10 minute read
Review of the Materials being relied upon by WhatsApp
182. In its Response to Investigator’s Questions, WhatsApp advised that it provides users with the information prescribed by Article 13 of the GDPR “via its Privacy Policy … and related pages (which are presented to users when they register to use the Service and are accessible at all times to users thereafter).”
Advertisement
183. WhatsApp provided the Investigator with a copy of the privacy policy (the policy in question bearing a “last modified” date of 24 April 2018) (“the Privacy Policy”) and “related pages” by way of Appendix 2 to its Response to Investigator’s Questions. Appendix 2 was just over 16 pages in length (in the format furnished) and the content is set out by reference to the following main headings:
a. WhatsApp Privacy Policy b. Information We Collect c. How We Use Information d. Information You And We Share e. How We Work With Other Facebook Companies f. Assignment, Change Of Control, And Transfer g. How The General Data Protection Regulation Applies To Our European Region Users h. Managing And Deleting Your Information i. Law And Protection j. Our Global Operations k. Updates To Our Policy l. Contact Information m. How We Process Your Information n. WhatsApp Inc., The EU-US Privacy Shield And The Swiss-US Privacy Shield o. Intellectual Property Policy: Your Copyrights And Trademarks p. Cookies
184. For the sake of completeness, I note that WhatsApp expressly referenced a further document in its
Response to Investigator’s Questions. In response to Question 4, WhatsApp confirmed that it
“identifies the purposes of processing personal data and the legal bases for such processing in the
Privacy Policy and the ‘How We Process Your Information’ notice … ” [emphasis added]. WhatsApp provided the Investigator with a copy of this (undated) notice (“the Legal Basis Notice”) by way of Appendix 4 to its Response to Investigator’s Questions. This document, in the format furnished, was 4.5 pages in length.
Temporal Scope of this Assessment
185. For the avoidance of doubt, the assessments recorded in Parts 2 and 3 of this Decision reflect an assessment of the material relied upon by WhatsApp, as available to the public at the date of commencement of the within inquiry (10 December 2018). I have not had regard to any amendments that might have been made to the material provided in the intervening time, save insofar as those amendments have rendered it unnecessary for me to issue a previously proposed direction to WhatsApp, as regards the remedial action required to address an identified issue that is not directly the subject of any finding (of infringement or otherwise).
How the User accesses and interacts with the Materials provided
186. Adopting the approach taken by the Investigator, I will firstly consider the contents of Appendix 2 and the Legal Basis Notice, both in the format furnished and in the online environment, so as to enable me to consider them from the perspective of the user.
187. App users can access the Privacy Policy via the in-app “settings” options. Within the “settings” options, the Privacy Policy is clearly identified under the “Help” option. Within the “Help” option, the Privacy Policy is again clearly identified under the “Terms and Privacy Policy” option. Once selected, this brings the user to the “WhatsApp Legal Info” page on WhatsApp’s website96 .
188. The ”WhatsApp Legal Info” page provides app users with the following shortcut options:
a. Key Updates [the linked notice is undated] b. Terms of Service [the linked document is identified as “Last modified: April 24, 2018”] c. Privacy Policy [the linked document is identified as “Last modified: April 24, 2018”] d. How We Process Your Information [the linked notice is undated] e. Privacy Shield [the linked notice is undated] f. IP Policy [the linked notice is undated] g. Cookies [the linked notice is undated]
189. The policies and notices listed above are presented in the form of a continuous scroll with one policy/notice running into the next, in the order set out above. For ease of reference, I will refer to this suite of documents as “the Page”.
190. As observed by the Investigator, the shortcut options are set out at the top of the Page with the result that, when the reader scrolls down through the various polices/notices, the shortcut options are no longer visible. I note WhatsApp’s submission, in this regard, that the reader can return to the top of the document by tapping “WhatsApp Legal Info” (which remains at the top of the page throughout).
I agree, however, with the Investigator’s view that this functionality is not immediately obvious to the user and, accordingly, I included a proposed direction, in the Preliminary Draft, requiring WhatsApp to take the action required to ensure that it is clear that the user can return to the top of the Page at any time by tapping “WhatsApp Legal Info”. I note that WhatsApp has since taken the action required to address the substance of my concerns, in this regard, and, accordingly, the proposed direction is no longer required.
191. Web users can access the Privacy Policy by selecting “Privacy” from the list of options set out at the very end of WhatsApp’s landing page97. The linked page contains a link to the Privacy Policy in the section entitled “Data transparency”, located towards the end of the page. This link brings the user directly to the top of the Privacy Policy, as it is located within the scroll of policies and notices on the Page.
