Newsletter
by Thomas Nygren and Fredrik Steen
The privacy policy is one of the most important documents to have in place under the General Data Protection Regulation ("GDPR"). From it, data subjects learn what processing the controller carries out, what rights they have and how to exercise those rights to hold the controller accountable. Failure to live up to the transparency requirements of the GDPR may be costly, and a recent decision by the Irish supervisory authority (the Data Protection Commission, henceforth the "DPC") indicates that many companies may be failing at it unknowingly. On 20 August 2021, the DPC imposed an administrative fine of 225 million euro on WhatsApp Ireland Limited ("WhatsApp") for not fulfilling its transparency obligations under the GDPR.
The principle of transparency is enshrined in GDPR article 5.1 (a), and from it stem the controller's obligations to inform data subjects about its processing, set out in GDPR articles 12 to 14. Of these, article 12 lays down how the information is to be provided, article 13 dictates the information to be provided when personal data is collected directly from the data subject, and article 14 dictates the information to be provided when personal data is obtained from other sources. WhatsApp was found to have infringed all three articles. In the following we review the WhatsApp decision in relation to GDPR article 13.
The DPC's decision was reviewed by the European Data Protection Board ("EDPB") and is subject to a binding decision from it. It can therefore serve as guidance as to what is expected of companies in relation to their transparency obligations, or rather, what exactly must be communicated to data subjects in a privacy policy.
II.i Information about the purposes and legal basis of processing and pursued legitimate interests
Pursuant to GDPR article 13.1 (c), the controller must provide data subjects with information about the purposes of the processing and its legal basis. GDPR article 6 sets out six legal bases for processing personal data, and WhatsApp was found lacking in transparency in relation to all of them.
Pursuant to the DPC's decision, a controller must identify and specify which categories of personal data and which processing operations rely on any given legal basis, as well as the purpose of that processing. The information must be provided in a way that tells data subjects which processing operations use which categories of data and on which legal basis each processing operation rests. Otherwise the information would not be specific or concrete enough to enable data subjects to hold the controller accountable for the processing, which would undermine the principle of transparency. In other words, the purpose, legal basis, processing operations and categories of personal data must not be presented separately from each other (e.g., under separate sections of the policy). A data subject must be able to clearly understand the purpose of each processing operation, which categories of data are concerned and which legal basis the operation relies on.
Fulfilling these requirements means providing the reader with a lot of information. WhatsApp objected that providing such an amount of information would cause the reader information fatigue and thereby in itself undermine transparency. The DPC answered simply that this is not the case if the text is written in a clear and accessible way. The DPC also implicitly recommended the use of tables, particularly where an information requirement comprises a number of linked elements, such as the information required under GDPR article 13.1 (c).
In addition, when a controller relies on its legitimate interests or on a legal obligation to process personal data, the privacy policy should, for each processing operation, specify each individual legitimate interest relied on or the relevant EU or member state law giving rise to the obligation to process the data. It is not sufficient merely to state that data is processed on the basis of the controller's legitimate interests or legal obligations. A data subject must be told which interests or legal obligations are at hand in order to hold the controller accountable for the processing. At the same time, the DPC underlined the importance of concision in providing the required information, stating that its importance cannot be overstated.
II.ii Information on data retention
WhatsApp was further found to be in breach of article 13.2 (a), which requires controllers to inform data subjects of the period for which personal data will be stored or, if that is not possible, the criteria used to determine that period.
The DPC notes that information provided under the GDPR's transparency provisions should be meaningful to the data subject. For retention periods, this means that a data subject should be able to understand the basis for any retention of data, for instance by way of practical examples of how the retention criteria affect the retention period. A controller must therefore state whether certain information will be retained and explain if and how retained records are disassociated from personal identifiers.
Most critically, this places a heavier information duty on controllers that retain personal data after the provision of services to, or contact with, the data subject has ceased. It is not sufficient to state that personal data may be kept as required by law. Instead, retention periods should be explained by way of specific examples that clarify how the period for retention is calculated.
