Ireland’s data watchdog has been asked to investigate data processes between Facebook and WhatsApp.
A binding decision adopted by the European Data Protection Board (EDPB) has requested that the Irish Data Protection Commission (DPC) conduct an investigation into Facebook Ireland.
The decision was taken following a case taken by the data protection authority for the German state of Hamburg. In May, the Hamburg Commissioner for Data Protection and Freedom of Information temporarily banned Facebook Ireland from processing personal data from WhatsApp for its own purposes.
The Hamburg authority also brought the case to the European Data Protection Board in pursuit of an EU-wide ban.
While the EDPB decided that an immediate widespread ban was not necessary in this case, it has requested that the Irish Data Protection Commission carries out a statutory investigation into Facebook Ireland “as a matter of priority”.
It made this decision “considering the high likelihood of infringements” on the handling of data between WhatsApp Ireland and other Facebook companies.
In its own investigation into the matter, the EDPB said that it found “contradictions, ambiguities and uncertainties” between WhatsApp’s user-facing information and written commitments from both Facebook and WhatsApp. Because of this, the body has been unable to determine “which processing operations are actually being carried out and in which capacity” between these entities.
The EDPB recommended that the matter requires “swift further investigations” to clarify the data processing activities between WhatsApp and other Facebook companies and determine if they have a legal basis under GDPR. The EU body also requested that the Irish DPC investigate whether Facebook Ireland acts as a data processor or a data controller with respect to these operations.
The Irish DPC, the Hamburg commissioner, Facebook Ireland and WhatsApp Ireland have been informed of this decision.
The request will add to a number of Big Tech investigations already ongoing at the DPC. The agency’s annual report for 2020 revealed that 14 of its 27 cross-border investigations related to Facebook, WhatsApp or Instagram.
The recent focus on WhatsApp stems from recent changes to its terms of service and privacy policy, which were rolled out in May. Users received repeated messages and had their use of the app limited until they accepted these new terms.
The EDPB decision comes just days after the European Consumer Organisation (BEUC) and eight of its member groups submitted a formal complaint against WhatsApp to the EU Commission and the European network of consumer authorities.
This complaint claims that WhatsApp “failed to explain in plain and intelligible language the nature of the changes” to its terms of service.
In January, WhatsApp said the new terms would not expand the amount of data it shares with Facebook, which acquired the service in 2014 for more than $19bn.
Roll-out of the messaging service’s new privacy policy has been put on hold in India, pending the enactment of a new data protection law and the outcome of several legal probes at state and federal levels.