It’s looking increasingly like Europe’s privacy protectors are losing patience with Ireland’s data protection authority over its failure to enforce the tough General Data Protection Regulation (GDPR) against Big Tech.
On Tuesday, the data protection watchdog in the German city-state of Hamburg decided it would push to block WhatsApp-to-Facebook data transfers anyway, at least on German soil, before the mid-May deadline when the terms change.
The Hamburg authority—each German state has a privacy regulator, whereas other EU countries have only a national authority—initiated the GDPR’s seldom-used urgency procedure to “protect the rights and freedoms of German users.” It said it feared the changes would allow WhatsApp to “expand data transfers with Facebook for marketing purposes and direct advertising,” on top of the data sharing that already takes place for security and product improvement.
Under the GDPR’s urgency procedure, the Hamburg watchdog should be able to issue an immediately enforceable order blocking Facebook’s further absorption of WhatsApp user data. The order could last for only three months, though the European Data Protection Board—an umbrella body for the EU’s privacy watchdogs—could decide to extend or supplement it.
“WhatsApp is now used by almost 60 million people in Germany and is by far the most widely used social media application, even ahead of Facebook,” Johannes Caspar, the Hamburg data protection commissioner, said in a Tuesday statement. “It is therefore all the more important to ensure that the high number of users, which makes the service attractive to many people, does not lead to an abusive exploitation of data power.”
Then he appeared to twist the knife into his Irish counterpart, Helen Dixon.
“Unfortunately, up to now there has been no supervisory review of the actual processing operations between WhatsApp and Facebook that we are aware of,” Caspar said. “Currently, there is reason to believe that the provisions that will enable and expand the sharing of data between WhatsApp and Facebook will be unlawfully enforced due to the lack of voluntary and informed consent.”
WhatsApp/Facebook strongly disputes this interpretation of the looming changes.
“To be clear, by accepting WhatsApp’s updated terms of service, users are not agreeing to any expansion in our ability to share data with Facebook,” a spokesperson said in an emailed statement. “Facebook is reviewing the correspondence it has received from the Hamburg DPA and will address their misunderstandings around the purpose and effect of the update.”
The spokesperson insisted the changes relate specifically to circumstances in which Facebook handles WhatsApp interactions between businesses and their customers, saying, “While Facebook will not automatically use messages to inform the ads that a user sees, as is always the case, businesses will be able to use chats they receive for their own marketing purposes, which may include advertising on Facebook.”
This isn’t the first time the Hamburg authority has tried to bypass the under-resourced Irish regulator by invoking the GDPR’s urgency procedure. In 2019, it initiated the procedure in an attempt to stop Google using human reviewers to listen to snippets of Google Assistant users’ audio commands—the threat alone proved sufficient, and Google suspended the practice in Europe.
However, the watchdog’s WhatsApp move comes at a time when continental exasperation with Irish inaction is bubbling to the surface.
The GDPR came into effect in May 2018. But in the intervening three years, the Irish DPC has cracked down only once on Big Tech, fining Twitter a modest €450,000 ($548,000) last December over a data breach. For the last couple of years, observers have been expecting the agency to hit WhatsApp with a big GDPR fine over its failure to give people enough information about how it uses their personal data, but that case is still limping toward a conclusion.
In March, the German federal data protection commissioner Ulrich Kelber complained to members of the European Parliament that his country had sent the Irish DPC more than 50 complaints about WhatsApp alone, and not a single case had been closed.
Kelber accused Dixon’s office of “extremely slow case handling, which falls significantly behind the case handling progress of most EU and especially German supervisors.”
Around the same time, the European Parliament’s civil liberties committee also asked the European Commission to launch an infringement procedure against the Irish DPC for failing to properly enforce the GDPR. That was specifically referring to Austrian lawyer Max Schrems’ epic battle to get the Irish regulator to block Facebook’s data transfers from the EU to the U.S.
It’s worth noting that when Schrems and his Noyb data protection nonprofit earlier this month filed a complaint against Google with the French privacy authority, it did so under the EU’s old e-Privacy Directive rather than the GDPR—this route may lead to a lower fine than would be possible under the GDPR, but it guarantees that the French watchdog handles the case rather than passing it to the Irish DPC.
Dixon’s office had not responded to a request for comment at the time of publication on the Hamburg authority’s latest move.
Clarification, April 13, 2021: This article has been updated to note that the WhatsApp changes specifically relate to interactions between businesses and their customers, and to include further comment from WhatsApp’s spokesperson.