One-Two Punch: Lessons from the Irish DPC’s WhatsApp Decision

2023 continues to be a busy year for European data protection authorities. Following its release of the Irish Data Protection Commission’s (DPC’s) binding decisions in cases against Facebook and Instagram, the European Data Protection Board (EDPB) published on January 24 the DPC’s final binding decision concerning another popular Meta offering, the messaging application WhatsApp, which imposed a €5.5 million fine on the company.

Like the Facebook and Instagram cases, the WhatsApp case arose from a complaint regarding the legal basis for certain of WhatsApp’s personal data processing operations. Among other issues, the complainant argued that WhatsApp improperly relied on “performance of a contract” as the legal basis for processing of user data undertaken for “service improvements and safety and security.”

This post explores that aspect of the WhatsApp decision, and the lessons it holds for controllers subject to GDPR who seek to rely on “performance of a contract” as the legal basis to process personal data.

“Necessary” for performance of a contract means processing that is objectively necessary, and not just useful, to performance of the contract.

Article 6(1)(b) provides that “[p]rocessing shall be lawful only if and to the extent that . . . processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.”

The DPC initially took the view that the service WhatsApp provides “includes, and indeed appears to be premised on, the provision of a service that includes service improvement and security,” and that those aspects of the service were “central to the bargain struck between users and their chosen service provider, and form[] part of the contract concluded at the point at which users accept the Terms of Service.”

Following objections by a number of Concerned Supervisory Authorities, however, the DPC ultimately accepted the EDPB’s much narrower view of the scope of the contract between WhatsApp and its users. Under that view, “necessity” excludes processing undertaken in pursuit of the “possibility of improvements of services routinely included in contractual terms.” Instead, for processing to be “necessary,” it must be “objectively necessary for the performance of the contract with the user.” As emphasized by the EDPB in its analysis, which was adopted by the DPC in its decision, Article 6(1)(b) is not applicable to processing that is useful to, but not necessary for, performing the specific contract between the parties. This is the case even where such processing may be necessary for the controller’s other business purposes.

The DPC’s decision thus emphasizes the need for controllers to carefully evaluate whether the processing is truly “necessary” to perform a contract with a user or whether realistic and less intrusive alternatives are available. That emphasis aligns with the EDPB’s Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects, which opined that processing activities under Article 6(1)(b) have to be objectively necessary for the “particular contract with the data subject.” Those guidelines further explained that those who rely on Article 6(1)(b) to process personal data should be able to demonstrate “how the main subject-matter of the specific contract with the data subject cannot, as a matter of fact, be performed if the specific processing of the personal data in question does not occur.”

Fulsome explanations are needed; bare-bones or vague descriptions won’t cut it to support a contractual purpose.

Whether a controller can justify the necessity of its processing of personal data by reference to a contractual purpose depends on both the controller’s perspective and the “reasonable data subject’s perspective when entering into the contract.” As such, the DPC’s decision also considered in some detail the question of whether the identification of “improvements to the service” and “safety and security” as processing purposes in the contract between the parties was sufficiently detailed to support the processing of users’ personal data.

The DPC initially took the position that improvements to WhatsApp’s existing service and the maintenance of security standards were a core component of the “substance and fundamental object of the contract.” It also noted with approval the fact that such information was “clearly set out, publicly available and understandable by any reasonable user,” rendering it “difficult to argue that this is not part of the mutual expectations of a prospective user and of WhatsApp.” In the final binding decision, however, the DPC determined that more was required.

To that end, the final binding decision concluded that WhatsApp’s references to “safety and security,” and protecting against “misuse,” “harmful conduct,” and activities that would violate WhatsApp’s Terms of Service as purposes for its processing were too vague to justify that processing under Article 6(1)(b). Similarly, the decision explained, a brief reference to processing for “service improvement” was insufficient to allow a reasonable WhatsApp user to expect their personal data to be processed for that purpose. Without more detail, the DPC concluded, an average user of the platform would not be able to “fully grasp what is meant by processing for service improvement and security features, be aware of its consequences and impact on their rights to privacy and data protection, and reasonably expect it” based on WhatsApp’s Terms of Service.

As with the Facebook and Instagram decisions, the DPC’s WhatsApp decision thus puts controllers in a difficult position: on the one hand, they must provide detailed and granular descriptions of processing activities that the controller contends are necessary for the performance of a contract; on the other, they must also ensure that an average user can “fully grasp” the information. Controllers should thus consider whether text-based privacy policies can strike the appropriate balance between those potentially conflicting aims, or whether resort to more creative methods of conveying that information is necessary.

* * * *

As with the Facebook and Instagram decisions, Meta has indicated that it intends to appeal the DPC’s decision. In the meantime, if you would like help assessing your organization’s processing activities in the wake of that decision, please reach out to any member of our team.