Identified Legal Basis 4: Compliance with a Legal Obligation

What information has been provided?

364. In this section, I examine whether there has been compliance with Article 13(1)(c), insofar as WhatsApp refers to reliance on the legal basis set out in Article 6(1)(c) (compliance with a legal obligation). In this regard, the Legal Basis Notice provides the following information under this heading:

“The other legal bases we rely on in certain instances when processing your data are: … For processing data when the law requires it, including, for example, if there is a valid legal request for certain data. See our Privacy Policy under Law and Protection for more information.”

365. The “Law And Protection” section of the Privacy Policy further provides as follows:

“Law And Protection We collect, use, preserve, and share your information if we have a good-faith belief that it is reasonably necessary to: (a) respond pursuant to applicable law or regulations, to legal process, or to government requests; (b) enforce our Terms and any other applicable terms and policies, including for investigations of potential violations; (c) detect, investigate, prevent, and address fraud and other illegal activity, security, or technical issues; or (d) protect the rights, property, and safety of our users, WhatsApp, the Facebook Companies, or others, including to prevent death or imminent bodily harm.”

How has the information been provided?

366. The information has been provided by way of a short statement in the body of the Legal Basis Notice with a link to a short text in the “Law And Protection” section of the Privacy Policy, as referred to above.

Assessment of Decision-Maker

Quality of information provided

367. I note that the “Law And Protection” section has already been incorporated, by way of a link, into the legitimate interests section. In these circumstances, its incorporation into the “legal obligations” section is a source of potential confusion for the user. I further note that, while the “Law And Protection” section identifies some processing operations (“collect”, “preserve” and “share”), it is not clear what processing operations might be covered by the umbrella term “use”. Further, and while I acknowledge that the processing that might be necessitated in the circumstances covered by this heading is largely dependent on the occurrence of certain events, the user should be provided with some indication as to what categories of personal data might be processed under this heading.

368. I note, in this regard, that there is information available elsewhere on the WhatsApp website that might assist the user to understand how and why his/her personal data might be processed under this heading. There are links within the Privacy Policy (embedded in text such as “end-to-end encrypted”) that link the user to WhatsApp’s “End-to-end encryption” FAQ[145]. There are a series of further links within that document, including one that links to an “Information for Law Enforcement Authorities” FAQ[146]. While I note that this document does not appear to be directed to EEA users (given that it only references WhatsApp, Inc., rather than WhatsApp), it provides useful information about the circumstances in which WhatsApp might have to share information with law enforcement authorities. Given the requirement for the data controller to provide “meaningful” information to the data subject, I recommend that consideration is given to a more direct incorporation of this document (with appropriate references to WhatsApp) or, at the very least, the incorporation of similar information, into the Privacy Policy (insofar as the information proffered in that document might be applicable).

[145] Available at https://faq.whatsapp.com/en/general/28030015

369. I am further of the view that, where WhatsApp intends to ground a processing operation on this legal basis, it should also identify the “European Union law or Member State law” giving rise to the obligation for WhatsApp to process data.

The way in which information has been provided

370. The requirements of Article 12(1) are clear in that any prescribed information must be provided in a “concise, transparent, intelligible and easily accessible form, using clear and plain language …”. The information that has been provided by WhatsApp, however, is somewhat opaque and does not enable the user to understand the circumstances in which his/her personal data will be processed under this heading.

WhatsApp’s Response to Assessment of Decision-Maker

371. WhatsApp, by way of the Preliminary Draft Submissions, confirmed its disagreement with the above assessment, submitting that “(t)he reality is that the processing described in the “Law and Protection” section may be based on legal obligation or legitimate interest depending on the circumstances at hand[147]”.

372. Further, “(i)n light of the sensitive and often complex processing that occurs for law enforcement purposes, the description of the processing (considered together, i.e. “collect, use, preserve and share”) in combination with the rest of the section gives users a clear picture of the ways in which their data may be “used”. While “use” is a broad term, when read together with the rest of the section, WhatsApp considers it is sufficiently clear[148].”

373. Again, it is clear that WhatsApp and I fundamentally disagree as to my assessment of the information provided by WhatsApp to users under this heading. I have already set out above reasons why I consider the information provided to be insufficient, in terms of quality and the manner of delivery. My concerns remain, in this regard, notwithstanding WhatsApp’s perspective on matters.

374. While my view, as set out in paragraph 369 above, that information should be provided in relation to any underlying legal obligation set out in EU or Member State law, was not included in the Preliminary Draft, in the context of my assessment of Article 13(1)(c) concerning WhatsApp’s reliance on the legal obligation legal basis, it was however included in the context of my assessment of the information provided under the heading “Identified Legal Basis 6: Tasks carried out in the public interest”. Given that Article 6(3) is the origin for this requirement, in both cases, I am apprised of WhatsApp’s position on the issue by virtue of the submissions that it furnished in response to my assessment of “Identified Legal Basis 6: Tasks carried out in the public interest”. In the circumstances, my response to those submissions, as set out in paragraphs 394 – 398, below, applies equally here.

