subjects in the case of non-users a further aggravating factor. In relation to the Articles 12 and 13 GDPR infringements the Draft Decision finds that “[w]hile the provision of 59% of the prescribed information to users mitigates the position somewhat […] WhatsApp fell significantly short of what it might have been expected to do”[349].

337. With regard to other aggravating or mitigating factors, as per Article 83(2)(k) GDPR, the Draft Decision assesses in particular the potential impact that a more transparent approach could have on the continued growth of WhatsApp IE’s user base. The IE SA notes that, in the Supplemental Draft, it considered that “a more transparent approach to the Contact Feature would represent a risk factor for the continued growth of WhatsApp’s user base”[350]. However, given the explanations provided in the WhatsApp Supplemental Draft Submissions, the IE SA considers that “neither I nor WhatsApp can know, until the contingent event has happened, which one of us is correct in our belief as to the likely impact […] of a more transparent approach”[351]. Thus, the IE SA concludes that it is “unable to determine such impact and, therefore, it is neither an aggravating factor nor a mitigating one”[352].

338. The assessment of the LSA on the criteria in Article 83(2)(c), (e), (f) to (j) GDPR is not subject to dispute between the LSA and the CSAs[353].

The application of the criteria under Article 83(1) GDPR

339. The Draft Decision explains how the IE SA considered the principles of effectiveness, proportionality and dissuasiveness (Article 83(1) GDPR) each in turn. The Draft Decision considered that for any fine to be “effective”, it must reflect the circumstances of the individual case[354]. Further, the Draft Decision considered that in order for a fine to be “dissuasive”, it must dissuade both the controller/processor concerned as well as other controllers/processors carrying out similar processing operations from repeating the conduct concerned[355]. Finally, as regards the requirement for any fine to be “proportionate”, the Draft Decision states the need to “adjust the quantum of any proposed fine to the minimum amount necessary to achieve the objectives pursued by the GDPR”[356]. The Draft Decision also stated that the fines proposed “do not exceed what is necessary to enforce compliance with the GDPR, taking into account the size of WhatsApp’s user base, the impact of the Infringements (individually and collectively) on the effectiveness of the data subject rights enshrined in Chapter III of the GDPR and the importance of those rights in the context of the GDPR and, indeed, the scheme of EU law, as a whole, which makes the right to protection of one’s personal data a Charter-protected and Treaty-protected right”[357].

340. The IE SA proposes in the Draft Decision to impose an administrative fine within the range of 30 million - 50 million euro[358].

9.3.2 Summary of the objections raised by the CSAs

341. The DE SA raised an objection arguing that the fine proposed by the LSA is “hardly noticeable for the undertaking” and “does not meet the requirements of Article 83(1) GDPR of being effective, dissuasive and proportionate”[359].

342. More specifically, the DE SA argued that the fine is not dissuasive. The objection recalled that a sanction can be deemed effective and dissuasive if it is suitable both as a general preventive measure - to deter the other controllers from committing infringements - and as a special preventive measure - to deter the specific controller from committing further infringements. The DE SA expresses the concern that other controllers will orientate their compliance with data protection law taking into account the amount of the fine levied in the present case and may conclude that even total disrespect of data protection laws would not lead to significant administrative fines. The DE SA further argues that the sensitivity to punishment, which is influenced by the level of return of the company, must be given a fairly significant weight.

343. The DE SA goes on to argue that the financial capacity of an undertaking (in terms of turnover and profit) provides an important indication of the amounts required to achieve dissuasiveness. In the present case, the DE SA argues that the turnover and profits of the Facebook Group undertaking are such that it could easily absorb “several fines with comparable amounts before rentability shrinks by even 1 percentage point”[360]. The DE SA notes that the Facebook Group is an undertaking driven by the processing of personal data. The DE SA highlights that the fine must have a dissuasive effect; in particular, it is necessary to issue a fine that has a noticeable impact on the profits of the undertaking, ensuring that future fines for infringements of data protection law would not be “discounted” into the processing performed by the undertaking. In this respect, the DE SA deems an impact of at least several percent of the annual profit necessary, rather than an “impact” in the “low per mille range” as envisaged in the Draft Decision, and questions the proposed imposition of a fine that falls significantly short of the legal maximum and corresponds to such a low percentage of the revenue.

344. Finally, the DE SA disagrees with the weighting given to the criteria listed in Article 83(2) GDPR in the calculation of the fine proposed by the IE SA. The DE SA considers that the Draft Decision recognises only limited mitigating factors, while finding there to be a very significant level of non-compliance[361] affecting a large number of data subjects (326 million users plus 125 million non-users are concerned[362]). For these reasons, the DE SA considers that a fine in the upper range of the possible level of 4% of the previous year’s revenue would be expected.

***

345. The PL SA raised an objection stating that the amount of the administrative fine proposed in the Draft Decision is insufficient and should not be expressed as a range, but rather as a fixed sum. The objection claims that the range of €30-50 million in the Draft Decision was modelled by the DPC in light of a fine imposed on Google by the FR SA in 2019. Therefore, the PL SA is of the opinion that the fine issued by the IE SA did not take into consideration the differing factual and legal contexts of the present case. In addition, the PL SA considered the proposed fine to be too low, taking into account the affected number of both WhatsApp’s users and non-users, as well as the impact of the infringements. Therefore, the PL SA concluded that the proposed fine issued in the Draft Decision did not fulfil the GDPR-required standards of effectiveness, proportionality and deterrence of administrative fines.

***

346. The HU SA raised an objection stating that the Draft Decision does not appropriately address the intentional character of the infringement. The HU SA argues that the behaviour of WhatsApp IE should be considered intentional, on the basis of the criteria of knowledge and wilfulness established in the Guidelines on Administrative Fines. The HU SA draws an analogy with the example provided in the Guidelines regarding the trade of personal data for marketing purposes and considers that “it is not a coincidence that [WhatsApp] collects personal data, but a conscious decision to gain profit” and, therefore, the provision of incomplete information to data subjects is “presumably based on an intentional decision”[363]. In the view of the HU SA, the inconsistency of whether to use personal data for profiling and targeted advertising also supports the fact that WhatsApp IE acted in bad faith. The HU SA goes on to argue that the Draft Decision is self-contradictory in this regard, since it considers that WhatsApp IE acted in good faith, while at the same time it recognises that “a more transparent approach to the Contact Feature would represent a risk factor for the continued growth of WhatsApp’s user base”[364]. Therefore, the HU SA considers that WhatsApp IE can clearly see a risk in fully informing data subjects and could intentionally decide to provide incomplete information.

347. In its objection, the HU SA also considers that the proposed fine is ineffective, disproportionate and non-dissuasive, given its view on the intentional character of the infringement, the non-transparent profiling of natural persons, the number of data subjects affected, the lengthy duration of the infringement and the seriousness of the case and its impact on the rights of data subjects. The HU SA also contests the comparison drawn in the Draft Decision with the FR SA’s decision against Google LLC, and considers that, in this case, the number of data subjects affected is significantly higher. For these reasons, the fine should be closer to 4% of the total worldwide annual turnover.

***

348. The IT SA raised an objection whereby it considered that some of the elements underpinning the calculation of the fine proposed by the IE SA were not appropriately addressed[365]. Firstly, with regard to the character of the infringement, the IT SA argues that the elements taken into account by the IE SA would point to considering that the conduct of WhatsApp IE may not be regarded as merely negligent. In particular, the IT SA points to a previous inquiry of the NL SA, referred to in the Draft Decision[366], which concluded that non-users’ data were to be regarded as personal data. Given that the notion of personal data has not changed since, the IT SA considers that “WhatsApp was fully aware – well in advance of the entry into force of the GDPR and prior to the changes made in 2018 to its privacy policy – that the data in question could be classed as personal and therefore were subject to the requirement of unambiguous, appropriate information”[367]. The IT SA further argues that, should there be insufficient elements to consider WhatsApp IE’s conduct intentional, these elements should be taken into account in assessing its degree of responsibility.

349. Concerning the aggravating factors, the objection raised by the IT SA points out that the IE SA does not maintain in the Draft Decision, as an aggravating factor, the conclusion in the Final Report on the relationship between transparency and the impact on WhatsApp’s policies aimed at increasing the number of service users. In this respect, the IT SA considers that, “media reports have shown […] that the changes to the privacy policy introduced unilaterally by WhatsApp are producing exactly the effects mentioned by the IE SA in its Final Report”[368]. Additionally, the IT SA considers that WhatsApp’s decision to delay the application of the new privacy policy is proof of WhatsApp’s concerns on the negative impact. Thus, the objection of the IT SA considers that the two factors raised should be given a different weight, consequently increasing the amount of the fine.

9.3.3 Position of the LSA on the objections

350. In its Composite Response, the IE SA noted that the subject-matter of the objections related to the weighing of the Article 83(2) GDPR criteria is within the scope of Article 4(24) GDPR. The IE SA considers, however, that the objections of the DE, HU, PL and IT SAs are not sufficiently reasoned or that the accompanying reasoning is unsound. Thus, the IE SA does not consider any of these objections to meet the threshold of Article 4(24) GDPR[369].

351. Regarding the objection raised by the HU SA on the characterisation of the infringements, the IE SA first clarifies that the question of financial gain was not considered as part of the assessment on the character of the infringement[370]. With respect to the analogy drawn by the HU SA, the IE SA argues that there is nothing in the facts that support the assumption of the HU SA whereby WhatsApp IE processes data purely for the purposes of profiling and targeted advertising[371]. In addition, the IE SA considers that the example cited by the HU SA is not applicable to the circumstances of the case[372].

352. Concerning the HU SA’s statement on the self-contradiction of the Draft Decision, the IE SA argues that the quoted statement has no evidential value since it has been taken out of context and it constituted the preliminary view of the IE SA[373]. In addition, the statement was made as a reply to the abstract question on the potential impact of a more transparent approach and did not entail a subjective assessment of WhatsApp IE’s own thinking in the matter[374].

353. With regard to the reasons raised by the HU SA justifying an increase of the fine, the IE SA considers that the findings do not support the suggestion that WhatsApp IE processes personal data for the purpose of profiling and that the duration of the infringement has already been considered as part of the Article 83(2)(a) GDPR assessment[375]. Regarding the seriousness of the case and its impact on data subject rights, the IE SA is of the view that it has appropriately assessed and weighed it. Concerning the impact of the Article 14 GDPR infringement on the rights of non-users, the IE SA states that “the risks to the rights and freedoms of natural persons are somewhat limited in circumstances where the most significant impact occurs at the point in time at which a non-user decides to subscribe to the Service” and “outside of this specific scenario, the rights that might be exercised by non-users are very limited”[376]. Therefore, even though the infringement of Article 14 GDPR is severe, its impact on non-users should not be overstated[377].

354. Finally, with regard to the reference in the Draft Decision to the FR SA’s decision mentioned by several CSAs, the Composite Response clarifies that it was only considered retrospectively, after the fines were calculated, for the purpose of ensuring the overall consistency of application of the GDPR[378]. In this regard, the IE SA notes that, while the number of affected data subjects in this case is higher, the processing examined by the FR SA was far more extensive and had a more significant impact on the rights and freedoms of the data subjects concerned[379].

355. Regarding the objection of the DE SA on the weight given to the Article 83(2) GDPR criteria, the IE SA argues that the Draft Decision contains a detailed assessment of each of the factors and that the IE SA has appropriately assessed and weighted the criteria in the circumstances of the Inquiry[380]. On the DE SA’s claim that the fine is hardly noticeable for the undertaking and other controllers will take that into account when deciding on their data protection compliance practices, the IE SA argues that the DE SA “conflates excessively the roles of the data controller and the undertaking of which the data controller forms part”[381]. As to the sensitivity to punishment, the IE SA argues that it is a principle of German national law and not EU law, and thus it is not appropriate for the IE SA to apply it[382]. In addition, the IE SA underlines that “Article 83(2) GDPR does not identify any requirement for an SA to engage in an assessment of what impact a proposed fine will have on the profit margins of the data controller or processor concerned”[383]. Concerning the amount of the fine, the IE SA further argues that the HU SA and the DE SA have placed greater significance on the turnover of the undertaking than is permitted, or envisaged, by Article 83 GDPR. The IE SA argues that, while the turnover is relevant to calculate the maximum fine amount, the key factors to determine the range of the penalty are those in Article 83(2) GDPR[384]. The IE SA considers that this is consistent with the position whereby infringements under the GDPR are pronounced against controllers and processors, rather than undertakings[385].