II.iii Transparency when transferring personal data to third countries (GDPR article 13.1 (f))
Since the Schrems II decision and the revised standard contractual clauses, third country transfers have been on everyone's radar. The DPC decision now further develops the requirements for transfers of personal data outside the EU/EEA, this time from a transparency viewpoint.
WhatsApp, like many of its contemporaries, informed data subjects about third country transfers with wording along the lines of "any transfers of personal data to countries outside the EU/EEA, including the US, are made in accordance with the EU-approved standard contractual clauses, an adequacy decision or other safeguards as applicable". According to the DPC decision, this is not sufficient.
When relying on an adequacy decision for a transfer of personal data, the DPC writes that a controller should identify the country of transfer, provided that this information enables the data subject to receive transparent and meaningful information about the transfers. The DPC does not elaborate on the situations in which naming the country would not provide such information. It does state, however, that even if the receiving countries are not specified, the controller must find another way to enable data subjects to access information about the specific adequacy decision supporting the transfer in question.
The DPC decision thus makes it clear that in most cases it is incumbent on the controller to inform data subjects clearly of the country of transfer, or otherwise to find a way to inform them of the specific adequacy decision supporting the transfer in question.
When transferring personal data on the basis of a safeguard other than an adequacy decision, the controller must be able to provide data subjects with detailed information about the safeguards used to protect the personal data. This includes, for example, being able to provide the data subject with the standard contractual clauses entered into for the transfer in question. Furthermore, the DPC quotes the Article 29 Working Party's Transparency Guidelines[1], which state that the third countries should be named so that the information provided is as meaningful as possible to data subjects.
Lastly, but not least, a controller must specify the categories of personal data that will be transferred, if need be on a transfer-by-transfer basis, so that the data subject can hold the controller accountable in relation to the transfer mechanism relied on.
WhatsApp's privacy policy contained links to various other documents, requiring the reader to navigate in and out of different sections of the privacy policy as well as the terms of service and an FAQ. These scattered sections contained passages worded in similar ways, and the DPC took the view that any new element in a linked text could easily be overlooked by the reader because of the simultaneous overlap and discrepancies between the various passages dealing with similar issues in different locations, with no single clear thread to follow. According to the DPC, this layout did not enable the reader to easily understand and digest the information and was therefore not sufficiently clear to fulfil the transparency obligations.
The decision underlines the importance of a clear logic and thread to follow in a privacy policy, so as not to confuse or overwhelm the reader. The text must be clear, concise and easily understandable, while also being specific enough to allow the reader to take steps to hold the controller accountable for the processing.
It should also be noted that as the burden of providing information increases, e.g., as a consequence of the DPC's clarifications of the GDPR, the presentation of that information becomes paramount. The obligation to provide specific and useful information to data subjects means that more information will have to be provided than many privacy policies contain today. This in turn makes brevity, clarity and presentation more important than ever.
More active supervisory authorities, increasing administrative fines, and heightened interest and knowledge among individuals all indicate that it is becoming increasingly important to achieve, and continuously review, compliance with the GDPR.
The DPC's decision against WhatsApp has highlighted the national supervisory authorities' strict requirements when it comes to transparency. In summary, a privacy policy should clearly explain to the reader which processing operations are undertaken on which categories of personal data and which legal basis is relied upon. This information cannot be presented separately or disjointedly if the reader is to be able to exercise their rights. The requirement of clarity applies to all information provided in the policy, and controllers should review their privacy policies to ensure that they are clear and concrete enough to enable readers to understand the processing conducted.
The core of the DPC's decision against WhatsApp is that a privacy policy should not furnish the reader with generic or sweeping information; instead the information should, for each processing operation, be concrete and meaningful to the data subject, even if that means giving more information. Controllers must tread a fine line between providing the required detail and not causing information fatigue or confusion. A controller unable to give this information risks running afoul of its transparency obligations and may face an administrative fine of up to 20 million euro or 4% of the undertaking's total worldwide annual turnover of the preceding financial year, whichever is higher.
[1] Article 29 Working Party, Guidelines on transparency under Regulation 2016/679, as last revised and adopted on 11 April 2018 (17/EN WP260 rev.01) (“the Transparency Guidelines”)