Assessment: Article 13(1)(c) – the purposes of the processing for which the personal data are intended as well as the legal basis for the processing

Required Information and WhatsApp’s Response to Investigator’s Questions

257. Article 13(1)(c) requires a data controller to provide the data subject with “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing.”

258. In its Response to Investigator’s Questions, WhatsApp confirmed, by reference to question 4, that:

“[WhatsApp] identifies the purposes of processing personal data and the legal bases for such processing in the Privacy Policy and the ‘How We Process Your Information’ notice …”

The Investigator’s Proposed Finding, WhatsApp’s Inquiry Submissions and the Investigator’s Conclusion

259. The Investigator set out her views on the extent to which WhatsApp complied with its obligations under this heading by reference to Proposed Findings 5, 6, 7 and 9.

260. By reference to Proposed Finding 5, the Investigator expressed the view that the information provided in the “Our Legal Bases for Processing Information” section of the Privacy Policy was insufficient to demonstrate WhatsApp’s compliance with Article 13(1)(c) “as a first layer of information”. In addition, the Investigator expressed the view that:

a. The information provided by the data controller, pursuant to Article 13(1)(c), “should link the processing activity and the legal basis relied on by the data controller”. The Investigator was of the view that this approach was consistent with the wording of Article 13(1)(c) and the views of the Working Party, as set out in the Transparency Guidelines.

b. The Investigator was further of the view that the information should be provided by reference to a processing “operation” or “set of operations”, in accordance with the definition of “processing” set out in Article 4(2) and the provisions of Recital 60.

261. WhatsApp disagreed with the Investigator’s views, in this regard. It submitted that the GDPR does not require the precise legal bases being relied upon to be set out in the first layer of information [114]. WhatsApp further submitted [115] that the GDPR “does not require the separate disclosure of the legal basis for each and every processing operation.”

262. The Investigator was unconvinced by WhatsApp’s submissions and confirmed, firstly, that she remained of the view that references to “processing” should be understood as being references to a processing “operation” or “set of operations”. By reference to that approach, the Investigator confirmed her view (by way of Conclusion 5) that the information provided under the sub-heading “Our Legal Bases for Processing Information” was insufficient to demonstrate WhatsApp’s compliance with Article 13(1)(c) of the GDPR, as a first layer of information.

[114] The Inquiry Submissions, paragraph 7.3

[115] The Inquiry Submissions, paragraph 7.7

263. By reference to Proposed Finding 6, the Investigator set out her concerns in relation to the information that was provided to the user in relation to processing grounded on the contractual necessity basis (Article 6(1)(b)). She proposed a finding that “the disjointed manner in which the information is provided to data subjects regarding legal bases for processing of personal data, and the lack of clarity regarding the link between the purposes of processing and what the processing entails, is not in line with the requirements of Articles 12(1) and 13(1)(c) of the GDPR.” The Investigator expressed the view, in this regard that:

“requiring a data subject to access four different locations from a second layer of information within a Privacy Policy, in order for that data subject to access all the requisite information to fully understand the purposes of the processing of their personal data, is not in line with the requirement set out in Article 12(1) of the GDPR for the information to be clear and intelligible.”

264. WhatsApp disagreed with the Investigator’s views, in this regard. It submitted [116] that:

“Despite the assertions to the contrary in paragraph 162 of the Draft Report, users need only consult the “Our Services” section of the Terms of Service to understand the service provided under the contract. In reaching the view that users have to review the Terms of Service in their entirety, the [Investigator] has ignored the explicit statement in the “How We Process Your Information” notice that “We describe the contractual services for which this data processing is necessary in Our Services section of the Terms” (emphasis added).”

265. WhatsApp further submitted [117] that “the “core data uses necessary to provide [the WhatsApp] contractual services” are specifically identified and listed in four bullet points in the contractual necessity section of the “How We Process Your Information” notice” and that “(t)hese four bullet points summarise in a clear and concise manner the processing that is necessary for the performance of the contract …”.