356. Regarding the objection raised by the IT SA, the IE SA is of the view that the infringement falls short of the high threshold required in order to classify an infringement as being intentional in character[386]. Consequently, the IE SA considers that no further weight can be attributed to the 2012 Investigation, since that “would introduce an unnecessary element of risk, as regards the legal sustainability and defensibility (in the event of a legal challenge before the Irish Courts) of the decision that will ultimately be adopted”[387].

357. Concerning the other aggravating factor raised by the IT SA, the IE SA firstly sets forth the difficulty of ascertaining, from the media reports, the reasons for the concerns of individuals, given that WhatsApp IE and WhatsApp Inc. simultaneously announced changes to their privacy policies and terms of service. In addition, the IE SA considers that the assumption that WhatsApp IE delayed the application of its privacy policy due to concerns about the negative impact is purely speculative[388]. Finally, on the lack of explanation of the percentage of the fine, the IE SA argues that there is no obligation to provide such explanations and that the Draft Decision already contains detailed explanations of the elements considered for the fine[389].

358. With regard to the PL SA’s objection specifically, the IE SA claimed that the fine proposed in the Draft Decision appropriately weighted each of the Article 83(2) GDPR criteria in light of the particular facts of the case[390]. In this regard, the IE SA explained that the processing of non-users’ mobile phone numbers is limited to the scenario where an existing user activates the Contact Feature, and that the lack of information provided to these non-users is remedied at the time they join the service. Therefore, the IE SA recalled that, while the infringements can be qualified as severe, the impact of the Article 14 GDPR infringement on WhatsApp’s non-users should not be overestimated[391].

9.3.4 Analysis of the EDPB

9.3.4.1 Assessment of whether the objections were relevant and reasoned

359. In its objection on the proposed amount of the fine, the DE SA considers the fine proposed in the Draft Decision to be ineffective, disproportionate and non-dissuasive in the present case[392]. This objection concerns “whether the action envisaged in the draft decision complies with the GDPR”[393]. Therefore, the EDPB considers the objection to be relevant.

360. The DE SA sets out legal and factual arguments, in particular its views on how the Draft Decision assesses the criteria of Article 83(1) and (2) GDPR and applies them to the facts of the case. In its objection, the DE SA argues that a higher fine ought to be imposed and that without amendment the Draft Decision would set a dangerous precedent with regards to deterrence. In particular, it argues the Draft Decision as it stands would lead to “a significant risk to the rights and fundamental freedoms of data subjects, since the undertaking and other controllers could orientate their abidance of data protection law on such a barely noticeable fine”[394]. In the objection, the DE SA articulates why it proposes amending the Draft Decision and clearly demonstrates its view on the significance of the risks posed by the Draft Decision. Therefore, the EDPB considers the objection to be reasoned.

361. WhatsApp IE’s position is that the DE SA’s objections are not reasoned, arguing inter alia that they are either unsubstantiated in fact, incorrect in law or irrelevant[395]. The EDPB takes the view that these arguments address the merits of the objections, not whether they are relevant and reasoned; therefore, the EDPB is not swayed as far as the assessment of whether the Article 4(24) GDPR threshold itself is met.

***

362. Although the objection of the PL SA regarding the amount of the administrative fine is relevant since it outlines a disagreement as to whether the envisaged action in relation to the controller proposed by the LSA complies with the GDPR, the EDPB considers that it fails to meet the Article 4(24) GDPR standard as it is not sufficiently “reasoned”[396]. In particular, the objection does not include any clarification or argument supporting amendments of the Draft Decision leading to a different conclusion. Thus, the objection does not explain how the issuance of the Draft Decision as proposed by the IE SA would impact the fundamental rights and freedoms of data subjects, nor does it demonstrate why such risk is substantial and plausible[397]. Therefore, the EDPB concludes that the objection of the PL SA does not meet the requirements set out by Article 4(24) GDPR as it does not clearly demonstrate the need for amending the Draft Decision, nor of the risks posed by the Draft Decision if it were to be issued.

***

363. In its objection on intentional or negligent character of the infringements, the HU SA disagrees with the application of Article 83(2)(b) GDPR in the Draft Decision (paragraphs 685-692, 745 and 746 in particular)[398]. This objection concerns “whether the action envisaged in the draft decision complies with the GDPR”[399]. Therefore, the EDPB considers the objection to be relevant.

364. The HU SA sets out legal and factual arguments, namely its view that the IE SA incorrectly “drew a conclusion that the controller’s act was negligent, taking into account the fact that WhatsApp claimed that because it does not charge a fee for using the Service, it does not directly get a financial gains in relation to the alleged infringements”[400]. In addition, the HU SA considers that the IE SA’s finding is contradicted by paragraph 731 (d) of the Draft Decision (noting that a more transparent approach to the Contact Feature would represent a risk factor for the continued growth of WhatsApp IE’s user base). In the objection, the HU SA argues that the finding of negligence ought to be changed to one of intention. In terms of risk, the objection argues that, if it is not amended, the Draft Decision would set a precedent that “a serious infringement would be considered as a negligent act in circumstances where the controller fails to inform the data subjects”, which would “infringe data subjects’ fundamental rights and freedoms to data protection and privacy, and undermine the trust regarding data protection”[401]. The HU SA’s objection articulates why it proposes amending the Draft Decision and demonstrates sufficiently clearly its view on the significance of the risks posed by the Draft Decision. Therefore, the EDPB considers the objection to be reasoned.

***

365. In its objection on the proposed amount of the fine, the HU SA considers the fine proposed in the Draft Decision to be ineffective, disproportionate and non-dissuasive in the present case[402]. This objection concerns “whether the action envisaged in the draft decision complies with the GDPR”[403]. Therefore, the EDPB considers the objection to be relevant.

366. The HU SA sets out legal and factual arguments, in particular its views on how the Draft Decision interprets the criteria of Article 83(2) GDPR and applies them to the facts of the case. In its objection, the HU SA argues that a higher fine ought to be imposed and that without this amendment, the Draft Decision would set a precedent that “undermines confidence in the institution of data protection within the EU, which could cause a serious crisis of confidence among the concerned data subjects”[404]. The HU SA articulates why it proposes amending the Draft Decision and demonstrates sufficiently clearly its view on the significance of the risks posed by the Draft Decision. Therefore, the EDPB considers the objection to be reasoned.

367. WhatsApp IE’s position is that both of the HU SA’s objections are not reasoned[405]. The arguments presented address the merits of the objections, not whether they are relevant and reasoned[406]; therefore the EDPB is not swayed as far as the assessment of whether the Article 4(24) GDPR threshold itself is met.

***

368. In its objection on the proposed amount of the fine, the IT SA considers the fine proposed in the Draft Decision to fall short of the proportionality and dissuasiveness requirements set forth in Article 83 GDPR[407]. This objection concerns “whether the action envisaged in the draft decision complies with the GDPR”[408]. Therefore, the EDPB considers the objection to be relevant.

369. The IT SA sets out legal and factual arguments, in particular its views on how the Draft Decision interprets the criteria of Article 83(2) GDPR and applies them to the facts of the case. The objection argues that a higher fine ought to be imposed. In terms of risk, the objection argues that without this amendment the Draft Decision would lead to risks for the fundamental rights and freedoms of data subjects due to a lack of proportionality and dissuasiveness[409]. The IT SA’s objection articulates why it proposes amending the Draft Decision and demonstrates sufficiently clearly its view on the significance of the risks posed by the Draft Decision. Therefore, the EDPB considers the objection to be reasoned.

370. WhatsApp IE’s position is that the IT SA’s objections are not reasoned[410]. The arguments presented address the merits of the objections, not whether they are relevant and reasoned[411]; therefore the EDPB is not swayed as far as the assessment of whether the Article 4(24) GDPR threshold itself is met.

371. On this basis, the EDPB considers that the objections raised by the DE SA, HU SA, and IT SA on application of the criteria under Article 83(1) and 83(2) GDPR qualify as relevant and reasoned objections pursuant to Article 4(24) GDPR.

372. As the objection raised by the PL SA does not meet the requirements of Article 4(24) GDPR, the EDPB will not consider the merits of the substantial issues raised in the present case[412].

9.3.4.2 Assessment on the merits

373. The EDPB considers that the objections found to be relevant and reasoned in this subsection[413] require an assessment of whether the Draft Decision proposes a fine in accordance with (i) the criteria established by Article 83(2) GDPR and the Guidelines on Administrative Fines and (ii) the criteria provided for by Article 83(1) GDPR.

374. Indeed, the consistency mechanism may also be used to promote a consistent application of administrative fines[414]: where a relevant and reasoned objection challenges the elements relied upon by the LSA to calculate the amount of the fine, the EDPB can instruct the LSA to engage in a new calculation of the proposed fine by eliminating the shortcomings in the establishment of causal links between the facts at issue and the way the proposed fine was calculated on the basis of the criteria in Article 83 GDPR and of the common standards established by the EDPB[415]. A fine should be effective, proportionate and dissuasive, as required by Article 83(1) GDPR, taking account of the facts of the case[416]. In addition, when deciding on the amount of the fine, the LSA shall take into consideration the criteria listed in Article 83(2) GDPR.

The application of the criteria under Article 83(2) GDPR

375. Article 83(2) GDPR considers, among the factors to be taken into account when deciding the imposition and amount of an administrative fine, “the intentional or negligent character of the infringement”. In the same sense, Recital 148 GDPR states that “[i]n order to strengthen the enforcement of the rules of this Regulation, penalties including administrative fines should be imposed for any infringement of this Regulation […]. Due regard should however be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility […]” (emphasis added).

376. The characterisation of the infringement as intentional or negligent may therefore have a direct impact on the amount of the fine proposed. As stated in the Guidelines on Administrative Fines, “intentional breaches, demonstrating contempt for the provisions of the law, are more severe than unintentional ones”[417] and thus may be more likely to warrant the application of a (higher) fine.

377. As the IE SA notes in the Draft Decision, “the GDPR does not identify the factors that need to be present in order for an infringement to be classified as either ‘intentional’ or ‘negligent’”[418]. The Guidelines on Administrative Fines refer to the fact that “in general, ‘intent’ includes both knowledge and wilfulness in relation to the characteristics of an offence, whereas ‘unintentional’ means that there was no intention to cause the infringement although the controller/processor breached the duty of care which is required in the law”[419]. In other words, the Guidelines on Administrative Fines identify two cumulative elements whereby an infringement can be considered intentional: the knowledge of the breach and the wilfulness in relation to such act. On the other hand, an infringement is “unintentional” when there was a breach of the duty of care, without having intentionally caused the infringement.

378. The characterisation of an infringement as intentional or negligent shall be done on the basis of objective elements of conduct gathered from the facts of the case[420]. The Guidelines on Administrative Fines provide some examples of conduct that may demonstrate the existence of intent and negligence[421]. It is worth noting the broader approach adopted with respect to the concept of negligence, since it also encompasses situations in which the controller or processor has failed to adopt the required policies, which presumes a certain degree of knowledge about a potential infringement[422].

379. In this case, the IE SA has considered that the infringements by WhatsApp IE reflect carelessness and are therefore the result of negligent behaviour[423]. With respect to the infringements of Articles 12 and 13 GDPR, the IE SA acknowledges the efforts made by WhatsApp IE towards compliance. However, the IE SA considers that such efforts fell significantly short of what is required, despite the fact that the requirements of those provisions are not complex[424]. Thus, the IE SA considers that the failure to achieve the required standard of transparency amounts to negligence for an organisation of WhatsApp IE’s size, reach and resources[425]. Likewise, the infringement of Article 14 GDPR is found to be negligent. In particular, the IE SA considers that it shows a “high degree of negligence”[426], since WhatsApp IE “ought to have known, from the outcome of the 2012 Investigation, that its views, as to the status of non-user numbers, would likely not be endorsed by a data protection authority”[427].

380. It stems from the above that WhatsApp IE had (or should have had) knowledge about the infringement of Article 14 GDPR. However, this mere element is not sufficient to consider an infringement intentional, as stated above, since the “aim” or “wilfulness” of the action should be demonstrated. In this respect, the IE SA considers that the infringement of Article 14 GDPR “falls short of the high threshold required in order to classify an infringement as being intentional in character”[428].

