Identified Legal Basis 3: Legitimate Interests

What information has been provided?

350. In this section, I examine whether there has been compliance with Article 13(1)(c), insofar as WhatsApp refers to reliance on the legal basis set out in Article 6(1)(f) (legitimate interests). In this regard, the Legal Basis Notice provides the following information:

“The other legal bases we rely on in certain instances when processing your data are: …

Our legitimate interests or the legitimate interests of a third party, where not outweighed by your interests or fundamental rights and freedoms ("legitimate interests"):

For people under the age of majority (under 18, in most EU countries) who have a limited ability to enter into an enforceable contract only, we may be unable to process personal data on the grounds of contractual necessity. Nevertheless, when such a person uses our Services, it is in our legitimate interests:

• To provide, improve, customize, and support our Services as described in Our Services;
• To promote safety and security; and
• To communicate with you, for example, on Service-related issues.

The legitimate interests we rely on for this processing are:

• To create, provide, support, and maintain innovative Services and features that enable people under the age of majority to express themselves, communicate, discover, and engage with information and businesses relevant to their interests, build community, and utilize tools and features that promote their well-being;
• To secure our platform and network, verify accounts and activity, combat harmful conduct, detect and prevent spam and other bad experiences, and keep our Services and all of the Facebook Company Products free of harmful or inappropriate content, and investigate suspicious activity or violations of our terms or policies and to protect the safety of people under the age of majority, including to prevent exploitation or other harms to which such individuals may be particularly vulnerable.

For all people, including those under the age of majority:

• For providing measurement, analytics, and other business services where we are processing data as a controller. The legitimate interests we rely on for this processing are:
  o To provide accurate and reliable reporting to businesses and other partners, to ensure accurate pricing and statistics on performance, and to demonstrate the value our partners realise using our Services; and
  o In the interests of businesses and other partners to help them understand their customers and improve their businesses, validate our pricing models, and evaluate the effectiveness and distribution of their services and messages, and understand how people interact with them on our Services.

• For providing marketing communications to you. The legitimate interests we rely on for this processing are:
  o To promote Facebook Company Products and issue direct marketing.

• To share information with others including law enforcement and to respond to legal requests. See our Privacy Policy under Law and Protection for more information. The legitimate interests we rely on for this processing are:
  o To prevent and address fraud, unauthorised use of the Facebook Company Products, violations of our terms and policies, or other harmful or illegal activity; to protect ourselves (including our rights, property or Products), our users or others, including as part of investigations or regulatory inquiries; or to prevent death or imminent bodily harm.

• To share information with the Facebook Companies to promote safety and security. See our Privacy Policy under "How We Work with Other Facebook Companies" for more information. The legitimate interests we rely on for this processing are:
  o To secure systems and fight spam, threats, abuse, or infringement activities and promote safety and security across the Facebook Company Products.”

351. The text contains a number of embedded links which, when selected, bring the user to the following text/information:

a. The “Our Services” section of the Terms of Service (which has further links to the “Facebook Companies” and the “Privacy Policy”);

b. An “article”, hosted on Facebook’s website, entitled “Facebook Company Products” (containing further links to other relevant/related “articles”, on Facebook’s website);

c. The “Law And Protection” section of the Privacy Policy;

d. The “How We Work With Other Facebook Companies” section of the Privacy Policy, with a further link to a Frequently Asked Question (“FAQ”) on this topic (“the Facebook FAQ141”);

e. An “article”, hosted on Facebook’s website, entitled “Facebook Companies” (containing further links to other relevant/related “articles”, on Facebook’s website).

How has the information been provided?

352. The information has been provided largely by way of the relevant section of the Legal Basis Notice with links to a number of other documents and texts. As before, the approach taken is somewhat disjointed (albeit to a lesser degree than the contractual necessity section). As before, it is unclear why the summary of core data uses referenced under the section that addresses those users under the age of majority could not have been prepared by reference to the contents of the “Our Services” section of the Terms of Service, with more detailed information being made available by way of a link (if a layered approach is WhatsApp’s preferred approach to the delivery of the required information).

Assessment of Decision-Maker

353. As before, the information provided under this heading gives rise to concern, from the perspective of the quality of information that has been provided as well as the way in which it has been provided.

Quality of information provided

141 Available at https://faq.whatsapp.com/general/26000112/?eea=1 (the “Facebook FAQ”)

354. It seems to me that insufficient detail has been provided in relation to the processing operations that will be grounded upon the legitimate interests basis. Further, it is not possible to identify what categories of personal data will be processed for those processing operations that will be grounded upon this legal basis.

