
Identified Legal Basis 6: Tasks carried out in the public interest

“more granularity is required to comply with Article 13(1)(c) GDPR in this regard. In particular, WhatsApp is of the view that the user is already provided with adequate information so that the user can identify which “safety and security” objectives will be grounded on vital interests … as it is evident that this will be engaged in circumstances where a life or physical integrity is at risk.” Nonetheless, WhatsApp intends to provide the user with some examples of the type of data that has been processed by reference to past processing, as suggested by the Commission.150”

384. As before, it is clear that WhatsApp and I fundamentally disagree as to my assessment of the information provided by WhatsApp to users under this heading. I have already set out above the reasons why I consider the information provided to be insufficient, in terms of the quality of the information that has been provided. My concerns remain, in this regard, notwithstanding WhatsApp’s perspective on matters; however, I acknowledge that WhatsApp intends to provide the user with examples, as suggested.

Identified Legal Basis 6: Tasks carried out in the public interest

What information has been provided?

385. In this section, I examine whether there has been compliance with Article 13(1)(c), insofar as WhatsApp refers to reliance on the legal basis set out in Article 6(1)(e) (tasks carried out in the public interest). In this regard, the Legal Basis Notice provides the following information under this heading:

“The other legal bases we rely on in certain instances when processing your data are: … For undertaking research and to promote safety and security, as described in more detail in our Privacy Policy under How We Use Information, where this is necessary in the public interest as laid down by European Union law or Member State law to which we are subject.”

How has the information been provided?

386. The information has been provided by way of the statement set out above with a link that, when selected, brings the user back to the “How We Use Information” section of the Privacy Policy. While that section contains two further embedded links, the one relevant to this assessment brings the user to an “article” hosted on the Facebook website entitled “the Facebook Companies” (which contains further links to further relevant information).

Assessment of Decision-Maker

Quality of information provided

387. I am unable to identify at any level, based on the information that has been provided in relation to this legal basis, what sort of processing operation will be grounded on this legal basis and what categories of personal data will be processed under this heading. Where WhatsApp intends to ground a processing operation on this legal basis, it should also identify the “European Union law or Member State law” giving rise to the obligation for WhatsApp to process data.

388. I further note that “the promotion of safety and security” has been included under the contractual necessity heading, the legitimate interests heading and the vital interests heading. If this is not an error, WhatsApp must identify, with sufficient granularity, the relevant processing operation(s) that will be carried out, under each heading, for the purpose of the promotion of safety and security.

150 The Preliminary Draft Submissions, paragraph 7.21

The way in which information has been provided

389. Further, it is unfortunate that the way in which the information has been provided is somewhat circular in that:

a. The user is linked to the Legal Basis Notice by the “Our Legal Basis For Processing Information” section of the Privacy Policy. The top of that section includes a link back to the “How We Use Information” section of the Privacy Policy.

b. Thus, the inclusion of a link back to the “How We Use Information” section of the Privacy Policy does not provide the user with any new or more detailed information but merely brings the user in a circle back to the original starting point.

390. WhatsApp is perfectly entitled to incorporate layering into its approach to the delivery of information. In order for this to be effective, however, it must be done in a considered way such that the information being provided, across the various layers, still meets the requirements of Article 12(1) for information to be provided in a “concise, transparent, intelligible and easily accessible form”. Bringing the user on a pointless circuitous route, as detailed above, does not achieve this.

WhatsApp’s Response to Assessment of Decision-Maker

391. WhatsApp, by way of the Preliminary Draft Submissions, confirmed its disagreement with the above assessment, submitting firstly that:

“WhatsApp does not consider a requirement can be construed under Article 13(1)(c) GDPR to exhaustively list in a privacy policy-type document all the EU or Member State laws potentially engaged when a controller might rely on Article 6(1)(e) as a legal basis to process personal data. We would question whether it is even possible to identify in advance every such applicable law. Additionally, if this were the case, when new laws are enacted at EU or Member State level that might impose a duty on WhatsApp to carry out tasks in the public interest, WhatsApp would have to update its Privacy Policy each time. This would be impractical to implement, particularly where an applicable situation develops at pace (which could very well be the case in circumstances of public interest). This would be confusing for users, would be likely to create information fatigue, and would not be proportionate to WhatsApp’s obligations under the GDPR151.”