381. In this regard, the IT SA argues that the awareness of the outcome of the 2012 Investigation by the NL SA would point to considering the infringement of Article 14 by WhatsApp IE in relation to non-users as not merely negligent, but rather intentional. In this respect, WhatsApp IE argues that the IT SA does not adequately justify why it considers WhatsApp IE’s conduct intentional and that the reliance on the 2012 Investigation is misplaced[429]. In particular, WhatsApp IE considers that the 2012 Investigation is irrelevant since it involved a different set of facts, occurred 8 years ago in relation to another controller, notably before the ruling on Breyer, and the processing practices described in the 2012 Investigation are not the same ones subject to the Inquiry[430]. More specifically, WhatsApp IE submits that the findings of the 2012 Investigation “focused primarily on users, rather than non-users, and placed considerable weight on the fact that WhatsApp Inc. (as the service provider at the time) collected other data points about users in addition to phone numbers, thereby making the data readily identifiable. In contrast, this is not the case for non-users”[431]. Therefore, WhatsApp IE argues that the 2012 Investigation is irrelevant and should be disregarded.

382. The HU SA also made reference to elements relevant for the assessment of the “wilfulness” of the action. The objection raised by the HU SA refers to the value of processed data for WhatsApp IE and its conscious choice to obtain profit from it, as well as to the alleged purposes of “profiling and targeted advertising”[432]. Given the value of the data, the HU SA considers that WhatsApp IE presumably intentionally decides to give incomplete information to data subjects.

383. In this regard, WhatsApp IE argues that the HU SA “has no basis to allege an intentional nature to the infringements, and concedes that it relies only on assumptions in this regard. In particular, there is no basis for the Hungarian SA to claim - falsely, and with no supporting evidence - that WhatsApp Ireland engages in ‘non-transparent profiling of natural persons’ or ‘targeted advertising’”[433]. In general, WhatsApp IE’s views on the objections regarding the character of the infringement are that they rely on “misplaced allegations” and that no evidence has been provided to support the claims[434].

384. The EDPB firstly points out that having “conscience” of a specific matter does not necessarily imply having the “will” to reach a specific outcome. This is in fact the approach adopted in the Guidelines on Administrative Fines, where the “consciousness” (which could be understood as equivalent to “knowledge”) and the “wilfulness” are considered two distinct elements of intentionality. While it may prove difficult to demonstrate a subjective element such as the “will” to act in a certain manner, there need to be some objective elements that indicate the existence of such intentionality.

385. On the basis of the available information (including the findings of the IE SA and the objection raised in this regard by the IT SA), the EDPB is not able to identify the will of WhatsApp IE to act in breach of the law. While the objection submitted by the IT SA points at the potential existence of knowledge, it fails to identify other objective elements that would demonstrate the will of WhatsApp IE to infringe the provision.

386. A presumption, as seems to be the case for some of the arguments raised by the HU SA, does not fulfil the high threshold set to consider an act intentional. In fact, even in criminal proceedings the CJEU has acknowledged the existence of “severe negligence”, rather than “intentionality” when “the person responsible commits a patent breach of the duty of care which he should have and could have complied with in view of his attributes, knowledge, abilities and individual situation”[435].

387. It shall be underlined that, in the context of the assessment of Article 83(2)(c) GDPR, the IE SA notes that WhatsApp IE’s position regarding its compliance with GDPR “represents a genuinely held belief of WhatsApp’s part”[436]. In addition, as noted above, the IE SA acknowledges WhatsApp IE’s efforts towards achieving compliance, albeit clearly insufficient. Some of those efforts included engaging with experts and carrying out research on how to meet the transparency obligations. These are objective elements mentioned in the Draft Decision that, in the view of the EDPB, would indicate the absence of wilfulness to act in breach of the law with regard to the infringements of Articles 12 to 13 GDPR. As regards the infringement of Article 14 GDPR, the EDPB refers to the reasoning above.

388. Therefore, the EDPB considers that the arguments put forward by the HU and the IT SAs fail to provide objective elements that indicate the intentionality of the behaviour. Accordingly, the EDPB is of the view that the Draft Decision does not need to be changed with respect to the findings on the character of the infringements.

***

389. As regards the nature, gravity and duration of the infringements, Article 83(2)(a) GDPR requires taking into consideration, inter alia, the nature, scope and purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them.

390. Regarding the nature and scope of the processing, the IE SA acknowledges that the processing of personal data by WhatsApp IE is not extensive, as it covers a limited number of categories of personal data of users and the mobile phone numbers of non-users, the latter being processed for a very short period[437]. As for the purpose, the IE SA considers that “the processing only serves the interests of users and WhatsApp”[438].

391. With regard to the data subjects affected, the IE SA highlights that the infringements of Articles 12 and 13 GDPR “appear to affect approximately 63% of the population of the EEA”, and estimates that the corresponding percentage of affected non-users is 24% of the EEA population[439]. As to the level of damage, the IE SA recalls that users “have only been provided with 59% of the information they are entitled to receive” and “non-users have not been provided with any of the information they are entitled to receive”. This represents, in the view of the IE SA, “a very serious information deficit” that “can only equate to a significant (in the case of users) and total (in the case of non-users) inability to exercise control over personal data”[440].

392. The EDPB notes that, according to the IE SA, the infringements are very serious in nature and severe in gravity, since they concern a very significant information deficit and thus go to the heart of the fundamental right of data protection[441]. In particular, the IE SA considers Article 14 GDPR infringements as particularly serious[442]. Due to the seriousness of the infringements, the IE SA considers that the limited nature and scope of the processing cannot be attributed a significant weight[443].

393. In this respect, the HU SA considers that, in the determination of the fine, the IE SA has not taken into account that “the risks due to the non-transparent profiling of natural persons are considered serious”[444]. In addition, the HU SA is of the view that “the long standing of the unlawful processing [since 24 April 2018] must be taken into account as an aggravating factor, in view of which it is necessary to set the amount of the fine at a higher amount”[445].

394. In its Composite Response, the IE SA argues that “there are no findings of fact to support the suggestion that WhatsApp processes personal data for the purpose of profiling”[446]. WhatsApp IE also argues that the objection is based on “unsubstantiated allegations”[447] and that there is no supporting evidence for such claim[448]. In this respect, the EDPB considers that the objection did not conclusively show that, on the basis of the findings, “non-transparent profiling” is taking place.

395. With regard to the duration of the infringement, the IE SA argues that it has already been taken into account[449]. As for the dies a quo, the IE SA takes 25 May 2018[450], instead of 24 April 2018 as argued by the HU SA. In keeping with the principle of legal certainty[451], in the circumstances of this case the EDPB considers that the dies a quo to determine the duration of the infringement is 25 May 2018, as it is the day on which the GDPR became applicable and, therefore, its application could be enforced. As to the consideration of the duration as an aggravating factor, the EDPB notes that it is mentioned in the Draft Decision as one of the elements taken into account to consider the infringements serious[452]. Therefore, the EDPB is of the view that the Draft Decision does not need to be amended regarding the consideration of the duration as an aggravating factor.

396. The HU SA also considers that “the amount of the fine does not reflect either the importance or seriousness of the case or the specific circumstances of the case”[453]. The HU SA further recalls that users and non-users have not been able to exercise their rights given the situation since 24 April 2018.

397. In its submissions, WhatsApp IE considers that data subjects are provided with clear information and refers to the Draft Decision[454]; thus it argues that the claim of the HU SA has no basis in fact[455]. With regard to non-users, WhatsApp IE considers that “the concerns about risk and harm raised […] are unwarranted and based on unsupported speculation”[456]. In general, it states that “neither the [IE SA] nor the CSAs have put forward any evidence to support claims of any harm or risk to users or non-users arising from the infringements alleged, and certainly not the kind of harm that would warrant an increase to the proposed very significant fine”[457].

398. The EDPB notes that the HU SA refers to the “circumstances of the case” and its seriousness and importance. However, the EDPB considers that the objection fails to identify which elements relating to the “importance, seriousness or the specific circumstances of the case” have not been considered for the calculation of the amount of the fine, given that the IE SA considers the infringement very serious in nature and severe in gravity[458]. Therefore, the EDPB is of the view that the Draft Decision does not need to be amended regarding the qualification of the seriousness of the infringement as an aggravating factor. With regard to the assessment of whether the fine is proportionate, effective and dissuasive in light of these elements, the EDPB refers to paragraph 405 and following of the present decision.

399. Concerning the weight given to the number of data subjects concerned, the DE SA considers that the IE SA did not give it a sufficiently aggravating effect, also in light of the very significant level of non-compliance[459]. The DE SA further notes that the amount of the proposed fine would be, at most, 0.11€ per affected data subject. In the Composite Response, the IE SA expressed its view that it has appropriately assessed and weighed the Article 83(2) GDPR criteria[460]. In this respect, the Draft Decision states that “the Infringements (collectively and individually) are very serious, both in terms of the extremely large number of data subjects potentially affected and the severe consequences that flow from the failure to comply with the transparency requirements (with particular reference to the impact of the Article 14 infringement on non-users)”[461].

400. In its submissions, WhatsApp IE argues that this element has already been taken into account by the IE SA. WhatsApp IE further argues that “the number of data subjects is only a relevant factor if this can be linked to damage caused to those data subjects” and that “neither the [IE SA] nor the CSAs have articulated any risk or harm arising from the infringements”[462].

401. The EDPB recalls that the number of data subjects affected should be assessed in order to identify whether this is an isolated event or symptomatic of a more systemic breach or lack of adequate routines in place[463]. The EDPB acknowledges that the Draft Decision adequately qualifies the infringements as very serious in terms of the affected number of data subjects and the consequences of the non-compliance in light of the facts of the case[464]. With regard to the assessment of whether the fine is proportionate, effective and dissuasive in light of these elements, the EDPB refers to paragraph 405 and following of the present decision.

402. With regard to the degree of responsibility of WhatsApp IE (Article 83(2)(d) GDPR), the EDPB notes the subordinate objection raised by the IT SA on the elements related to the character of the infringement, which the EDPB will analyse given its conclusion on the lack of intentionality. In this regard, the EDPB notes that the elements raised by the IT SA are already taken into account by the IE SA in its Draft Decision to consider the degree of negligence high[465]. In addition, the IE SA considers the degree of responsibility of WhatsApp IE as “a further aggravating factor, in the case of non-users, given the total failure to provide the required information” and notes that “WhatsApp fell significantly short of what it might have been expected to do”[466]. Taking into account that the IE SA considered the degree of negligence as high on the basis, inter alia, of the elements mentioned by the IT SA, and that the IE SA finds as an aggravating factor WhatsApp IE’s failure to provide information in the context of its processing of non-users’ data[467], the EDPB considers that the Draft Decision does not need any amendments in this regard.

403. Concerning other aggravating factors in accordance with Article 83(2)(k) GDPR, the IT SA considers that the Draft Decision does not appropriately take into account the relationship between transparency and the impact on WhatsApp IE’s policies aimed at increasing the number of service users. The IT SA cites some media reports that, in its view, demonstrate the conclusions reached by the IE SA in the Supplemental Draft. While the relationship between compliance with transparency obligations and users’ behaviour, and the consequence on WhatsApp IE’s choices, also from a financial point of view, may be taken into account when assessing potential aggravating factors, the EDPB considers that the specific media reports referred to by the IT SA in this case are not sufficient to provide adequate evidence, also taking into account that they refer to a specific customer behaviour that may have been triggered by different, albeit simultaneous, events[468]. The EDPB also notes that the IT SA assumes the reason for WhatsApp IE’s decision to delay the application of its privacy policy. In this regard, WhatsApp IE claims that such decision “was made in order to allow WhatsApp Ireland the opportunity to clear up misinformation that was circulating and had been causing concern among users, based on misunderstandings of how privacy and security works on WhatsApp”[469]. The EDPB recalls that, when deciding on the imposition of corrective measures in general, and fines in particular, “supervisory authorities must assess all the facts of the case in a manner that is consistent and objectively justified”[470]. Taking the above into account, the EDPB is not in a position to consider, on the basis of the elements provided by the IT SA, that the IE SA should change its conclusion in this matter.

404. On the basis of the above, the EDPB considers that the IE SA has adequately qualified the relevance of the elements of Article 83(2) GDPR. Those elements should therefore be given due regard for the imposition of a fine that is proportionate, effective and dissuasive as per Article 83(1) GDPR. In the following paragraphs, the EDPB assesses whether the proposed fine fulfils the criteria of Article 83(1) GDPR.

The application of the criteria under Article 83(1) GDPR

405. Article 83(1) GDPR provides that “[each] supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive”.

406. As indicated above, there is a disagreement between the IE SA and DE SA about whether the turnover figure is relevant only to determine the maximum fine that can be lawfully imposed, or whether it is also potentially relevant in the calculation of the fine amount.