The way in which information has been provided

355. The information has been furnished in a piecemeal fashion that requires the user to link in and out of various different sections of the Privacy Policy as well as the Terms of Service and a comprehensive FAQ entitled “How we work with the Facebook Companies”142 (available by way of a link from the linked “How We Work With Other Facebook Companies” section of the Privacy Policy). As before, this results in a situation whereby, even if the user actively seeks out the additional information that is available by way of the various links, he/she is presented with variations of information previously furnished. The way in which the information has been spread out and included in similarly worded tranches of text means that any new elements available within a linked text could easily be overlooked by the user due to the simultaneous overlap and discrepancies between various portions of text dealing with the same / similar issues in different locations. This is unnecessary and could easily be alleviated by adopting a concise approach to the delivery of the relevant information.

356. As before, there is no single composite text or layered route available to the user such as would allow the user to quickly and easily understand the full extent of processing operations that will be conducted on his/her personal data in reliance on the legitimate interests legal basis. Each additional layer presents the user with similar information to that already provided as well as new elements that are not easy to detect. The user should not have to work hard to access the prescribed information; nor should he/she be left wondering if they have exhausted all available sources of information and nor should he/she have to try to reconcile discrepancies between the various pieces of information given in different locations.

357. I also note, in this regard, that the Terms of Service appears to contradict the information set out in the Legal Basis Notice, in relation to reliance on the legitimate interests basis for processing the personal data of users who have not attained the age of majority. The Legal Basis Notice states, in this regard, that the legitimate interests basis will ground processing operations in cases where the user concerned has a limited ability to enter into an enforceable contract. The Terms of Service, however, provides, in the “About Our Services” section, that:

“Age. If you live in a country in the European Region, you must be at least 16 years old to use our Services or such greater age required in your country to register for or use our Services. … . In addition to being of the minimum required age to use our Services under applicable law, if you are not old enough to have authority to agree to our Terms in your country, your parent or guardian must agree to our Terms on your behalf.” [emphasis added]

358. Thus, while the information provided suggests that inability to enter into a contract might mean that WhatsApp will not be able to rely on the contract legal basis for any consequent processing of personal data, the Terms of Service clearly require a contract to be entered into, if necessary, by a parent or guardian acting on behalf of the user concerned. This appears to be somewhat of a contradiction in terms.

142 Available at https://faq.whatsapp.com/general/26000112/?eea=1 (the “Facebook FAQ”)

359. Further, the bullet point summary of processing operations set out under this legitimate interests heading includes three of the four operations listed under the contractual necessity heading. If it is the case that the legitimate interests basis will form the basis for processing in the case of those under the age of majority, it is unclear why reference to “the transmission, storage and processing of data outside of the EEA” has been omitted from this summary list.

360. I further note that a number of the objectives set out in the general body of the legitimate interests section have already been included in the contractual necessity section. Similarly, by incorporating a link to the “Law And Protection” section, this indicates that the legitimate interests basis will form the basis for any processing set out in this text, including for the purpose of “[responding] pursuant to applicable law or regulations, to legal process, or to government requests”. The same issue arises in relation to the incorporation of a link to the “How We Work With Other Facebook Companies” section of the Privacy Policy. I note, in this regard, that such processing has also been included under the contractual necessity heading. This state of affairs leaves the user unable to identify which legal basis is being relied upon when processing his/her personal data for any required processing activities.

WhatsApp’s Response to Assessment of Decision-Maker

361. WhatsApp, by way of the Preliminary Draft Submissions, confirmed its disagreement with the above assessment, submitting that the provision of additional information through links “does not undermine the information made available in the Legal Basis Notice but rather helps the user better understand the Service and how a data subject’s information will be used. A reduction of information or removing convenient hyperlinks to relevant information would have the effect of reducing overall user understanding and control of the Service, to the detriment of users143”.

362. In relation to my observation that “a number of the objectives set out in the general body of the legitimate interests section have already been included in the contractual necessity section … This state of affairs leaves the user unable to identify which legal basis is being relied upon …”, WhatsApp’s position is that it “has designed the Legal Basis Notice in this manner, as depending on the circumstances, more than one legal basis for processing may be applicable to processing pursuing the same objective. … WhatsApp is being transparent about the fact that it relies on different legal bases in different circumstances, and does not consider this should be a point of criticism144.”

363. As before, it is clear that WhatsApp and I fundamentally disagree as to my assessment of the information provided by WhatsApp under this heading. I have already set out, above, the reasons why I consider the information provided to be insufficient, in terms of quality and manner of delivery. That assessment already takes account of the matters raised by WhatsApp in the Preliminary Draft Submissions and my concerns remain, in this regard, notwithstanding WhatsApp’s perspective on matters. I remain particularly concerned about the position whereby the data subject is unable to identify, from the information provided, which legal basis is being relied upon to support what particular processing operation.

143 The Preliminary Draft Submissions, paragraph 7.14

144 The Preliminary Draft Submissions, paragraph 7.16