392. It further submitted that “… for the same reasons, WhatsApp does not consider there can be a requirement to specify with granularity the processing operations that will take place under “the promotion of safety and security” heading152.”

393. As before, it is clear that WhatsApp and I fundamentally disagree as to my assessment of the information provided by WhatsApp to users under this heading. I have already set out above the reasons why I consider the information provided to be insufficient, in terms of quality and the manner of delivery. My concerns remain, in this regard, notwithstanding WhatsApp’s perspective on matters.

151 The Preliminary Draft Submissions, paragraph 7.22

152 The Preliminary Draft Submissions, paragraph 7.24

394. In relation to WhatsApp’s submission that Article 13(1)(c) does not require the identification of the underlying EU or Member State law, I note that it is firstly clear, from Article 6(3) (and Recital 45), that, in order for a controller to be able to process personal data in reliance upon Article 6(1)(e), the basis for the processing must be laid down by EU or Member State law. The existence of such legal underpinning is therefore a component part of reliance upon Article 6(1)(e).

395. Article 13(1)(c) requires the provision of information concerning the “legal basis for the processing”. It is clear, from Article 6(3), that the underlying EU or Member State law forms the basis of processing carried out in reliance on Article 6(1)(e). That being the case, my view is that, where a controller intends to process personal data in reliance on Article 6(1)(e), Article 13(1)(c) requires the controller to inform the data subject not only of its intended reliance on Article 6(1)(e), but also of the EU or Member State law that forms the underlying basis for the processing concerned.

396. I note that such an approach is consistent with the purpose of the transparency obligation, as considered as part of the assessment that led to the formulation of the Proposed Approach, above. I note, in particular, the role of transparency in helping the data subject to hold the data controller accountable.

397. I further note that Article 13 already indicates that this is the correct approach, by reference to the requirement, set out in Article 13(1)(d), for the controller to identify the legitimate interests being pursued in a case where the processing is grounded upon Article 6(1)(f). The existence of a legitimate interest plays a similar role, in the context of Article 6(1)(f), as that played by the underlying EU or Member State law, in the context of Article 6(1)(e). That being the case, it would not make sense for Article 13 to require the identification of the legitimate interest being pursued, in the case of processing grounded upon Article 6(1)(f), but not the underlying EU or Member State law that forms the basis for processing grounded upon Article 6(1)(e).

398. Finally, and insofar as it might be suggested that the above approach is inconsistent with the principle of expressio unius est exclusio alterius (on the basis that the express inclusion of the requirement to provide information about the legitimate interest being pursued suggests that the legislator did not intend for Article 13 to contain a similar requirement as regards the provision of information concerning any underlying legal requirement enshrined in EU or Member State law), I note that it is not possible to rely on Article 6(1)(c) or (e) in the abstract; both are subject to compliance with the provisions of Article 6(3). This is not the case with Article 6(1)(f), which is self-contained and not subject to any additional and specific conditionality within Article 6 itself. This means that, in the context of Article 13, it was not necessary for the legislator to specifically require the provision of information as to the underlying EU or Member State law where the applicable legal basis is Article 6(1)(c) or 6(1)(e); this requirement has already been incorporated into these provisions by Article 6(3). The absence of such a corresponding provision in the context of Article 6(1)(f) meant that it was necessary for the legislator to specifically incorporate a requirement for information to be provided about the underlying legitimate interest where, pursuant to Article 13(1)(c), the data controller has confirmed its intention to rely on Article 6(1)(f) to ground its processing.