407. WhatsApp IE’s position is that “[the] sole relevance of turnover for the purpose of Article 83 GDPR is to ensure that any proposed fine - once calculated - does not exceed the maximum fining caps set out in Articles 83(4) to (6) GDPR.” Furthermore, WhatsApp IE states that “turnover is not a relevant factor to take into account as part of the Article 83(2) GDPR assessment” because this provision “prescriptively lists the relevant factors that can be taken into account and the legislature chose not to include turnover as a specific factor”[471]. WhatsApp IE rejects the notion that “sensitivity to punishment needs to be taken into account and that the fine needs to have a noticeable impact on the profits of an undertaking”, as was raised by the DE SA. Moreover, in WhatsApp IE’s view “such an interpretation would be contrary to legal certainty as such a precise factor should have been expressly included in Article 83(2) GDPR”[472].

408. “Turnover” is mentioned explicitly in Article 83(4)-(6) GDPR, in connection with the calculation of the maximum fine amount applicable to undertakings with a total annual turnover in the previous financial year that amounts to more than 500 million EUR (the dynamic maximum fine amount). The aim is clear: to ensure an effective, appropriate and dissuasive fine can be applied to deter even the largest undertakings. The Guidelines on Administrative Fines state that “[i]n order to impose fines that are effective, proportionate and dissuasive, the supervisory authority shall use for the definition of the notion of an undertaking as provided for by the CJEU for the purposes of the application of Article 101 and 102 TFEU”[473]. The connection is made between the size of the undertaking, measured in terms of turnover, and the magnitude a fine needs to have in order to be effective, proportionate and dissuasive. In other words, the size of an undertaking - measured in terms of turnover - matters.

409. Though it is true that neither Article 83(2) GDPR nor Article 83(3) GDPR refer to the notion of turnover, drawing from this an absolute conclusion that turnover may be considered exclusively to calculate the maximum fine amount is unsustainable in law. Firstly, including a reference to turnover in these provisions is unnecessary, as on the one hand all fines - whether set close to the upper limit or far below it - must be set at a level that is effective, proportionate and dissuasive (cf. Article 83(1) GDPR), and on the other hand the dynamic maximum fine amount sets out the limits within which the SAs may exercise their fining power. Secondly, it would be internally contradictory for the GDPR to introduce a dynamic upper limit to fines, while at the same time prohibiting supervisory authorities from assessing whether a fine might need to be increased or decreased in light of the turnover of a company - again - to ensure it is effective, proportionate and dissuasive (cf. Article 83(1) GDPR).

410. The words “due regard shall be given to the following” in Article 83(2) GDPR by themselves do not indicate the list is an exhaustive one. The wording of Article 83(2)(k) GDPR, which allows for any other aggravating or mitigating factor to be taken into account - even though not explicitly described - supports this view.

411. The application of a dynamic maximum fine amount is not a novelty in EU law, as this is a well-established notion in European competition law. While the EDPB concedes there are differences between both systems, the similarities are such that CJEU case law from the field of competition law may serve to clarify a number of questions on the application of the GDPR. In particular, the EDPB notes that taking into consideration turnover - as one relevant element among others - for the calculation of fines is an accepted practice in the field of competition law[474].

412. In light of all of the above, the EDPB takes the view that the turnover of an undertaking is not exclusively relevant for the determination of the maximum fine amount in accordance with Article 83(4)-(6) GDPR, but it may also be considered for the calculation of the fine itself, where appropriate, to ensure the fine is effective, proportionate and dissuasive in accordance with Article 83(1) GDPR. The EDPB therefore instructs the IE SA to take this into account in the present case in the context of amending its Draft Decision on the basis of this binding decision.

***

413. As stated in the Guidelines on Administrative Fines, the assessment of the effectiveness, proportionality and dissuasiveness of a fine has to “reflect the objective pursued by the corrective measure chosen, that is either to re-establish compliance with the rules, or to punish unlawful behaviour (or both)”[475].

414. The EDPB underlines that, in order to be effective, a fine should reflect the circumstances of the case. Such circumstances not only refer to the specific elements of the infringement, but also those of the controller or processor who committed the infringement, namely its financial position.

415. Similarly, the EDPB recalls that the CJEU has consistently held that a dissuasive penalty is one that has a genuine deterrent effect. In that respect, a distinction can be made between general deterrence (discouraging others from committing the same infringement in the future) and specific deterrence (discouraging the addressee of the fine from committing the same infringement again)[476]. Moreover, in order to be proportionate, the severity of penalties must be commensurate with the seriousness of the infringements for which they are imposed[477]. It follows that fines must not be disproportionate to the aims pursued, that is to say, to compliance with the data protection rules and that the amount of the fine imposed on an undertaking must be proportionate to the infringement viewed as a whole, account being taken in particular of the gravity of the infringement[478].

416. Therefore, when determining whether a fine fulfils the requirements of Article 83(1) GDPR, due account must be given to the elements identified on the basis of Article 83(2) GDPR. In this regard, the EDPB notes that, although the Draft Decision contains a detailed assessment of the different elements, it is unclear how those impact the proposed fine. In particular, the EDPB notes that the IE SA refers to the “nature, gravity and duration of the infringement” and “to the potential number of data subjects affected” when determining the fine range[479]. In addition, the IE SA considers that the only mitigating factors (i.e. the limited categories of personal data and WhatsApp IE’s willingness to amend its Privacy Policy and related material) cannot be attributed “significant weight” given the “overall seriousness and severity” of the infringements[480].

417. In its objection, the HU SA argues that the fine is ineffective, disproportionate and non-dissuasive, since the elements of Article 83(2) GDPR have not been given due regard, and that the IE SA cannot rely on the FR SA’s decision on Google LLC in order to determine the amount of the fine, given the higher number of data subjects affected in the present case. The IE SA clarifies that the FR SA’s decision was only considered after the fines were calculated, in order to ensure the overall consistency of the application of the GDPR[481], and underlines the differences between the two cases. The EDPB takes note of the views expressed by WhatsApp IE, according to which not only did the HU SA mischaracterise the IE SA’s reliance on the FR SA’s decision, but any such reliance was in any event not appropriate[482]: while the FR SA’s decision was limited to French residents, the scope of the processing at issue there was much broader and had a more significant impact on the rights and freedoms of data subjects than the processing subject to the Inquiry, and it included a finding of infringement of Article 6 GDPR in addition to transparency obligations[483]. According to WhatsApp IE, to the extent that the IE SA relies on the FR SA’s decision in determining a fine at the higher end of the proposed range, that decision should be disregarded[484].

418. As stated above, the DE SA also considers that the amount of the fine does not reflect the seriousness of the infringement, in light of the number of data subjects affected. Further, the DE SA also highlighted in its objection the need for the fine to have a “general preventive effect”, since the envisaged fine will instead lead other controllers to “conclude that even total disrespect [for] data protection laws would not lead to significant administrative fines”[485].

419. The EDPB takes note of the position of WhatsApp IE, which is that the fine set out in the Draft Decision is excessive and therefore inconsistent with Article 83(1) GDPR[486].

420. The EDPB agrees with the argument of the IE SA on the need to ensure overall consistency in the approach when imposing corrective measures, specifically regarding fines. To this end, even though consideration of fines imposed by other SAs may be insightful, the EDPB underlines that the criteria in Articles 83(1) and 83(2) GDPR remain the main elements to be considered when determining the amount of the fine. In the present case, the EDPB notes that the IE SA has considered the infringements very serious in nature and severe in gravity, with particular reference to the Article 14 GDPR infringement, and amounting to a high degree of negligence, with the degree of responsibility constituting a further aggravating factor. In addition, the IE SA does not attribute significant weight to any mitigating factor[487]. All these elements shall be given due regard when determining the proportionality of the fine. In other words, a fine must reflect the gravity of the infringement, taking into account all the elements that may lead to an increase (aggravating factors) or a decrease of the amount. Likewise, as stated above, the turnover of the undertaking is also relevant for the determination of the fine itself. Otherwise, the objective of attaining fines which are effective, proportionate and dissuasive would not be met.

421. In sum, when considering whether the proposed fine is effective, proportionate and dissuasive, the EDPB has taken into account the turnover of the undertaking concerned, the infringements that occurred and the elements identified under Article 83(2) GDPR.

422. Considering the global annual turnover, the infringements found and the aggravating factors correctly identified by the IE SA, the EDPB considers that the proposed fine neither adequately reflects the seriousness and severity of the infringements nor has a dissuasive effect on WhatsApp IE. Therefore, the fine does not fulfil the requirement of being effective, proportionate and dissuasive. In light of this, the EDPB directs the IE SA to amend its Draft Decision in order to remedy the issue identified when it proceeds with the overall reassessment of the amount of the administrative fine, in accordance with section 9.4.

9.4 The reassessment of the administrative fine

423. The EDPB instructs the IE SA to re-assess its envisaged corrective measure in terms of administrative fine in accordance with the conclusions reached by the EDPB, namely:

- the relevant turnover is the global annual turnover of all the component companies of the single undertaking (paragraph 292);

- the relevant turnover is the one corresponding to the financial year preceding the date of the final decision taken by the LSA pursuant to Article 65(6) GDPR (paragraph 298);

- the relevant turnover is to be used both for the determination of the maximum fine amount and, where appropriate, for the calculation of the fine itself, to ensure the fine is effective, proportionate and dissuasive (paragraph 412);

- the amount of the fine shall appropriately reflect the aggravating factors identified in the Draft Decision under Article 83(2) GDPR, to ensure the fine is proportionate (paragraph 404);

- the additional infringements identified of Articles 5(1)(a), 13(1)(d) and 13(2)(e) GDPR, and the extended scope of the infringement of Article 14 GDPR, are to be reflected in the amount of the fine, as brought up by several CSAs in their objections[488];

- all the infringements identified in the Draft Decision, as well as the additional ones identified in the present decision, are to be taken into account when calculating the amount of the fine, in accordance with the EDPB’s interpretation of Article 83(3) GDPR (paragraph 327).

424. In light of the above, the EDPB instructs the IE SA to set out a higher fine amount for the infringements identified, in comparison with the administrative fine envisaged in the Draft Decision, while remaining in line with the criteria of effectiveness, proportionality, and dissuasiveness enshrined in Article 83(1) GDPR.

10 BINDING DECISION

425. In light of the above and in accordance with the task of the EDPB under Article 70(1)(t) GDPR to issue binding decisions pursuant to Article 65 GDPR, the EDPB issues the following binding decision in accordance with Article 65(1)(a) GDPR:

426. On the objections concerning a possible finding of an infringement of Article 13(1)(d) GDPR:

- In relation to the objections of the DE, IT and PL SAs on the possible finding of an infringement of Article 13(1)(d) GDPR, the EDPB decides that they meet the requirements of Article 4(24) GDPR and instructs the IE SA to find in its final decision that there has been an infringement of Article 13(1)(d) GDPR, on the basis of the shortcomings identified by the EDPB.

427. On the objections concerning the Lossy Hashing procedure:

- With regard to the relevant and reasoned objections pursuant to Article 4(24) GDPR of the DE SA, the FR SA, the HU SA, the NL SA, the IT SA and the PT SA, as well as on the basis of the analysis carried out and the information available to it, the EDPB concludes that the table of lossy hashes together with the associated users’ phone numbers (the Non-User List) constitutes personal data, and instructs the IE SA to amend its Draft Decision accordingly.

428. On the objections relating to the possible further (or alternative) infringements of the GDPR identified by the CSAs:

- With regard to the two objections by the DE SA relating to the limited scope of the investigation and the objections by the HU SA on the possible invalidity of consent and on the possible additional infringements of Articles 5(1)(a) and 5(2) GDPR, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of these objections as they do not meet the requirements of Article 4(24) GDPR.

- In relation to the objection of the IT SA on the possible infringement of Article 5(1)(a) GDPR, the EDPB decides that it meets the requirements of Article 4(24) GDPR and, in light of the gravity and the overarching nature and impact of the infringements, the IE SA is required to include in its final decision a finding of an infringement of the transparency principle enshrined in Article 5(1)(a) GDPR.

- Regarding the objection of the DE SA on the possible further infringement of Article 13(2)(e) GDPR, the EDPB decides that the requirements of Article 4(24) GDPR are fulfilled and requires the IE SA to include in its final decision a finding of an infringement of Article 13(2)(e) GDPR (instead of issuing a mere recommendation).

- In relation to the objection by the DE SA arguing that the pseudonymised data regarding non-users is not processed lawfully and that there is therefore an infringement of Article 6(1) GDPR, the file submitted to the EDPB does not contain sufficient elements that would allow the EDPB to establish the existence of an infringement of Article 6(1) GDPR. Therefore, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objection raised by the DE SA with respect to the lawfulness of the processing of non-users’ data.

