European Union: Issued DPC ruling in investigation into WhatsApp's delivery of services compliance with GDPR including EUR 5.5 million fine

On 12 January 2022, the Data Protection Commission Ireland (DPC) adopted its final decision in the investigation into WhatsApp's delivery of services compliance with the General Data Protection Regulation (GDPR), issuing a EUR 5.5 million fine. The DPC ordered WhatsApp to change its data processing operations to comply with the GDPR in a maximum of six months. The DPC opened an investigation after receiving a complaint from a German data subject on 25 May 2018. The complaint stated that when GDPR was implemented, WhatsApp required its users to "agree and continue" to its updated Terms of Service to use its services. WhatsApp argued that the users, by accepting the terms, entered into a contract with the company, offering a lawful basis for processing users' data. The users that would not accept the updated Terms of Service could not access WhatsApp. The complaint contested the use of contract as a legal basis for processing data and argued that WhatsApp was asking for users' consent as a basis for legal processing of data and claimed that by restricting access, it was "forcing" users to consent to the processing of their personal data. In its ruling, the DPC adopted the binding decision of the European Data Protection Board (EDPB) and stated that WhatsApp cannot rely on contract as a legal basis for the processing of personal data to deliver its services. The DPC found that WhatsApp personal data processing until now was in violation of the lawfulness of processing requirements under GDPR. Finally, the DPC noted that in its decision, the EDPB asked for a new investigation into WhatsApp processing of sensitive personal data for the purpose of advertising compliance with GDPR. The DPC stated that it will contest the EDPB direction before the Court of Justice of the European Union.