On 15 July 2021, the European Data Protection Board (the EDPB) issued a press release concerning its first urgent binding decision adopted under Article 66(2) GDPR (the Decision) in response to a request of the Hamburg Commissioner for Data Protection and Freedom of Information (the Hamburg Commissioner) in the Facebook/WhatsApp case. The Decision is an important step in the application of the GDPR and provides practical insights into the functioning of the one-stop-shop mechanism.
Under the GDPR one-stop-shop mechanism, the Irish Data Protection Commission (the Irish DPC) is “lead supervisory authority” in relation to cross-border data processing by Facebook Ireland Ltd (Facebook) and WhatsApp Ireland Ltd (WhatsApp) in the EU. The Hamburg Commissioner is one of the supervisory authorities concerned (CSAs). On 10 May 2021, the Hamburg Commissioner had imposed a provisional ban on Facebook’s processing of personal data relating to users of WhatsApp in Germany for its own purposes, following an update of WhatsApp’s privacy policy and terms of service. Article 66 GDPR permits, in exceptional circumstances, a supervisory authority to derogate from the GDPR consistency mechanisms for a maximum period of three months and to adopt immediately provisional measures where the authority believes that urgent action is required to protect the rights and freedoms of data subjects within its jurisdiction. The supervisory authority must inform without delay the EDPB, the European Commission and any other CSAs about the adoption of those measures.
The Hamburg Commissioner requested the EDPB on 7 June 2021 to issue an urgent binding decision to require the adoption of binding final measures across the EU. The EDPB stated in its Decision that there was insufficient evidence to demonstrate an infringement requiring urgent intervention, particularly given that the issues in consideration existed in previous versions of the terms and conditions. The Hamburg Commissioner also did not demonstrate that the Irish DPC failed to provide information in the context of a formal request for mutual assistance under Article 61 GDPR.
Further, the EDPB noted its concerns about several matters raised by the Hamburg Commissioner, including combination of data by Facebook, WhatsApp and the Facebook Companies, the intended use of WhatApp business API and the lack of clarity and transparency in WhatsApp’s user-facing information. The EDPB concluded that many of these aspects are currently subject to the one-stop-shop procedure led by the Irish DPC, and this procedure is in its final stages.
The EDPB acknowledged that a number of issues require prompt investigation by the Irish DPC and appropriate action. The EDPB asked the Irish DPC to look, as a matter of priority, into several matters.
The Hamburg Commissioner responded to the Decision by stating that it was “disappointing”, questioning whether the response of the Irish DPC and the EDPB was sufficient given the gravity of the issues it had sought to address with its provisional ban.
The EDPB press release is available here, the Decision is available here and the Hamburg Commissioner’s response is available here (in German only).
