Confusion about updates to the terms and conditions of Facebook-owned chat platform WhatsApp has arisen due to interference by the Data Protection Agency of Italy.
The Italian GPDP said it has approached the European Data Protection Board (EDPB) to express concern about the lack of clear information about what changes are taking place under the upcoming T&C today.
In recent weeks WhatsApp has been alerting users to accept the new T&C to continue using the service after 8 February.
A similar warning on the updated terms has also raised concerns in India – where a petition was filed today Accusing the new terms in the Delhi High Court is a violation of the fundamental rights of users’ privacy and is a threat to national security.
In its notification Website The Italian agency writes that it believes it is not possible for WhatsApp users to understand the changes that are being introduced under the new terms, nor “understand clearly that data processing is actually due on February 8 The latter will be done by the messaging service. “
Under EU law, the General Data Protection Regulation (GDPR) requires consent to be a valid legal basis for processing personal data to properly convey to users about each specific use and to ensure that Their data has been processed for each purpose.
The Italian agency said that it reserves the right to intervene “as urgency” to enforce EU laws on protecting users and protecting personal data.
We have reached EDPB with questions about GPDP interference. The role of the steering body usually acts as a liaison between EU DPAs. But it also issues guidance on the interpretation of EU law and may step in to cast a decisive vote in cases where there is disagreement over EU cross-border investigations.
earlier this week Turkey’s antitrust officials also announced they were investigating WhatsApp’s updated T&CS – objecting to what they claimed was differences in how much data would be shared with Facebook under new terms in Europe and outside is.
On Monday, Ireland’s Data Protection Commission – which is WhatsApp’s lead data regulator in the EU – told us that the messaging app has given it a commitment, with EU users not affected by any widespread changes in data-sharing practices. So Facebook’s principal regulator in the EU has not objected to the new WhatsApp T&C.
WhatsApp itself has claimed that under this update there has been no change in the way its data is shared anywhere around the world.
Apparently there is a communication failure somewhere along the chain – which justifies the Italian objection to the lack of clarity in the words of the new T&CS.
Reached for comment on GDPD intervention, a WhatsApp spokesperson told us:
How the Italian agency can intervene on WhatsApp T&C is an interesting question. (And, in fact, we’ve reached GPDP with questions.)
The GDPR’s one-stop-shop mechanism means that cross-border complaints are funneled through the lead data supervisor where a company’s main regional base (Ireland in the case of WhatsApp). But as noted above, Ireland has said thus – this is not a problem with WhatsApp’s updated T&C.
Under GDPR, however, other DPAs have powers to act with their own bat when they believe there is a pressing risk to users’ data.
As in 2019, When the Hamburg DPA ordered Google to cease manual review of snippets of Google Assistant users’ audio (which it was reviewing as part of the grading program).
In that case Hamburg made Google aware of its intention to use the GDPR’s Article 66 powers – which order a national agency to stop data processing if it believes “protecting the rights and freedoms of data subjects” There is an urgent need to act for “” – causing Google to immediately suspend human reviews across Europe.
The tech giant later revised how the program operated. The Hamburg DPA did not even need it Use Article 66 – The mere threat of an order to stop the processing was enough.
Some 1.5 years later and there are signs from several EU data protection agencies – outside of some major jurisdictions that oversee the lion’s share of big technology – get frustrated By perceived regulatory inaction against big technology.
There may therefore be an increased desire among these agencies to resort to their own creative processes to protect citizens’ data. (And it’s certainly interesting that France’s CNIL recently slapped Amazon and Google with large fines on cookie consent – Working under the e-Privacy Directive, which excludes GDPR-style one-stop-shop mechanisms.)
Related news in Week, An opinion by an adviser to the European Union’s top court also responds to concerns over GDPR enforcement barriers.
In opinion Advocate General Bobek put forward his views The legislation allows national DPAs to bring their proceedings under certain circumstances – including adopting or intervening “immediate measures” to follow the “Lead Data Protection Authority in which a decision has not been made to handle a case.”
The CJEU’s decision on that matter is still pending, but the court aligns with the position of its advisors, so it looks like we’ll see increased data protection enforcement activity across the board from the EU DPA in the coming years, Instead they keep on waiting. For some DPAs to issue all major decisions.