Excerpt
The Irish DPC held WhatsApp liable for failing to provide non-users with the necessary information and for making information difficult to access by spreading it excessively across several documents.
Our analysis
WhatsApp came under investigation by the DPC in December 2018 after several individuals lodged complaints about its data processing activities. The DPC's investigation revealed that WhatsApp had violated several laws regarding data protection transparency. Firstly, WhatsApp failed to provide non-users with the necessary information prescribed by Article 14 GDPR, which denied them their right to exercise control over their personal data. This violation involved the use of hidden information, as WhatsApp did not disclose the necessary details to non-users.
Secondly, WhatsApp violated Article 13 GDPR by not providing users with sufficiently meaningful information regarding every category of information. This violation involved obstruction, as the information provided by WhatsApp was difficult to access, excessively spread out across several documents, and contained overlapping but slightly different information. The DPC determined that WhatsApp did not comply with its transparency obligations under the GDPR, which resulted in users being unable to adequately consider and exercise their data rights.
Moreover, WhatsApp did not identify the legal basis for each processing activity, as required by Article 13(1)(c) of the GDPR. Additionally, with respect to transfers of personal data to non-EEA jurisdictions, the DPC found that WhatsApp's statement that transfers "may" rely on adequacy determinations was insufficient to comply with Article 13(1)(f) of the GDPR. WhatsApp should have definitively identified whether or not an adequacy decision existed to support the transfer of specific categories of data.
Outcome
The DPC applied several corrective measures to address the violations committed by WhatsApp: a reprimand under Article 58(2)(b), an order to bring processing operations into compliance within three months under Article 58(2)(d), and an administrative fine of €225,000,000 under Articles 58(2)(i) and 83. The fine was made up of four separate fines, one for each violation: €90,000,000 for the infringement of Article 5(1)(a) of the GDPR, €30,000,000 for the infringement of Article 12 of the GDPR, €30,000,000 for the infringement of Article 13 of the GDPR, and €75,000,000 for the infringement of Article 14 of the GDPR.
Parties
Irish DPC (Data Protection Commission) and WhatsApp Ireland Limited
Case number
Press Release - 2nd September 2021
Decision
Related deceptive patterns
Obstruction is a type of deceptive pattern that deliberately creates obstacles or roadblocks in the user's path, making it more difficult for them to complete a desired task or take a certain action. It is used to exhaust users and make them give up, when their goals are contrary to the business's revenue or growth objectives. It is also sometimes used to soften up users in preparation for a bigger deception. When users are frustrated or fatigued, they become more susceptible to manipulation.
Sneaking involves intentionally withholding or obscuring information that is relevant to the user (e.g. additional costs or unwanted consequences), often in order to manipulate them into taking an action they would not otherwise choose.
Related laws
Requires personal data to be processed lawfully, fairly, and transparently.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Controllers must provide identity, contact details, processing purposes and legal basis, recipient information, retention period, and data subject rights when collecting personal data.
Specifies required information for data subjects when collecting personal data from other sources, including controller identity, processing purposes, personal data categories, recipients, and retention period.
Empowers supervisory authorities to carry out investigations and order controllers and processors to comply with the regulation.