- Regarding the objections of the IT SA, the NL SA and the PT SA relating to the additional infringement of Article 14 GDPR, the EDPB decides that they meet the requirements of Article 4(24) GDPR and that the IE SA is required to amend its Draft Decision to reflect that the infringement of Article 14 GDPR extends to the processing of non-users’ data in the form of Non-User Lists after the lossy hashing procedure was applied.

- In relation to the objection of the HU SA regarding the additional infringement of Article 5(1)(c) GDPR, the EDPB decides that, while it meets the requirements of Article 4(24) GDPR, the file does not contain sufficient elements to allow the EDPB to establish the existence of an infringement of Article 5(1)(c) GDPR and, therefore, the IE SA is not required to amend its Draft Decision in this regard.

429. On the objections concerning the proposed order to bring processing into compliance:

- In relation to the objection by the HU SA on the deadline for compliance provided for in the proposed order, the EDPB decides that it meets the requirements of Article 4(24) GDPR and requires the IE SA to amend its Draft Decision to the effect that the six-month deadline for compliance is reduced to three months.

- In relation to the objection by the HU SA on the provision of information to non-users, the EDPB decides that, while it meets the requirements of Article 4(24) GDPR, given the arguments raised and the fact that the Draft Decision already instructs WhatsApp IE to give careful consideration to the placement of the public notice to non-users, there is no need to amend the Draft Decision in that regard.

- With regard to the objection by the NL SA concerning the amendment of policies that would be necessary for WhatsApp IE to remedy the infringement of Article 14 GDPR, the EDPB decides that it meets the requirements of Article 4(24) GDPR and directs the IE SA to ensure that the order to bring processing into compliance, to the extent that it covers the infringement of Article 14 GDPR, clearly reflects the expanded scope of the infringement of this provision as described in section 7.4.4.2 above.

430. On the objections concerning the corrective measures, in particular the administrative fine:

- In relation to the objection by the DE SA regarding the turnover figure of the preceding financial year, the EDPB decides that it meets the requirements of Article 4(24) GDPR and instructs the IE SA to amend its Draft Decision in order to: (a) take into account the total turnover of all the component companies of the single undertaking for the purpose of calculating the amount of the fine itself; (b) consider the date of the final decision taken by the LSA pursuant to Article 65(6) GDPR as the event from which the preceding financial year should be determined.

- In relation to the objections of the DE SA, FR SA and PT SA concerning the application of Article 83(3) GDPR, the EDPB decides that they meet the requirements of Article 4(24) GDPR and that the IE SA is required to amend its Draft Decision with respect to Article 83(3) GDPR in order to also take into account the other infringements – in addition to the gravest infringement – when calculating the fine, subject to the criteria of effectiveness, proportionality and dissuasiveness in Article 83(1) GDPR.

- Regarding the objections of the DE SA, the IT SA, and the HU SA, concerning the application of the criteria under Art. 83(1) and 83(2) GDPR, the EDPB considers the objections to be in line with the requirements of Article 4(24) GDPR. With regard to the objections of the IT SA and the HU SA on the intentional character of the infringement, the EDPB considers that the arguments put forward by the IT and HU SAs fail to provide objective elements that indicate the intentionality of the behaviour. With regard to the assessment of the other criteria under Article 83(2) GDPR contested by the DE, IT and HU SAs in their objections, the EDPB considers that the IE SA has adequately qualified the relevance of the elements of Article 83(2) GDPR and, therefore, the Draft Decision does not need to be amended in this regard. However, considering the global annual turnover, the infringements found and the aggravating factors correctly identified by the IE SA, the EDPB decides that the fine does not fulfil the requirement of being effective, proportionate and dissuasive in accordance with Article 83(1) GDPR.

- In light of this, the EDPB instructs the IE SA to re-assess its envisaged corrective measure in terms of administrative fine in accordance with section 9.4 of the present binding decision and to amend its Draft Decision by setting out a higher fine amount for the infringements identified, in comparison with the administrative fine envisaged in the Draft Decision, while remaining in line with the criteria of effectiveness, proportionality, and dissuasiveness enshrined in Article 83(1) GDPR.

- In relation to the objection of the PL SA concerning the decision of the IE SA to issue not a fixed sum but a range when assessing the fine, the EDPB decides that the IE SA is not required to amend its Draft Decision on the basis of the objection raised as it does not meet the requirements of Article 4(24) GDPR.

11 FINAL REMARKS

431. This binding decision is addressed to the IE SA and the CSAs. The IE SA shall adopt its final decision on the basis of this binding decision pursuant to Article 65(6) GDPR.

432. Regarding the objections deemed not to meet the requirements stipulated by Article 4(24) GDPR, the EDPB does not take any position on the merits of any substantive issues raised by these objections. The EDPB reiterates that its current decision is without prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.

433. According to Article 65(6) GDPR, the IE SA shall communicate its final decision to the Chair within one month after receiving the binding decision.

434. Once such communication is done by the IE SA, the binding decision will be made public pursuant to Article 65(5) GDPR.

435. Pursuant to Article 70(1)(y) GDPR, the IE SA’s final decision communicated to the EDPB will be included in the register of decisions which have been subject to the consistency mechanism.

For the European Data Protection Board

The Chair

(Andrea Jelinek)