[146] Available at https://faq.whatsapp.com/en/general/26000050
[147] The Preliminary Draft Submissions, paragraph 7.17
[148] The Preliminary Draft Submissions, paragraph 7.18

375. WhatsApp, by way of its Article 65 Submissions, expressed the view that my conclusion, as regards the requirement for a data controller to identify the European Union law or Member State law giving rise to the relevant obligation is “flawed in substance” on the basis, inter alia, that[149]:

a. “The legislature specifically prescribed that such information be provided in Article 13(1)(d) GDPR, and the fact that it did not choose to do the same with respect to Article 13(1)(c) is significant.”

b. “There are also straightforward reasons to justify drawing a distinction between these provisions. For example, it is feasible for controllers when preparing a privacy policy to identify the legitimate interests they are pursuing to process data under Article 6(1)(f) GDPR, in a way which would not be the case if controllers were required to exhaustively identify in their privacy policy all legal obligations that may justify them processing data pursuant to Articles 6(1)(c) and/or 6(1)(e) GDPR. This is because a controller decides (and so can readily identify) the legitimate interests it wishes to rely on pursuant to Article 6(1)(f) GDPR; however a controller does not decide which legal obligations it is subject to and which may be relevant to Articles 6(1)(c) and/or 6(1)(e) GDPR given this is the responsibility of law makers, both at EU level and national level.”

c. “The Commission’s approach would be infeasible for controllers. For example, in Ireland, various regulatory bodies have a wide range of powers to request information from entities such as [WhatsApp], and these powers change at the discretion of the Irish legislature. On top of this, a multitude of regulatory bodies from across other EU Member States also have a wide range of powers to request information – again at the discretion of their legislatures – which they might consider would also apply to entities such as [WhatsApp]. It is not feasible as a matter of practice for a controller to identify all such laws in existence when preparing a privacy policy. Indeed it may be the case that the controller only becomes aware of a particular legal obligation at the time when such powers are exercised, once it is put on notice and after it has had the opportunity to consider their applicability on the facts of a specific request. The approach prescribed by the Commission therefore risks imposing obligations on controllers which would be impossible to comply with.”

d. “A similar issue arises with respect to Irish criminal laws, where laws which may give rise to a requirement to produce information to law enforcement are spread across numerous pieces of primary and secondary legislation. As one illustration of this, the Law Reform Commission reported that as of 2015, more than 300 separate legislative provisions … provide for powers to issue search warrants. It simply cannot have been the legislative intention to exhaustively list all such legal obligations that a controller is subject to in order to comply with its obligations under Article 13(1)(c) GDPR.”

e. “Even if controllers were able to identify all such relevant legal obligations in advance, the long list of names of statutory provisions that would then need to be provided to data subjects would serve only to overwhelm them with detailed – and, for most practical purposes, useless – information.” WhatsApp has further submitted, in this regard, that, in the event that I consider “such information regarding laws” to be required by Article 13(1)(c), I should conclude that it would be “more beneficial for data subjects if controllers were to, at most, describe the categories or types of laws engaged, and explain how these categories or types of laws could result in the processing of their data”. WhatsApp considers that this is the “only way in which such information could feasibly be provided by controllers and be meaningful for a data subject.”

[149] The Article 65 Submissions, paragraphs 53.1 to 53.7

376. I note that I have already addressed the matters covered by the submissions summarised at paragraph 375(a), above, as part of the same assessment carried out for the purpose of the information required to be provided where a data controller intends to process personal data on the basis of Article 6(1)(e) (tasks carried out in the public interest). I remain of the views set out in paragraphs 394 to 398, below.

377. As regards the submissions set out at paragraph 375(b), above, I disagree that the fact that a controller does not decide which legal obligations it is subject to is a relevant consideration. If a data controller processes personal data in pursuit of compliance with a legal obligation, then the controller is in a position to “readily identify” and inform the data subjects concerned about the processing and the reason for the processing. To be clear, it is not the case, as appears to be suggested by WhatsApp’s submissions, that a data controller is required to “exhaustively identify … all legal obligations that may justify them processing data pursuant to Articles 6(1)(c) and/or 6(1)(e) GDPR” [emphasis added]. A controller either processes personal data pursuant to a requirement set out in EU or Member State law or it does not; if it does, then all that is required is for the controller to inform the data subjects concerned about that processing along with the underlying legal requirement.

378. I further do not agree that such a requirement would be “infeasible” for controllers, as suggested. If it is the case that a controller becomes subject to a new legal requirement to process personal data, then all that is required is for the data controller to update its privacy policy to reflect that. It is important to remember, in this regard, that the transparency obligation is an ongoing one and not one which can be complied with on a once-off basis. As with all of the obligations that are imposed on data controllers, the GDPR requires controllers to continually monitor and review their practices to ensure ongoing compliance with the obligations arising. This is particularly the case for the transparency obligation, which is not only one of the core data subject rights but also one of the fair processing principles enshrined in Article 5 of the GDPR. While I note WhatsApp’s reference to a 2015 report from the Law Reform Commission, identifying more than 300 separate legislative provisions providing for powers to issue search warrants, it is unlikely to be the case that WhatsApp is subject to a requirement to process personal data pursuant to each one of those provisions.

379. As regards the suggestion that a requirement to provide information as to the underlying legal obligation would result in the data subject being overwhelmed with “details – and, for most practical purposes, useless – information”, I firstly disagree that such information is appropriately classified as “useless”. The information enables the data subject to understand why his/her personal data is being processed, thereby enabling him/her to (i) hold the relevant controller accountable and (ii) exercise