WhatsApp Ireland Limited (WhatsApp) has changed the legal basis that it relies on to process personal data to improve its service (including understanding how users interact with the service), and to protect users (including to identify abusive behaviour). WhatsApp, the Meta-owned platform, previously relied on the ‘performance of a contract’ lawful basis for these activities but has reconsidered its approach.
What’s the reason for this change?
Under Article 6 of the GDPR, organisations processing personal data must have a legal basis to do so. There are six available but, here, two are in the spotlight:
- processing is necessary for the performance of a contract to which the data subject is a party (or to take steps at the request of the data subject prior to entering into a contract) – the ‘performance of a contract’ lawful basis; and
- processing is necessary for the purposes of the legitimate interests pursued by the controller – the ‘legitimate interests’ lawful basis.
WhatsApp relied on ‘performance of a contract’ for the processing activities in question (see further below), because it considered the processing to be necessary to deliver the WhatsApp service to end users.
However, in January 2023, the Irish Data Protection Commission (IDPC) fined WhatsApp €5.5 million for (amongst other things) incorrectly relying on that legal basis (a similar, more eye-watering fine was also issued to Meta Ireland Limited in respect of its Facebook and Instagram platforms – for more information see our article). In interpreting whether WhatsApp may rely on ‘performance of a contract’, the IDPC (following a determination by the European Data Protection Board (EDPB)) said that the processing must be necessary to fulfil the “clearly stated and understood objectives or “core” of the contract”. The EDPB’s reasoning is quoted below:
“The question is therefore not what is necessary to fulfil the objectives of “messaging service” in a general sense, but what is necessary to fulfil the core functions of the particular contract between WhatsApp and WhatsApp users… it is therefore necessary to consider the contract itself… the term “contract” does not necessarily refer to the entirety of the (written) agreement… the correct approach is to examine the actual bargain which has been struck between the parties and determine the core function of the contract by reference to this. Therefore, the inclusion of a term which does not relate to the core function of the contract could not be considered necessary for its performance.”
WhatsApp was given six months to bring its processing into compliance.
What exactly has changed?
WhatsApp now relies on legitimate interests, rather than performance of a contract, for the following processing activities:
- to improve the WhatsApp service (e.g. developing new features or updating existing features, including undertaking experiments to evaluate the impact of new features, or inviting users to take surveys or provide feedback); and
- for some safety, integrity and security related processing activities – such as identifying, analysing and investigating suspicious, harmful or fraudulent behaviour (e.g. scams), and ensuring that community or group names, descriptions or profile pictures comply with WhatsApp’s terms and policies.
It’s also important to note, contrary to some reports, that not all security related processing activities will be based on WhatsApp’s legitimate interests. WhatsApp will continue to rely on performance of a contract to ensure the safety, security and integrity of its Services (including, amongst other things, addressing violations of its Terms, to “combat scraping” and to “prevent spam”).
It’s also noteworthy that the changes only apply to processing caught by the EU GDPR; the changes do not apply for the purposes of the UK GDPR, where WhatsApp will continue to rely on the ‘performance of a contract’ ground for these activities.
When considering whether to rely on legitimate interests, those interests must be balanced against, and not override, the rights of users.
The CJEU recently found (in Case C-252/21) that WhatsApp’s parent company, Meta, was not able to rely on legitimate interests for certain advertising-related processing activities. However, central to that CJEU decision was that the processing activities would not be within the “reasonable expectations” of users and would have a “significant impact” on users (read more in our article here).
Arguably, these ‘service improvement’ and ‘safety, security and integrity’ processing operations by WhatsApp are less privacy-intrusive and, therefore, it is less likely that a similar determination would be made for these activities (although of course it remains to be seen whether there will be any challenges).
However, the IDPC decision (and the CJEU judgment) clearly demonstrates that the ‘performance of a contract’ lawful basis will be construed narrowly, which will not be welcome news to controllers given (1) the legitimate interest assessment (balancing exercise) that needs to be undertaken if relying on legitimate interests; and (2) the high threshold set by the GDPR for establishing valid consent (and the even higher threshold for establishing ‘explicit’ consent where special category data is concerned). Whatever lawful basis is relied on, it will be important to ensure (and document) that the requirements of that lawful basis (as set out in guidance) are met before committing to it, and to communicate the lawful basis clearly to users via privacy policies.
Finally, it’s interesting that WhatsApp has decided to maintain the status quo in relation to UK users – we assume because WhatsApp anticipates that the ICO may take a more lenient approach to assessing whether processing activities are ‘necessary’ for the performance of a contract.