  1. OJ L 119, 4.5.2016, p. 1.
  2. References to “Member States” and “EU” made throughout this decision should be understood as references to “EEA Member States” and “EEA” respectively.
  3. Draft Decision, paragraph 17.
  4. Note: the term “non-user” has been used throughout the inquiry by the IE SA and throughout this decision to denote an individual data subject who does not have an account with WhatsApp.
  5. Draft Decision, paragraph 3.
  6. Draft Decision, paragraphs 3-5.
  7. Draft Decision, paragraph 16.
  8. The Internal Market Information (IMI) is the information and communication system mentioned in Article 17 of the EDPB Rules of Procedure.
  9. Amongst the documents sent by the IE SA, there were letters from the controller acknowledging receipt of the relevant documents and furnishing its submissions.
  10. According to Article 65(1)(a) of the GDPR, the Board will issue a binding decision when a supervisory authority has raised a relevant and reasoned objection to a draft decision of the LSA and the LSA has not followed the objection or the LSA has rejected such an objection as being not relevant or reasoned.
  11. The Letter to the EDPB Secretariat was dated 2 June 2021. The submission of the dispute on IMI occurred on 3 June 2021.
  12. Article 65(1)(a) in fine GDPR. Some CSAs raised comments and not per se objections, which were, therefore, not taken into account by the EDPB.
  13. EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 8 October 2020.
  14. EDPB Guidelines 03/2021 on the application of Article 65(1)(a) GDPR, adopted on 13 April 2021 (version for public consultation) (hereinafter, “Guidelines on Art. 65(1)(a)”), paragraphs 94-108.
  15. Guidelines on Art. 65(1)(a), paragraph 97.
  16. Guidelines on Art. 65(1)(a), paragraphs 98-99.
  17. See also Guidelines on Art. 65(1)(a), paragraphs 105-106. In this regard, it was confirmed that WhatsApp IE was afforded its right to be heard against the Preliminary Draft decision, the Supplemental Draft decision, the objections and comments raised by the CSAs, IE SA’s Composite Response, the comments exchanged by the CSAs in response to it, and a provisionally amended extract of Part I of the IE SA’s Draft Decision. The IE SA confirmed it took account of WhatsApp IE’s submissions on the Preliminary Draft decision and on the Supplemental Draft Decision in the process of consolidating them into the Composite Draft. A copy of the Composite Draft was provided to WhatsApp IE on 24 December 2020. Within its submissions in response to the material that would be put to the EDPB for the purpose of the present Article 65 GDPR procedure, WhatsApp IE included also its additional submissions in relation to the Composite Draft. In a letter dated 9 June 2021, WhatsApp IE explicitly confirmed that WhatsApp IE was afforded the opportunity to submit its views on the Composite Draft.
  18. Guidelines on Art. 65(1)(a), paragraph 105.
  19. EDPB Rules of Procedure, adopted on 25 May 2018, as last modified and adopted on 8 October 2020.
  20. EDPB Guidelines 9/2020 on the concept of relevant and reasoned objection, version 2 adopted on 9 March 2021, (hereinafter, “Guidelines on RRO”).
  21. See EDPB Guidelines 03/2021 on the application of Article 65(1)(a) GDPR, adopted on 13 April 2021 (version for public consultation) (hereinafter, “Guidelines on Art. 65(1)(a)”), paragraph 63 (“The EDPB will assess, in relation to each objection raised, whether the objection meets the requirements of Article 4(24) GDPR and, if so, address the merits of the objection in the binding decision.”)
  22. Draft Decision, paragraph 341.
  23. Draft Decision, paragraphs 397-399.
  24. The text contains several embedded links (such as under “Facebook Company Products” or “Our Services”) that lead to further information.
  25. Draft Decision, paragraph 398.
  26. Draft Decision, paragraph 392.
  27. Draft Decision, paragraphs 393-394.
  28. The Investigator originally proposed a finding of an infringement of Article 13(1)(d) GDPR along with the finding of an infringement of Article 13(1)(c) GDPR, stating that the Legal Basis Notice “[conflated] the purposes of the processing of personal data with the legitimate interests relied upon to process personal data, without setting out any specific information in relation to the processing operation(s) or set of operations involved”. Draft Decision, paragraphs 392-394.
  29. Draft Decision, paragraph 398; paragraphs 345-354.
  30. Draft Decision, paragraph 398. The Decision Maker noted the concerns expressed by the Investigator as to the lack of clarity concerning whether the legitimate interests being pursued were those of the controller or of a third party but did not share such concerns.
  31. Draft Decision, paragraph 399.
  32. Article 29 Data Protection Working Party, Guidelines on transparency under Regulation 2016/679, WP260 rev.01, as last revised and adopted on 11 April 2018 (hereinafter, “Transparency Guidelines”). During its first plenary meeting, the EDPB endorsed the GDPR-related WP29 Guidelines.
  33. Draft Decision, paragraph 264.
  34. See paragraph 13 above.
  35. IE SA Composite Response, paragraph 31.
  36. IE SA Composite Response, paragraph 33.
  37. IE SA Composite Response, paragraph 34.
  38. IE SA Composite Response, paragraph 36.
  39. Guidelines on RRO, paragraph 13.
  40. WhatsApp Article 65 Submissions, paragraph 20.5.
  41. See footnote 21 above.
  42. WhatsApp Article 65 Submissions, paragraph 20.9.
  43. Article 4(24) GDPR.
  44. WhatsApp Article 65 Submissions, paragraph 20.2.
  45. WhatsApp Article 65 Submissions, paragraph 20.6.
  46. WhatsApp Article 65 Submissions, paragraph 20.10.
  47. WhatsApp Article 65 Submissions, paragraph 20.3(A). Such statement was: “The terminology utilised with regard to the legitimate interests impacting people under the age of majority refers to individuals above 16 years of age and is accordingly appropriate”.
  48. WhatsApp Article 65 Submissions, paragraph 20.7.
  49. In this respect, it is to be noted that the IT SA objection in any case acknowledged that this specific statement was “the allegation made by WA” and that it “does not appear that the DPC has provided sufficient reasoning for its position in this respect”.
  50. WhatsApp Article 65 Submissions, paragraph 20.11.
  51. These objections being those of the DE SA, PL SA and IT SA on the infringement of Article 13(1)(d) GDPR.
  52. WhatsApp Article 65 Submissions, paragraph 21.2(A).
  53. WhatsApp Article 65 Submissions, paragraph 21.3(A).
  54. WhatsApp Article 65 Submissions, paragraph 21.2(B).
  55. WhatsApp Article 65 Submissions, paragraph 21.4(A).
  56. Draft Decision, paragraph 393.
  57. Draft Decision, paragraphs 398-399.
  58. Draft Decision, paragraph 398.
  59. See paragraph 30 above.
  60. See paragraph 31 above.
  61. See paragraph 29 above.
  62. DE SA Objection, p. 6.
  63. Transparency Guidelines, paragraph 4 (page 5). This passage was also recalled by the Draft Decision in paragraph 291.
  64. Transparency Guidelines, paragraph 4 (page 5).
  65. Transparency Guidelines, annex, page 36.
  66. See also Recitals 60 and 61 GDPR.
  67. Transparency Guidelines, paragraph 4 (page 5).
  68. Draft Decision, paragraph 299.
  69. Draft Decision, paragraph 300 (see also 299 f.).
  70. Draft Decision, paragraphs 392-393.
  71. This was also initially found by the IE SA at the investigation stage. Draft Decision, paragraph 393.
  72. This also corresponds to the findings with regard to the infringement of Article 13(1)(c) GDPR as elaborated in the Draft Decision.
  73. Draft Decision, paragraph 341.
  74. Transparency Guidelines, p. 9. Examples of “poor practice” mentioned by the Guidelines are: “We may use your personal data to develop new services” (as it is unclear what the “services” are or how the data will help develop them); “We may use your personal data for research purposes” (as it is unclear what kind of “research” this refers to); and “We may use your personal data to offer personalised services” (as it is unclear what the “personalisation” entails).
  75. Draft Decision, paragraph 341.
  76. Draft Decision, paragraph 341.
  77. Draft Decision, paragraph 341.
  78. Draft Decision, paragraph 341.
  79. See “Good Practice Examples”, Transparency Guidelines, page 9.
  80. Draft Decision, paragraph 40.
  81. Draft Decision, paragraph 147.
  82. Draft Decision, paragraph 101.
  83. As these findings are not part of the dispute at hand, the EDPB will not reflect on these findings and therefore neither on the position raised by WhatsApp IE.
  84. Draft Decision, paragraph 103.
  85. Draft Decision, paragraph 40.
  86. DE SA Objection, p. 11.
  87. See the Draft Decision, paragraph 747-c.
  88. PT SA Objection, paragraph 46.
  89. This scenario is presented in paragraph 66 of the Draft Decision and refers to the possibility for WhatsApp IE, if requested to do so by a competent authority, to achieve the indirect identification of the non-user concerned by subjecting any mobile phone number provided by the authority to the new user process, with a view to identifying those existing users who have the number in their address books.
  90. IT SA Objection, p. 3.
  91. Letter to the EDPB Secretariat, dated 2 June 2021, p. 2.
  92. IE SA Composite Response, paragraph 38 and following.
  93. IE SA Composite Response, paragraph 56.
  94. Article 29 Working Party, Opinion 05/2014 on Anonymisation Techniques (10 April 2014), WP216 ("WP29 Opinion 05/2014").
  95. IE SA Composite Response, paragraph 56.e.
  96. IE SA Composite Response, paragraph 57.
  97. DE SA Objection, p. 11.
  98. DE SA Objection, p. 12.
  99. More specifically, WhatsApp IE claims that the objections of the CSAs are not sufficiently reasoned as they rely “(i) on mischaracterisations of the process, (ii) hypothetical and unsupported scenarios that do not enable identification of the non-user including in a manner that would satisfy the test set out in Breyer, and (iii) inaccurate statements that certain information and means would be available to WhatsApp Ireland to enable the identification of the non-user” (WhatsApp Article 65 Submissions, paragraphs 24.2 to 24.8).
  100. See footnote 21 above.
  101. FR SA Objection, p. 1-2.
  102. PT SA Objection, paragraph 55.
  103. HU SA Objection, p. 5.
  104. NL SA Objection, p. 1-8.
  105. IT SA Objection, p. 2-3.
  106. These objections are those of the DE SA, FR SA, HU SA, IT SA and PT SA.
  107. WhatsApp Article 65 Submissions, paragraph 3.3, step 3.
  108. WhatsApp Submissions in response to the Lossy Hashing objections (hereinafter, “WhatsApp LH Submissions”), paragraph 9.
  109. WhatsApp Article 65 Submissions, paragraph 3.3; WhatsApp LH Submissions, paragraph 9.
  110. Article 4(1) GDPR: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
  111. Recital 26 GDPR: “Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments”.
  112. WP29 Opinion 05/2014, page 5.
  113. IE SA Composite Response, paragraph 56.e.
  114. WhatsApp Article 65 Submissions, paragraph 25.9.
  115. WhatsApp LH Submissions, paragraphs 20 and 29.
  116. See also WP29 Opinion 05/2014, page 10 (“for data protection law to apply, it does not matter what the intentions are of the data controller or recipient. As long as the data are identifiable, data protection rules apply.”).
  117. IE SA Composite Response, paragraph 56.d.
  118. Recital 26 GDPR.
  119. Draft Decision, paragraph 40.
  120. WhatsApp Article 65 Submissions, paragraph 3.3 Step 3.
  121. IE SA Composite Response, paragraph 56.
  122. See WhatsApp Article 65 Submissions, paragraph 25.12; WhatsApp LH Submissions, paragraphs 12 ff. and 17 ff.
  123. WhatsApp Article 65 Submissions, paragraph 3.16.
  124. For completeness’ sake, the 39 bits kept allow for the representation of over 500 billion distinct values, which for all practical purposes should provide sufficient assurance that the appearance of collisions in practice is not significant.
  125. This is particularly evident as the Contact Feature, according to the information provided by WhatsApp IE, does transfer any phone number, not only mobile phone numbers, and then applies the lossy hashing procedure to the non-user numbers.
  126. See also PT SA Objection, paragraph 39.
  127. WP29 Opinion 05/2014, page 24.
  128. See also HU SA Objection, page 4, noting that re-identification may be achieved by means of data in another database that the controller or another person may access.
  129. See also PT SA Objection, paragraph 42.
  130. See for instance L. Backstrom, C. Dwork and J. Kleinberg, “Wherefore art thou R3579X? Anonymized social networks, hidden patterns, and structural steganography”, Proceedings of the 16th International Conference on World Wide Web (WWW 2007), pp. 181-190.
  131. See NL SA Objection, paragraphs 17 and 18, and FR SA Objection, page 2. WhatsApp IE in its Submissions (WhatsApp LH Submissions) argues that it does not have a “social graph network” of the sort that appears envisaged by the objection, and that the service could be described as a “social graph network” only relating to the links between existing users of the service (and not non-users). However, the EDPB considers that the data provided in the Non-Users list is sufficient to allow for graph-based attacks, considering the means available to WhatsApp IE.
  132. By this finding the EDPB also disagrees with WhatsApp IE’s position in its Submission (WhatsApp LH Submissions, paragraph 14 and following), that the data is not pseudonymous but rather anonymous.
  133. Draft Decision, paragraph 4.
  134. Draft Decision, paragraph 5.
  135. DE SA Objection, p. 2.
  136. DE SA Objection, p. 4.
  137. DE SA Objection, p. 7.
  138. DE SA Objection, p. 7.
  139. DE SA Objection, p. 8.
  140. IE SA Composite Response, paragraph 12.
  141. IE SA Composite Response, paragraph 14.
  142. IE SA Composite Response, paragraph 16.a.
  143. IE SA Composite Response, paragraph 16.a.
  144. IE SA Composite Response, paragraph 16.e.
  145. IE SA Composite Response, paragraph 16.d.
  146. IE SA Composite Response, paragraph 16.b.
  147. IE SA Composite Response, paragraph 16.b.
  148. IE SA Composite Response, paragraph 16.c.
  149. IE SA Composite Response, paragraphs 16.d. and 17.a.
  150. IE SA Composite Response, paragraph 16.d.
  151. IE SA Composite Response, paragraph 17.a.
  152. IE SA Composite Response, paragraph 16.f.
  153. IE SA Composite Response, paragraph 19.
  154. Guidelines on RRO, paragraph 27.