192. Like app users, web users are provided with a series of shortcut options, as follows:
a. Key Updates [the linked notice is undated]
96 www.whatsapp.com 97 www.whatsapp.com
b. Terms of Service [the linked document is identified as “Last modified: April 24, 2018”] c. Privacy Policy [the linked document is identified as “Last modified: April 24, 2018”] d. How We Process Your Information [the linked notice is undated] e. Privacy Shield [the linked notice is undated] f. IP Policy [the linked notice is undated] g. Cookies [the linked notice is undated]
193. Unlike app users, however, these shortcut options are located on the right of the Page and remain available to the user as he/she scrolls down the Page. In addition, web users are provided with a series of further shortcut options, in the form of an expanding list that appears when the user clicks on the Privacy Policy shortcut. The expanding list also appears automatically once the user reaches the Privacy Policy on the Page (i.e. the expanding list is presented to the user once he/she accesses the Privacy Policy, regardless of whether or not he/she has actively clicked on the Privacy Policy shortcut). The expanding list of additional shortcuts facilitate immediate access to the following specific sections of the Privacy Policy:
a. Information We Collect b. How We Use Information c. Information You And We Share d. How We Work With Other Facebook Companies e. Assignment, Change of Control, And Transfer f. How The General Data Protection Regulation Applies To Our European Region Users g. Managing And Deleting Your Information h. Law And Protection i. Our Global Operations j. Updates To Our Policy k. Contact Information
194. As set out above, the Privacy Policy and Legal Basis Notice are two of a number of policy documents/notices available under the general heading of “WhatsApp Legal Info”. The policy documents are not presented to the reader as separate documents; they are set out, one immediately following the other, in an unbroken scroll on the Page. As I will detail further below, the Privacy Policy and Legal Basis Notice incorporate reference (by way of a range of different hyperlinks embedded in the text of those documents) to most of the other documents/notices set out on the Page. For this reason, it was relevant for me to also consider the Privacy Policy and Legal Basis Notice from the perspective of their presentation to the user, as part of the Page, as well as the ways in which they interact with each other on the Page.
Presentation of, and Interaction between, the Privacy Policy and the Legal Basis Notice on the Page
195. I note that the Page, when copied into Word document format, runs to approximately 23 pages in length. The various documents and notices that make up the Page, their order of presentation and approximate length (when copied into Word document format, as before), are as follows:
a. Key Updates (approximately 1 page in length - 4% of total Page length) b. Terms of Service (approximately 9 pages in length - 39% of total Page length) c. Privacy Policy (approximately 7 pages in length - 30% of total Page length) d. How We Process Your Information (approximately 3 pages long - 13% of total Page length) e. Privacy Shield (approximately 1 page in length - 4% of total Page length)
f. Intellectual Property Policy (approximately 1.5 pages in length - 7% of total Page length) g. Cookies Policy (approximately 0.5 page in length - 2% of total Page length)
196. In terms of the interaction between the Privacy Policy and Legal Basis Notice, I firstly note that there is no reference whatsoever to the Legal Basis Notice within the Privacy Policy itself. This is surprising, given the significance of the information that the Legal Basis Notice purports to provide to the user. Further, the Privacy Policy only contains a single link to the Legal Basis Notice. This, too, is surprising in circumstances where the Privacy Policy appears to contain multiple links, spread throughout the document, to almost every other cross-referenced document/text. While that single link is contained in the “Our Legal Bases For Processing Information” sub-section of the section entitled “How The
General Data Protection Regulation Applies To Our European Region Users”, the link is embedded in in the text “Learn More”. This is unfortunate given that this section contains a total of five links, the first three of which (embedded in the words “collect”, “use” and “share”) link the user back to earlier sections of the Privacy Policy, while the fourth one (embedded in the word “Terms”) links the user to the Terms of Service with the last one being the “Learn More” link. There is nothing in this arrangement that would suggest, to the user, that the “Learn More” link will contain new and important information about WhatsApp’s processing activities that he/she is entitled to receive.
197. In addition to this, I note that there is no reference whatsoever to the Legal Basis Notice at any point of the user engagement flow, regardless of whether the user engages with that flow as an app or web user. Consequently, a user wishing to access the prescribed information is provided directions by reference to the term “privacy policy” only; he/she has no way of knowing about the existence of the Legal Basis Notice, let alone that it contains some of the core information that he/she is entitled to receive pursuant to Article 13.
198. Turning, finally, to the format in which the Privacy Policy and Legal Basis Notice are presented to the user, I note that they are, respectively, the second and third documents in an overall scroll that comprises seven different policies/notices across a range of matters. Notwithstanding the availability of shortcut links, the Page, once accessed by the user, contains a significant amount of text (as documented above).
199. Considering this arrangement in the context of the obligations arising, Article 13 requires the data controller to “provide” the prescribed information to the data subject. Article 12(1) supports this by requiring the data controller to take “appropriate measures” to “provide” the information in a
“concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”.
200. In effect, Article 12(1) is directed to ensuring, insofar as possible, that the data subject receives the information that is “provided” by the data controller. It does this by reference to the potential barriers that could operate to prevent the information from being received by the data subject. The requirement, for example, for the data controller to use “clear and plain language” when “providing” the information helps to ensure that the data subject is not prevented from receiving the information because he/she could not understand complicated or technical jargon. Similarly, the requirement for the data controller to “provide” the information in a “concise” manner helps to ensure that the data subject is not prevented from receiving the information as a result of information fatigue caused by the incorporation of the information into a long and rambling piece of text.