266. The Investigator was unconvinced by WhatsApp’s submissions, in this regard. She remained of the view that information concerning the purposes of processing and the legal basis for that processing should be linked in order for the provisions of Article 13(1)(c) to be satisfied. The Investigator concluded (by way of Conclusion 6) that the “disjointed manner in which the information is provided to data subjects regarding legal bases for processing of personal data, and the lack of clarity regarding the link between the purposes of processing and what that processing entails, is not in line with the requirements of Articles 12(1) and 13(1)(c) of the GDPR.”

267. While the Investigator considered the section of the Legal Basis Notice that provided information concerning reliance on consent as a legal basis, she did not propose or confirm any particular finding or conclusion on this issue. She confirmed, however, that she was satisfied that the relevant section of the Legal Basis Notice was “sufficiently clear to comply with Article 13(1)(c) of the GDPR, albeit at the second layer of information, without the clear overview of the purposes of the processing, which [the Investigator believed] necessary at the first layer”.

[116] The Inquiry Submissions, paragraph 8.4

[117] The Inquiry Submissions, paragraphs 8.5 and 8.6

268. By reference to Proposed Finding 7, the Investigator set out her views in relation to the information that had been provided in relation to processing grounded on the legal obligations basis (Article 6(1)(c)). The Investigator proposed a finding, under this heading, that WhatsApp failed to satisfy the requirements of Articles 12(1) and 13(1)(c) on the basis that:

a. The overview provided in the legal obligation section of the Legal Basis Notice, and the further information set out in the “Law And Protection” section of the Privacy Policy, did not provide the data subject with sufficient information about the extent to which WhatsApp relies upon this basis to ground the processing of personal data;

b. Further, the “broad and non-specific language utilised” in the “Law And Protection” section of the Privacy Policy did not provide clarity on the purposes for which any data are processed.

269. WhatsApp disagreed with the Investigator’s views, submitting [118] that:

“… it is made clear to users that where law requires WhatsApp to process data in a certain way (for example, in response to a search warrant from An Garda Síochána), it relies on the legal obligation legal basis. Applying the correct legal standard, WhatsApp has both set out the purpose of processing (when the law requires it) and legal basis (compliance with a legal obligation), in this first sentence, as required by Article 13(1)(c).”

270. WhatsApp further submitted [119] that:

“The “Law and Protection” section of the Privacy Policy … intentionally (and appropriately) describes processing which is broader than processing permitted on the basis of a legal obligation. For example, the “How We Process Your Information” notice also makes clear that WhatsApp relies on legitimate interests to “share information with others including law enforcement and to respond to legal requests” and this section of the fly-out also links to the “Law and Protection” part of the Privacy Policy. At no point does the “Law and Protection” section of the Privacy Policy purport to claim that WhatsApp only relies on a legal obligation to process personal data for these law and protection purposes.

Finally, the Draft Report ignores the fact that, in light of the sensitive and often complicated processing that occurs in this area on the one hand, and the variety of legal reasons giving rise to a need to process personal data on the other, it is impossible to provide a full and fully nuanced descriptive account to users in respect of such processing without overloading them with information. For example, it would not be possible to provide further specificity in this section with regard to the multitude of circumstances in which WhatsApp will be required to assist law enforcement.”

271. The Investigator was unconvinced by WhatsApp’s submissions, in this regard. She remained of the view that, as a result of the “broad and non-specific language utilised, the information provided in the “Law and Protection” section of the Privacy Policy leaves the user uncertain as to the circumstances in which WhatsApp will rely upon this legal basis for processing his/her personal data”. The Investigator confirmed her view, by way of Conclusion 7, that WhatsApp was “not compliant with the requirements of Articles 12 and 13(1)(c) in relation to the information that it sets out pertaining to its legal basis for processing of personal data of compliance with a legal obligation.”

[118] The Inquiry Submissions, paragraph 9.1

[119] The Inquiry Submissions, paragraphs 9.2 and 9.3