  155. Guidelines on RRO, paragraph 19.
  156. Guidelines on RRO, paragraph 13.
  157. Guidelines on RRO, paragraph 16.
  158. DE SA Objection, p. 3.
  159. DE SA Objection, p. 7-8.
  160. Guidelines on RRO, paragraph 14.
  161. Guidelines on RRO, paragraph 37.
  162. See, for example, paragraphs 294, 301, 691, 699 and 769 of the Draft Decision.
  163. See, for example, paragraphs 294, 301 and 609 of the Draft Decision.
  164. IE SA Composite Response, paragraph 12.
  165. IE SA Composite Response, paragraphs 14 and 18(a).
  166. IE SA Composite Response, paragraph 18(b)(i).
  167. See paragraph 13 above.
  168. IE SA Composite Response, paragraph 12.
  169. IE SA Composite Response, paragraphs 14 and 20(b).
  170. See paragraph 13 above.
  171. Guidelines on RRO, paragraph 37.
  172. In this respect, the objection of the IT SA makes reference to specific passages of the Draft Decision that refer to Article 5(1)(a) GDPR.
  173. Guidelines on RRO, paragraph 13.
  174. Guidelines on RRO, paragraph 26.
  175. WhatsApp Article 65 Submissions, paragraphs 11.2 and 11.3.
  176. Guidelines on RRO, paragraphs 17 and 19.
  177. The objection refers, in particular, to paragraphs 691, 699 and 769 of the Draft Decision.
  178. WhatsApp Article 65 Submissions, paragraph 11.6.
  179. WhatsApp Article 65 Submissions, paragraphs 11.11 and 11.12.
  180. See footnote 21 above.
  181. IT SA Objection, p. 5.
  182. IT SA Objection, p. 5.
  183. IT SA Objection, p. 5.
  184. IE SA Composite Response, paragraph 18(a)(i), as referred to in paragraph 20 of the Composite Response (emphasis added).
  185. WhatsApp Article 65 Submissions, paragraphs 12.1 and 13.2(A). See also paragraphs 35.22-35.24 (concerning the interpretation of Article 83(3) GDPR but referring to the principle of ne bis in idem as enshrined in Article 50 of the Charter).
  186. FR SA Response, page 2.
  187. WhatsApp Article 65 Submissions, paragraph 12.2.
  188. WhatsApp Article 65 Submissions, paragraph 12.3.
  189. WhatsApp Article 65 Submissions, paragraph 12.3.
  190. WhatsApp Article 65 Submissions, paragraph 12.3.
  191. WhatsApp Article 65 Submissions, paragraph 12.1.
  192. WhatsApp Article 65 Submissions, paragraph 13.2(B). WhatsApp further argues that it is inappropriate for it not to have the case for infringement put to it in line with the other issues in scope of the inquiry and instead be required to make submissions in the abstract in response to insufficiently particularised reasoning as to the meaning and application of Article 5(1)(a) GDPR, where WhatsApp does not have adequate notice of the nature of the case being made against it.
  193. Transparency Guidelines, paragraph 4.
  194. Transparency Guidelines, paragraph 42.
  195. Transparency Guidelines, paragraph 2.
  196. Transparency Guidelines, paragraph 10.
  197. Transparency Guidelines, paragraph 1.
  198. Peter Puškár v. Finančné riaditeľstvo Slovenskej republiky and Kriminálny úrad finančnej správy (Case C-73/16, judgment delivered on 27 September 2017), ECLI:EU:C:2017:725, § 59.
  198. Draft Decision, paragraph 385.
  199. Draft Decision, paragraph 417.
  200. Draft Decision, paragraph 440.
  201. Draft Decision, paragraph 458.
  202. Draft Decision, paragraph 479.
  203. Draft Decision, paragraphs 167-168.
  204. Draft Decision, paragraph 572.
  205. IE SA Composite Response, paragraph 16.
  206. Draft Decision, paragraph 598.
  207. Draft Decision, paragraph 599.
  208. Draft Decision, paragraph 598.
  209. Draft Decision, paragraph 626.
  210. Draft Decision, paragraph 630.
  211. See, e.g. Draft Decision, paragraph 746.e.
  212. Draft Decision, paragraph 155.
  213. Draft Decision, paragraph 769 (emphasis added).
  214. See, in particular, sections 10-14 of WhatsApp Article 65 Submissions.
  215. Draft Decision, paragraph 489.
  216. Draft Decision, paragraph 496.
  217. Draft Decision, paragraph 501.
  218. Draft Decision, paragraph 500.
  219. Draft Decision, paragraph 501.
  220. DE SA Objection, p. 5.
  221. IE SA Composite Response, paragraph 25.
  222. IE SA Composite Response, paragraph 28.
  223. IE SA Composite Response, paragraph 29.
  224. WhatsApp Article 65 Submissions, paragraphs 16.2-16.5.
  225. See footnote 21 above.
  226. Draft Decision, paragraphs 496 and 499.
  227. Draft Decision, paragraph 500.
  228. Draft Decision, paragraph 501.
  229. Draft Decision, paragraph 1.
  230. Draft Decision, paragraph 498.
  231. Draft Decision, paragraph 499.
  232. EDPB Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, version 2 adopted 8 October 2019, p. 20.
  233. WhatsApp Article 65 Submissions, paragraph 17.6(A).
  234. Transparency Guidelines, paragraph 23.
  235. WhatsApp Article 65 Submissions, paragraph 17.6(B)-(E).
  236. WhatsApp Article 65 Submissions, paragraph 17.6.
  237. On the assessment of the character of such data as personal data, see section 6.4.2 above.
  238. DE SA Objection, p. 11.
  239. Guidelines on Article 65(1)(a), paragraph 73 and Guidelines on RRO, paragraph 26.
  240. Guidelines on Article 65(1)(a), paragraphs 74-76.
  241. Article 60(1) GDPR.
  242. Guidelines on RRO, paragraph 27.
  243. EDPB Binding Decision 01/2020, paragraph 136.
  244. IT SA Objection, section 1.a, pages 2-3; NL SA Objection, paragraph 32 and following; PT SA Objection, paragraph 49 and following.
  245. IT SA Objection, page 3; NL SA Objection, paragraph 36; PT SA Objection, paragraph 49.
  246. See for example Draft Decision, paragraph 139.
  247. Draft Decision, paragraphs 148 (and following) and 168.
  248. However, WhatsApp did provide extensive elements on whether it considers the objections to meet the requirements of Article 4(24) GDPR and on the position of the CSAs that the result of the Lossy Hashing procedure is personal data.
  249. WhatsApp Article 65 Submissions, paragraph 5.1(B).
  250. Draft Decision, paragraphs 639, 800 and Appendix C. The Draft Decision, in paragraphs 641 - 645, refers to WhatsApp’s position on the order in the Supplemental Draft Submissions, paragraphs 1.8, 2.2, 2.3, 2.4, 3.1, 3.2 and 3.4.
  251. Draft Decision, Appendix C.
  252. HU SA Objection, p. 6.
  253. Draft Decision, Appendix C and paragraphs 157 and 158.
  254. IE SA Composite Response, paragraph 100.
  255. IE SA Composite Response, paragraphs 102-103, referring to WhatsApp Supplemental Draft Submissions, paragraphs 19.1 and 19.2.
  256. IE SA Composite Response, paragraphs 102-103, referring to WhatsApp Supplemental Draft Submissions, paragraphs 19.1 and 19.2.
  257. IE SA Composite Response, paragraph 103.
  258. See paragraph 13 above.
  259. IE SA Composite Response, paragraph 103.
  260. Guidelines on RRO, paragraph 32. See also Recital 129 GDPR.
  261. HU SA Objection, p. 7.
  262. WhatsApp considers the objection “does not relate to specific legal and factual content in the Composite Draft”, adding that it is premised on unsubstantiated allegations towards WhatsApp. In addition, WhatsApp considers the HU SA’s objection is not adequately reasoned because it “assumes (incorrectly) that WhatsApp Ireland is unlawfully processing data” and also because “unsubstantiated (and incorrect) claims cannot provide an adequate basis for an objection”. Further, WhatsApp deems the objection does not persuasively articulate how the Draft Decision poses any risk – let alone significant risk – to data subjects, adding that to an extent the HU SA “is making assertions of risk based on unsubstantiated claims of WhatsApp Ireland ‘processing data unlawfully’”. See WhatsApp Article 65 Submissions, 43.2 and 43.4. WhatsApp’s submission goes into the merits of the objection, while not refuting that the HU SA objection articulates concerns about a precise part of the Draft Decision, alleges risks attached to the draft decision impacting data subjects, suggests a specific change to the draft decision and succinctly gives reasons why this is warranted in the HU SA’s view. WhatsApp’s criticism that the wording in the HU SA’s objection, arguing the deadline for compliance “is in serious breach of recital 148 of the GDPR”, is illogical (WhatsApp Article 65 Submissions, 43.4 (B)) is immaterial in assessing whether the objection as a whole (in this instance revolving around whether the corrective measure is effective, proportionate and dissuasive) is reasoned.
  263. See paragraph 132 and following and paragraph 135 and following respectively.
  264. Recital 129 GDPR states that: “[…] each measure should be appropriate, necessary and proportionate in view of ensuring compliance with this Regulation, taking into account the circumstances of each individual case, respect the right of every person to be heard before any individual measure which would affect him or her adversely is taken and avoid superfluous costs and excessive inconveniences for the persons concerned.”
  265. WhatsApp Article 65 Submissions, paragraph 43.4(B).
  266. WhatsApp Article 65 Submissions, paragraphs 44.3-44.4; Supplemental Draft Submissions, section 6.4.C.
  267. Supplemental Draft Submission, paragraph 19.1.
  268. The IE SA refers to “the significance, utility and function of the transparency obligation in the context of the GDPR as a whole” in connection with the proposed order, see Draft Decision, paragraph 642. The IE SA makes its assessment on the number of data subjects affected in connection with article 83(2)(a) GDPR, see Draft Decision, paragraphs 663 - 677.
  269. This is in line with the deadline for compliance initially proposed by the IE SA for actions related to user data. IE SA Composite Response, paragraph 102.
  270. HU SA Objection, p. 5.
  271. Draft Decision, paragraph 158.
  272. Draft Decision, paragraph 158 and Appendix C.
  273. Draft Decision, paragraph 776. WhatsApp agrees with the view taken by the IE SA on this matter. Supplemental Draft Submissions, paragraph 18.5.
  274. Draft Decision, paragraphs 777-799, with emphasis to paragraph 797.
  275. DE SA Objection, p. 13.
  276. DE SA Objection, p. 13.
  277. DE SA Objection, p. 13 and 16.
  278. DE SA Objection, p. 13-14.
  279. IE SA Composite Response, paragraph 62.
  280. See paragraph 13 above.
  281. IE SA Composite Response, paragraph 63.a.i.
  282. IE SA Composite Response, paragraph 64.b.ii.
  283. IE SA Composite Response, paragraph 64.b.iii.
  284. IE SA Composite Response, paragraph 64.b.i.
  285. IE SA Composite Response, paragraph 64.b.iii. The final position of the IE SA was that of not following the objections as clarified above in paragraph 13.
  286. IE SA Composite Response, paragraphs 62 and 64.c.ii.
  287. IE SA Composite Response, paragraph 64.c.i.
  288. See GDPR, Recital 150; Guidelines on RRO, paragraph 34 and Guidelines on Article 65(1)(a) GDPR, paragraph 91.
  289. DE SA Objection, p. 12-14 and 15-17.
  290. Guidelines on RRO, paragraph 32.
  291. WhatsApp Article 65 Submissions, paragraphs 29 and 30.
  292. DE SA Objection, p. 12-14 and 15-17.
  293. For this reason “WhatsApp Ireland fails to see how this Objection clearly demonstrates the significance of the risks posed by the Composite Draft given that only abstract and unsubstantiated risks have been identified by the German (Federal) SA”. WhatsApp Article 65 Submissions, paragraphs 30.3, 30.6 and 30.7.
  294. WhatsApp considers the reasons set out in the DE SA’s objection as either unsubstantiated in fact, incorrect in law or irrelevant (WhatsApp Article 65 Submissions, paragraphs 29 and 30). The EDPB understands these considerations as arguments on the merits. WhatsApp’s submission does not refute that the DE SA objection alleges risks attached to the draft decision impacting data subjects, suggests specific changes to the draft decision and gives reasons why this is warranted in the DE SA’s view.
  295. DE SA Objection, p. 12-13.
  296. See paragraph 13 above.
  297. IE SA Composite Response, paragraphs 63.a.i. and 65.
  298. Draft Decision, paragraphs 793-794.
  299. Letter dated 1 May 2020 from WhatsApp to the IE SA, in response to the letter dated 24 April 2020 from the IE SA to WhatsApp on the concept of undertaking.
  300. WhatsApp Article 65 Submissions, paragraph 31.2.
  301. WhatsApp Supplemental Draft Submission, paragraphs 18.5 to 18.9 (in particular 18.6.D and 18.7).
  302. Draft Decision, paragraph 779.
  303. Akzo Nobel and Others v. European Commission (Case C-97/08 P, judgment delivered on 10 September 2009), ECLI:EU:C:2009:536, § 58-61.
  304. See inter alia Groupe Gascogne SA v. European Commission (Case C-58/12 P, judgment delivered on 26 November 2013), ECLI:EU:C:2013:770, § 51-56; Eni SpA v. European Commission (Case C-508/11 P, judgment delivered on 8 May 2013), ECLI:EU:C:2013:289, § 109; Siemens Österreich and VA Tech Transmission & Distribution v. European Commission (Joined cases T-122/07 to T-124/07, judgment delivered on 3 March 2011), ECLI:EU:T:2011:70, § 186-187.
  305. Groupe Gascogne SA v. European Commission (Case C-58/12 P, judgment delivered on 26 November 2013), ECLI:EU:C:2013:770, § 52-57.
  306. See paragraph 405 and following.
  307. Draft Decision, paragraph 797.
  308. DE SA Objection, p. 13.
  309. Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty. Article 23(1) of Regulation 1/2003 provides that “The Commission may by decision impose on undertakings and associations of undertakings fines not exceeding 1 % of the total turnover in the preceding business year […]”.
  310. Laufen Austria AG v. European Commission (Case C-637/13 P, judgment delivered on 26 January 2017), ECLI:EU:C:2017:51, § 48; YKK Corporation and Others v. European Commission (Case C-408/12 P, judgment delivered on 4 September 2014), ECLI:EU:C:2014:2153, § 64. The CJEU has ruled that in certain situations the turnover of the year preceding the decision of the European Commission to impose a fine does not provide any useful indication as to the actual economic situation of the undertaking concerned and the appropriate level of fine to impose on that undertaking. In such a situation, the European Commission is entitled to refer to another business year in order to be able to make a correct assessment of the financial resources of that undertaking and to ensure that the fine has a sufficient and proportionate deterrent effect. See 1. garantovaná a.s. v. European Commission (Case C-90/13 P, judgment delivered on 15 May 2014), ECLI:EU:C:2014:326, § 16-17; Britannia Alloys & Chemicals v. European Commission (Case C-76/06 P, judgment delivered on 7 June 2007), ECLI:EU:C:2007:326, § 30.
  311. IE SA Composite Response, paragraph 64.b.i.
