eskisehir termal otel ankara evden eve nakliyat Antika mobilya alanlar
Tech News

WhatsApp beaten for processing data without a legal basis under EU GDPR • TechCrunch

Another bill has come in for Meta for non-compliance with the European Union’s General Data Protection Regulation (GDPR) – but this is a tiddler! Meta’s messaging platform, WhatsApp, has been fined €5.5 million (just under $6 million) by the tech giant’s leading data protection regulator in the region for lacking a legal basis for certain types processing of personal data.

In December, Meta’s main regulator, the Irish Data Protection Commission (DPC), was instructed to make a final decision on this complaint (which dates from May 2018) – via a binding decision by the European Data Protection Board (EDPB) — along with two other complaints, against Facebook and Instagram.

Those two final decisions came out of the DPC earlier this month, when it announced a total of €310 million in fines; and gave Meta three months to find a valid legal basis for processing those ads. But while the last few GDPR decisions addressed the lack of a valid legal basis for Meta to process user data to run behavioral advertising (a.k.a. its core business model), Ireland’s WhatsApp decision appears to have addressed the issue of the legality of processing completely bypassed ads — since its investigation focused on the legal basis Meta claimed for “service improvements” and “security.”

Here, Meta had tried (similarly) to rely on a claim of contractual necessity – but Ireland has now found (via EDPB order) that it cannot.

The DPC has given WhatsApp six months to put these data processing purposes in order. This means it needs to find a way to lawfully process the data (perhaps asking users if they consent to such purposes and not processing their data if they don’t).

But the regulator has simply refused to respond to a parallel EDPB instruction telling the DPC to investigate whether WhatsApp processes user (meta)data for advertising. And this has led to new cries, by the original complainant, about yet another sting from the much-criticized Irish regulator.

In a press release, nightthe not-for-profit privacy rights behind the original strategic complaints don’t pull a fist – arguing that Ireland is essentially putting the finger on the EDPB on this issue.

“We are amazed how the DPC simply ignores the core of the matter after a 4.5-year procedure. The DPC is also clearly ignoring the EDPB’s binding decision. It appears that the DPC is finally cutting all ties with EU partner authorities and with the requirements of the EU and Irish law,” said Honorary President, Max Schrems, in a typically pithy and pithy statement.

While the content of messages on WhatsApp is end-to-end encrypted — meaning that, assuming you’re relying on Meta’s implementation of the Signal protocol, this information should be protected from prying eyes — the social media giant can still share insights about users collect through their WhatsApp metadata (aka: who is talking to whom, how often etc.) – and also by connecting the dot and users to accounts and public (or otherwise non-E2EE digital activity) through other services it owns (and possibly third party services it’s riddled with tracking technologies)… So basically Meta’s data collection net is long (and wide).

That means questions could certainly be raised about how it might process WhatsApp users’ data for marketing purposes – and what legal basis it should rely on for such processing.

WhatsApp users may remember the major controversy that started in 2021 – when the platform announced an update to its terms and conditions that users had to accept in order to continue using the service. It was not clear what exactly changed in the updated terms. But whatever the matter, Meta certainly didn’t give WhatsApp users a free choice on the matter! And while regulatory attention to that issue led to what appeared to be a minor climb by Meta, which stopped sending aggressive popups demanding EU users to agree (or leave), the entire episode led to widespread confusion about what exactly it was doing with WhatsApp user data (and how it was doing it, legally speaking).

The episode also sparked some consumer protection complaints. Last summer, the European Commission gave the company a month to resolve confusing terms and conditions and “clearly inform” consumers about its business model.

None of the confusion and distrust surrounding WhatsApp’s terms and conditions was helped by a much earlier turnaround in syncing user data with Facebook – when the platform reversed a founder’s promise to never cross those streams. In short, it’s a mess – and a mess that Europe’s regulators can’t claim to have cleaned up.

But despite all the ongoing confusion and privacy concerns, the DPC seems spectacularly uninterested in taking a close look at how WhatsApp processes user data for advertising.

“The DPC has now limited the 4.5-year procedure to the minor issues of the legal basis for using data for security purposes and for service improvement,” writes noyb, accusing the regulator of missing this important part of its complaint. creature to ignore. “The DPC thereby ignores the main issues of sharing WhatsApp data with Meta’s other companies (Facebook and Instagram) for advertising and other purposes.”

The DPCs press release announcing its final decision almost completely avoids mentioning behavior-based ads — until the finale, when the phrase pops up. But only because it quotes the EDPB’s instruction – to conduct a new investigation into “WhatsApp IEs [Ireland’s] processing activities in its service to determine whether it processes special categories of personal data (Article 9 GDPR), processes data for behavioral advertising, for marketing purposes, as well as for providing statistics to third parties and exchanging data with affiliated companies for service improvements and to determine whether they comply with the relevant obligations under the GDPR.”

Ireland thus had a chance to grab the nettle on behalf of WhatsApp users and monitor the data streams to get a clear picture of what Meta’s ownership of the E2EE messaging platform really means for user privacy. (And remember, Meta’s behavioral ad targeting empire currently has no legal basis for processing ads on Facebook and Instagram in the EU.)

But instead of continuing to investigate WhatsApp’s data processing, the Irish regulator has opted to instruct its lawyers to challenge the EDPB’s binding decision and seek to have it annulled in court.

To update: Meta has now responded to the DPC decision by sending us this statement, attributed to a WhatsApp spokesperson, confirming that it will appeal:

WhatsApp has led the industry in private messaging by providing end-to-end encryption and layers of privacy that keep people safe. We strongly believe that the way the service works is both technically and legally sound. We rely on contractual necessity for service improvement and security purposes, as we believe helping to keep people safe and providing an innovative product is a fundamental responsibility when performing our service. We disagree with the decision and are appealing.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button
Close
Close
Bolu escort gümüshane escort istanbul escort Kamagra Levitra Novagra Geciktirici