EU Member State Courts Rule Against Facebook’s WhatsApp in Decisions Providing Guidance on the Contours of Consent for Data Processing

by Ropes & Gray LLP

WhatsApp has recently faced scrutiny by regulators about data processing consents it purported to obtain from users. Most recently, on March 15, the Spanish data protection authority (“AEPD”) released a decision imposing the maximum fine of €300,000 against Facebook and WhatsApp for processing personal data without consent. The AEPD found that WhatsApp did not receive valid consent to process users’ data, since their continued use of WhatsApp was conditioned on providing such consent and was therefore not freely given. The AEPD also concluded that WhatsApp failed to clearly present information regarding the purposes for processing user data and how such data would be shared. Additionally, on March 14, WhatsApp pledged to cease sharing its United Kingdom users’ data with Facebook until the General Data Protection Regulation (“GDPR”) takes effect, after the UK’s data protection authority, the Information Commissioner’s Office (“ICO”), concluded WhatsApp did not have a lawful basis of processing to share such user data with its parent company. The ICO also found that WhatsApp failed to adequately inform users about how their data was to be shared.

These decisions follow similar holdings in Germany, the latest a March 1 decision from the Higher Administrative Court of Hamburg (the “Court”). Although the decision was made under German law, it provides helpful guidance on the contours of effective consent in a wider European privacy law context, including under the GDPR. Because of its discussion of the notices required to obtain effective consent, this Alert discusses the Court’s decision in greater detail.

Background

The German Federal Data Protection Act (“BDSG”) permits the collection, processing and use of personal data only if a data controller meets certain requirements (the details of which are not relevant here) or if the data subject has consented. Under the BDSG, “effective consent” must be based on a data subject’s “free decision.” Among other things, the data processors must inform data subjects of “the purpose of collection, processing or use and, insofar as the circumstances of the individual case dictate or upon request, of the consequences of withholding consent.” Additionally, the law stipulates that “if consent is to be given together with other written declarations, it shall be made distinguishable in its appearance.” The GDPR, which comes into effect on May 25 of this year, contains similar requirements. Controllers may process data only on the basis of at least one of the conditions enumerated in Article 6(1), one of which is obtaining user consent. Consent is defined in Article 4(11) as any “freely given, specific, informed and unambiguous indication of the data subject’s wishes.”

In September 2016, the Hamburg Data Protection Regulator (the “Regulator”) barred Facebook from collecting and storing personal data of German WhatsApp users who had not given the consent required under Section 4a of the BDSG. Facebook challenged this decision before the Regulator and subsequently applied for interim measures before the Hamburg Administrative Court. Due to the nature of the proceedings, the court conducted a summary examination of the case and largely sided with the Regulator in its order on April 24, 2017. Facebook then brought the case before the Higher Administrative Court of Hamburg. Again, due to the nature of the proceedings, the Court conducted a summary examination of the case, mostly agreeing with the lower court, and ultimately, the Regulator. In its decision on WhatsApp, the Court found that Facebook likely violated BDSG provisions by collecting and storing the personal data of German users of its WhatsApp subsidiary. The Court concluded that Facebook’s consent provisions in notices to its German WhatsApp users about terms of use updates may be insufficient and in violation of the German privacy law. The decision contains guidance that is relevant (though not binding) for data controllers.

WhatsApp’s Failure to Seek Effective Consent

In Germany, the Higher Administrative Court of Hamburg issued a decision carefully analyzing the disclosures made by WhatsApp. WhatsApp had required users to accept its privacy guidelines, which included consents to the processing of user information, in order to continue using the service. The Court found that WhatsApp did not provide its users with the opportunity to give effective consent to data processing as required under Section 4a of the BDSG. The Court explained that such requirements ensure that data subjects are not agreeing to items “hidden in the small print”—data subjects must understand the circumstances under which they consent to the processing of their data and what the consequences of their decisions are.

In Facebook’s case, the Court found that WhatsApp fell short on providing effective consent to data processing in the notice it provided to users regarding terms of use and data privacy guidelines updates, for several reasons:

  • It was not clear to average users that, by clicking the hyperlink to “agree” to WhatsApp’s updated terms of use and data privacy guidelines, they would also be consenting to the processing of their data. The Court found it misleading that the text[1] before and after this hyperlink did not itself refer to data processing. Rather, the surrounding language communicated that WhatsApp’s data protection guidelines were being updated and referred users to those guidelines. Users were asked to agree to the guidelines to continue using WhatsApp but were not told that by agreeing they were consenting to the processing of their data.
  • When seeking user consent, WhatsApp explained that it had updated its terms of use and “data protection guidelines.” To the Court, the language was misleading because it suggested the update was designed to “protect” users’ data—when in fact, WhatsApp was seeking consent to process their data.
  • The link to “opt out” of agreeing to the update notice was unclear and not made distinguishable, and the notice’s statement that “independent of this setting [i.e., opting out], your chats and phone numbers are not shared on Facebook” was misleading to users.

In light of this guidance, companies relying on consent as a basis for processing should consider whether they are providing adequate notice to users to receive effective consent. Considerations may include whether the text immediately surrounding any consent button or link itself alerts users to expected processing activities and whether opt-outs are sufficiently clear and distinguishable from other text or features.

No Back-Up Bases for Processing after Seeking User Consent

One additional question the Court addressed, of interest to companies seeking to comply with the European privacy regime, is whether Facebook could rely on another basis for processing even if consent is subsequently invalidated. As discussed, under the BDSG (and the impending GDPR), each data processing activity (including data collection and sharing) must be based on the consent of the data subject or some other legal basis. In the Court’s assessment, if a company’s bases for processing user data for a particular purpose include both consent and processing “prescribed by a legal provision,” and the consent later turns out to be invalid, it is “at the very least doubtful” that a company could rely on its other claimed legal basis for the same processing activity. The Court reasoned that the act of seeking data subjects’ consent will lead them to believe they have the power and ability to avoid the respective processing of their data. That analysis appears in line with guidance issued by the Article 29 Data Protection Working Party for the GDPR, which has explained that a controller cannot fall back on another basis of processing for a particular purpose if the consent it sought for that same purpose is later determined to be invalid.


[1] The full text of the surrounding language read: “WhatsApp is updating its terms of use and its data protection guideline in order to account for new functions, like WhatsApp Call. Read our terms of use and data protection guidelines and learn more about your choices. Please agree to the terms of use and the data protection guideline by 25 September 2016 in order to continue using WhatsApp.”

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ropes & Gray LLP | Attorney Advertising