  312. IE SA Composite Response, paragraph 64.b.iii. The final position of the IE SA was that of not following the objections as clarified above in paragraph 13.
  313. Article 60(6) GDPR, providing that the LSA and CSA are bound by the draft decision on which they (are deemed to) agree, in any case does not apply to the present situation.
  314. Draft Decision, paragraph 774.
  315. IE SA Composite Response, paragraph 67.
  316. IE SA Composite Response, paragraph 72.
  317. IE SA Composite Response, paragraph 72(b)(i).
  318. IE SA Composite Response, paragraph 72(b)(iv).
  319. IE SA Composite Response, paragraph 72(b)(viii).
  320. IE SA Composite Response, paragraph 72(i)(i).
  321. IE SA Composite Response, paragraph 72(i)(ii).
  322. IE SA Composite Response, paragraph 72(i)(ii).
  323. IE SA Composite Response, paragraph 72(i)(ii).
  324. IE SA Composite Response, paragraph 72(i)(iii).
  325. IE SA Composite Response, paragraph 72(i)(iv).
  326. IE SA Composite Response, paragraph 73.
  327. IE SA Composite Response, paragraph 69.
  328. WhatsApp Article 65 Submissions, paragraphs 34.1-34.11.
  329. See footnote 21 above.
  330. IE SA Composite Response, paragraph 72(b)(i).
  331. IE SA Composite Response, paragraph 72(b)(iv).
  332. Draft Decision, paragraph 774.
  333. Draft Decision, paragraph 747.
  334. WhatsApp Article 65 Submissions, paragraph 35.1.
  335. WhatsApp Article 65 Submissions, paragraph 35.3.
  336. WhatsApp Article 65 Submissions, paragraphs 35.6-35.12.
  337. See, inter alia, Antonio Muñoz y Cia SA, e.a. v. Frumar Ltd e.a. (Case C-253/00, judgment delivered on 17 September 2002) ECLI:EU:C:2002:497, § 28 and the case law cited therein.
  338. Article 29 Working Party, “Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679” (3 October 2017), WP 253, endorsed by the EDPB on 25 May 2018, hereinafter “Guidelines on Administrative Fines”.
  340. Guidelines on Administrative Fines, p. 10.
  339. Draft Decision, paragraphs 649-746.
  340. Draft Decision, paragraphs 649-684.
  341. Draft Decision, paragraphs 652 and 746.a.
  342. Draft Decision, paragraphs 655-657 and 746.a.
  343. Draft Decision, paragraphs 658 and 746.c.
  344. Draft Decision, paragraphs 660-662.
  345. Draft Decision, paragraphs 663-677 and 746.b.
  346. Draft Decision, paragraphs 685-699 and 746.e-g.
  347. Draft Decision, paragraphs 705-711 and 746.h.
  348. Draft Decision, paragraph 731.d.
  349. Draft Decision, paragraph 741.
  350. Draft Decision, paragraph 745.
  351. Any action taken by the controller to mitigate the damage suffered by data subjects, as per Article 83(2)(c) GDPR, is discussed in paragraphs 700-704 of the Draft Decision. Any relevant previous infringements by the controller or processor, as per Article 83(2)(e) GDPR, are discussed in paragraphs 712-714 of the Draft Decision. The degree of cooperation with the supervisory authority, as per Article 83(2)(f) GDPR, is discussed in paragraphs 715-719 of the Draft Decision. The categories of personal data affected by the infringement, as per Article 83(2)(g) GDPR, are discussed in paragraph 720 of the Draft Decision. The manner in which the infringement became known to the supervisory authority, as per Article 83(2)(h) GDPR, is discussed in paragraphs 721-724 of the Draft Decision. Where measures referred to in Article 58(2) GDPR have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures, as per Article 83(2)(i) GDPR, is discussed in paragraphs 725-727 of the Draft Decision. Adherence to approved codes of conduct pursuant to Article 40 GDPR or approved certification mechanisms pursuant to Article 42 GDPR, as per Article 83(2)(j) GDPR, is discussed in paragraphs 728-730 of the Draft Decision. Any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement, as per Article 83(2)(k) GDPR, is discussed in paragraphs 731-745 of the Draft Decision.
  352. Draft Decision, paragraph 748.
  353. Draft Decision, paragraph 749.
  354. Draft Decision, paragraph 750.
  355. Draft Decision, paragraph 750.
  356. Draft Decision, paragraphs 747 and 774.
  357. DE SA Objection, p. 12 and 16.
  358. DE SA Objection, p. 17.
  359. The DE SA’s objection refers to Draft Decision, paragraph 655.
  360. The DE SA’s objection refers to Draft Decision, paragraphs 663 to 677.
  361. HU SA Objection, p. 1.
  362. HU SA Objection, p. 1-2. The HU SA’s objection refers to the Draft Decision, paragraph 731.
  363. The IT SA’s objection also mentions that the IE SA did not explain what percentage of the relevant global turnover the proposed fine corresponds to or on what grounds such percentage was calculated.
  364. See, in particular, Draft Decision paragraphs 687 and 688.
  365. IT SA Objection, section 2.b, p. 11.
  366. IT SA Objection, section 2.b, p. 11.
  367. IE SA Composite Response, paragraph 74.
  368. IE SA Composite Response, paragraph 80.a.
  369. IE SA Composite Response, paragraph 81.a.
  370. IE SA Composite Response, paragraph 81.b.
  371. IE SA Composite Response, paragraph 82.a.
  372. IE SA Composite Response, paragraph 82.a.
  373. IE SA Composite Response, paragraph 86.d.i.
  374. IE SA Composite Response, paragraph 85.b.i.
  375. IE SA Composite Response, paragraph 85.b.i.
  376. IE SA Composite Response, paragraph 95.
  377. IE SA Composite Response, paragraph 95.
  378. IE SA Composite Response, paragraph 84.b.i.
  379. IE SA Composite Response, paragraph 90.a.
  380. IE SA Composite Response, paragraph 96.a.
  381. IE SA Composite Response, paragraph 96.a.
  382. IE SA Composite Response, paragraph 89.b.
  383. IE SA Composite Response, paragraph 89.c.
  384. IE SA Composite Response, paragraph 83.a.
  385. IE SA Composite Response, paragraph 87.b.i.
  386. IE SA Composite Response, paragraphs 87.b.iii and 87.b.iv.
  387. IE SA Composite Response, paragraph 97.a.
  388. IE SA Composite Response, paragraph 95.
  389. IE SA Composite Response, paragraph 85.b.i.
  390. DE SA Objection, p. 12-17.
  391. Guidelines on RRO, paragraph 32.
  392. DE SA Objection, p. 12-17.
  393. WhatsApp IE submitted that the DE SA’s objections (i) raise vague and unsubstantiated concerns and (ii) do not demonstrate a risk to the rights and freedoms of data subjects. WhatsApp IE considers the reasons set out in the DE SA’s objection as either unsubstantiated in fact, incorrect in law or irrelevant (WhatsApp Article 65 Submissions, paragraphs 38.1, 38.2(A) and 38.3(A)). The EDPB understands these considerations as arguments on the merits. WhatsApp IE’s submission does not refute that the DE SA objection alleges risks attached to the draft decision impacting data subjects, suggests a specific change to the draft decision and gives reasons why this is warranted in the DE SA’s view.
  394. Guidelines on RRO, paragraph 17.
  395. Guidelines on RRO, paragraph 37.
  396. HU SA Objection, p. 1-2.
  397. Guidelines on RRO, paragraph 32.
  398. HU SA Objection, p. 1.
  399. HU SA Objection, p. 1-2.
  400. HU SA Objection, p. 5.
  401. Guidelines on RRO, paragraph 32.
  402. HU SA Objection, p. 5-7.
  403. WhatsApp Article 65 Submissions, paragraph 38.1.
  404. WhatsApp states that the HU SA’s objection is premised on assumptions and unsubstantiated allegations towards WhatsApp (WhatsApp Article 65 Submissions, paragraphs 38.2(C) and 38.3(C)), which the EDPB understands as arguments on the merits. WhatsApp’s submission does not refute that the HU SA objection alleges risks attached to the draft decision impacting data subjects, suggests a specific change to the draft decision and succinctly gives reasons why this is warranted in the HU SA’s view.
  405. IT SA Objection, p. 9-12.
  406. Guidelines on RRO, paragraph 32.
  407. IT SA Objection, p. 9-12.
  408. WhatsApp Article 65 Submissions, paragraph 38.1.
  409. WhatsApp considers the reasons set out in the IT SA’s objection as either unsubstantiated in fact, incorrect in law or irrelevant (WhatsApp Article 65 Submissions, paragraphs 38.2(D) and 38.3(D)), which the EDPB understands as arguments on the merits. WhatsApp’s submission does not refute that the IT SA objection alleges risks attached to the draft decision impacting data subjects, suggests a specific change to the draft decision and gives reasons why this is warranted in the IT SA’s view.
  410. The EDPB reiterates that its current decision is without any prejudice to any assessments the EDPB may be called upon to make in other cases, including with the same parties, taking into account the contents of the relevant draft decision and the objections raised by the CSAs.
  411. These objections are those of the HU SA, DE SA, and IT SA.
  412. Recital 150 GDPR.
  413. Guidelines on RRO, paragraph 34.
  414. Guidelines on Administrative Fines, p. 7.
  415. Guidelines on Administrative Fines, p. 12.
  416. Draft Decision, paragraph 685.
  417. Guidelines on Administrative Fines, p. 11, emphasis added.
  418. Guidelines on Administrative Fines, p. 12.
  419. Guidelines on Administrative Fines, p. 12.
  420. The Guidelines on Administrative Fines mention, among the circumstances indicative of negligence, “failure to adopt policies (rather than simply failure to apply them)”. This provides an indication that non-compliance in situations in which the controller or processor should have been aware of the potential breach (in the example provided, due to the lack of the necessary policies) may amount to negligence.
  421. Draft Decision, paragraph 746.e-g.
  422. Draft Decision, paragraphs 619 and 746.e.
  423. Draft Decision, paragraph 746.e.
  424. Draft Decision, paragraph 746.f.
  425. Draft Decision, paragraph 699.
  426. IE SA Composite Response, paragraph 83.a.
  427. WhatsApp Article 65 Submissions, paragraph 38.2.D.
  428. WhatsApp Article 65 Submissions, paragraph 39.10.
  429. WhatsApp Article 65 Submissions, paragraph 39.10.A.
  430. HU SA Objection, p. 1.
  431. WhatsApp Article 65 Submissions, paragraph 38.2.C.1.
  432. WhatsApp Article 65 Submissions, paragraph 39.7.
  433. The Queen, on the application of International Association of Independent Tanker Owners (Intertanko) and Others v Secretary of State for Transport (Case C-308/06, judgment delivered on 3 June 2008), ECLI:EU:C:2008:312, § 77.
  434. Draft Decision, paragraph 700.
  435. Draft Decision, paragraphs 660 and 661.
  436. Draft Decision, paragraph 662.
  437. Draft Decision, paragraph 746.b.
  438. Draft Decision, paragraph 679.
  439. Draft Decision, paragraph 746.a.
  440. Draft Decision, paragraph 746.c.
  441. Draft Decision, paragraph 746.d.
  442. HU SA Objection, p. 5.
  443. HU SA Objection, p. 6.
  444. IE SA Composite Response, paragraph 86.d.i.
  445. WhatsApp Article 65 Submissions, paragraph 43.2.
  446. WhatsApp Article 65 Submissions, paragraph 38.2.C.1.
  447. IE SA Composite Response, paragraph 86.d.
  448. Draft Decision, paragraph 658.
  449. The principle of legal certainty requires that rules of law be clear, precise and predictable in their effect, especially when they may have adverse consequences on individuals and undertakings (see Global Starnet Ltd v. Ministero dell’Economia e delle Finanze and Amministrazione Autonoma Monopoli di Stato (Case C-322/16, judgment delivered on 20 December 2017), ECLI:EU:C:2017:985, § 46 and the case-law cited therein).
  450. Draft Decision, paragraphs 746.c. and 747.
  451. HU SA Objection, p. 6.
  452. In particular, WhatsApp notes that paragraph 495 of the Draft Decision considers that the information provided regarding the rights of data subjects represents a very thorough and comprehensive approach.
  453. WhatsApp Article 65 Submissions, paragraph 39.16.
  454. WhatsApp Article 65 Submissions, paragraph 39.17.
  455. WhatsApp Article 65 Submissions, paragraph 39.14.
  456. Draft Decision, paragraph 746.a.
  457. DE SA Objection, 6.e.
  458. IE SA Composite Response, paragraph 84.
  459. Draft Decision, paragraph 748.
  460. WhatsApp Article 65 Submissions, paragraph 39.28.
  461. Guidelines on Administrative Fines, p. 10.
  462. Draft Decision, paragraph 748.
  463. Draft Decision, paragraph 699.
  464. Draft Decision, paragraph 746.h.
  465. Draft Decision, paragraph 706 (under the heading on Article 83(2)(d) GDPR, “while WhatsApp made some effort to communicate the prescribed information to its users, it made no such effort in the context of non-users”).
  466. In this respect, the EDPB notes the changes announced simultaneously by WhatsApp Inc. and WhatsApp IE.
  467. WhatsApp Article 65 Submissions, paragraph 38(2)(D)(3).
  468. Guidelines on Administrative Fines, p. 6 (emphasis added).
  469. WhatsApp Article 65 Submissions, paragraph 39.31.
  470. WhatsApp Article 65 Submissions, paragraphs 39.49-39.50.
  471. Guidelines on Administrative Fines, p. 6.
  472. Commission Guidelines on the method of setting fines imposed pursuant to Article 23(2)(a) of Regulation No 1/2003, OJ C 210, 1.9.2006, p. 2–5; Lafarge v European Commission, (Case C-413/08 P, judgment delivered 17 June 2010), ECLI:EU:C:2010:346, § 102 and the case law cited therein.
  473. Guidelines on Administrative Fines, p. 6.
  474. See, inter alia, Versalis Spa v European Commission (Case C-511/11, judgment delivered on 13 June 2013), ECLI:EU:C:2013:386, § 94.
  475. See Asociaţia Accept v Consiliul Naţional pentru Combaterea Discriminării (Case C-81/12, judgment delivered on 25 April 2013), ECLI:EU:C:2013:275, § 63.
  476. Marine Harvest ASA v European Commission (Case T-704/14, judgment delivered on 26 October 2017), ECLI:EU:T:2017:753, § 580.
  477. Draft Decision, paragraph 747.
  478. Draft Decision, paragraph 746.h.i.
  479. IE SA Composite Response, paragraph 95.
  480. WhatsApp Article 65 Submissions, paragraphs 39.46-39.47.
  481. WhatsApp Article 65 Submissions, paragraph 39.47.
  482. WhatsApp Article 65 Submissions, paragraph 39.48.
  483. DE SA Objection, p. 17.
  484. WhatsApp Article 65 Submissions, paragraph 2.5 and throughout the submission.
  485. Draft Decision, paragraph 746.
  486. See IT SA Objection, p. 12, which states that the amount of the administrative fine to be imposed should be reconsidered in case the objections pointing to additional infringements were taken on board. Additionally, see the objections raised by the FR SA, PT SA and the NL SA described in paragraph 231 regarding the impact on the corrective measures of treating the lossy hashed data as personal data.

The text corresponds to the original text. Visual changes may however have been made to improve the readability of the document.

Source: edpb.europa.eu.