Inquiry into WhatsApp Ireland Ltd. - January 2023

Section: Decisions made under Data Protection Act 2018
In the matter of the General Data Protection Regulation
DPC Inquiry Reference: IN-18-5-6
In the matter of JG, a complainant, concerning a complaint directed against WhatsApp Ireland Limited
in respect of the WhatsApp Service
Decision of the Data Protection Commission made pursuant to Section 113 of the Data Protection Act,
2018 and Articles 60 and 65 of the General Data Protection Regulation
Further to a complaint-based inquiry commenced pursuant to Section 110 of the Data Protection Act
2018
DECISION
Decision-Maker for the Commission:
Helen Dixon
________________________________
Commissioner for Data Protection
Dated the 12th day of January 2023
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, Ireland
1. INTRODUCTION AND PROCEDURAL BACKGROUND
PURPOSE OF THIS DOCUMENT
1.1 This document is a decision (“the Decision”) of the Data Protection Commission (“the
Commission”), made in accordance with Section 113 of the Data Protection Act 2018 (“the 2018
Act”), arising from an inquiry conducted by the Commission, pursuant to Section 110 of the 2018
Act (“the Inquiry”).
1.2 The Inquiry, which commenced on 20 August 2018, examined whether WhatsApp Ireland Limited
(“WhatsApp”) complied with its obligations under the EU General Data Protection Regulation
(Regulation (EU) 2016/679 of the European Parliament and of the Council) (“the GDPR”) in respect
of the subject matter of a complaint made by Mrs. J.G. (“the Complainant”). The complaint was
referred to the Commission by the Hamburg Data Protection Authority: Der Hamburgische
Beauftragte für Datenschutz und Informationsfreiheit (“the Hamburg DPA”) on 25 May 2018 (“the
Complaint”). The Hamburg DPA subsequently passed the Complaint to the German Federal Data
Protection Authority, the relevant national authority: Bundesbeauftragter für den Datenschutz
und die Informationsfreiheit (“the German Federal DPA”). The Complainant is at all times
represented by noyb European center for digital rights.
1.3 This Decision further reflects the binding decision that was made by the European Data Protection
Board (the “EDPB” or, otherwise, the “Board”), pursuant to Article 65(2) of the GDPR1 (the
“Article 65 Decision”), which directed changes to certain of the positions reflected in the draft
decision that was presented by the Commission for the purposes of Article 60 GDPR (“the Draft
Decision”) as detailed further below. The Article 65 Decision will be published on the website of
the EDPB, in accordance with Article 65(5) of the GDPR, and a copy of same is attached at Schedule
2 to this Decision.
1.4 Further details of procedural matters are set out in Schedule 1 to this Decision.
2. FACTUAL BACKGROUND AND THE COMPLAINT
FACTUAL BACKGROUND
2.1 WhatsApp is an online instant messaging platform. In order to access the WhatsApp service, a
prospective user must create a WhatsApp account. To create a WhatsApp account, a prospective
user is required to accept a series of terms and conditions, referred to by WhatsApp as its Terms
of Service (the “Terms of Service”). When a prospective user accepts the Terms of Service, the
terms contained therein constitute a contract between the (new) user and WhatsApp. It is only
on acceptance of the Terms of Service that the individual becomes a registered WhatsApp user.
1 Binding Decision 5/2022 on the dispute submitted by the Irish SA on WhatsApp Ireland Limited, adopted 5
December 2022
2.2 In April 2018, WhatsApp updated the Terms of Service to give effect to changes it sought to
implement to comply with the obligations which would arise when the GDPR became applicable
from 25 May 2018. Obligations introduced by the GDPR include, inter alia, a requirement that
organisations processing personal data have a lawful basis for any such processing. Legal bases
provided for in the GDPR include consent of the data subject, necessity based on the requirement
to fulfil a contract with the data subject or processing based on the legitimate interests of the
data controller. In addition, such organisations are required to provide detailed information to
users at the time personal data is obtained in relation to the purposes of any data processing and
the legal basis for any such processing. In essence, there must be a legal basis for each processing
operation or sets of operations (of personal data) and there are transparency requirements in
respect of the communication of such information to individual users.
2.3 To continue to access the WhatsApp service, all users were required to accept the updated Terms
of Service prior to 25 May 2018. The updated Terms of Service were brought to the attention of
existing users by way of a series of information notices and options, referred to as an
“engagement flow” or “user flow”. The engagement flow was designed to guide users through
the process of accepting the updated Terms of Service; the option to accept the updated
terms was presented to users at the final stage of the engagement flow. As referenced in the
full text of the Terms of Service, a separate Privacy Policy provides information to users on
WhatsApp’s processing of personal data in respect of the service.
2.4 Existing users were not provided with an opportunity to disagree and continue to use the service,
to copy their account, or to delete their account. The only available choice was to accept the
Terms of Service, stop using the app or uninstall the app. 2
2.5 Figure 2.1 below is a screenshot of the final stage of the “engagement flow” which brought an
existing user, the Complainant, through the process of accepting the updated Terms of Service.
The screenshot is in German; an English translation can be found below.
2 Complaint, paragraph 1.4.
