3 minute read
6.3 Position of the LSA on the objections
115. Finally, the IT SA states that the decision poses a significant risk for the rights and freedoms of the data subjects as it impairs their right to be informed as well as due to the disproportionate corrective measure.
6.3 Positio n of th e LSA on t he obj ecti ons
Advertisement
116. The final position taken by the IE SA was to not follow any of the objections 91 . However, in the Composite Response the IE SA indicated that it considered the objections relevant and reasoned. It acknowledges the common issue, i.e. that the data is to be regarded as pseudonymous rather than anonymous, and takes account of the proposed ways in which identification might be achieved. The LSA further takes stock of the concerns raised by the CSAs regarding the salt, that the number of 16 numbers being represented by the lossy hash is in practice not a minimum, but rather a maximum and that WhatsApp IE has at its disposal a vast network of contacts among users and non-users 92 .
117. Considering the above, the LSA argues that while it is theoretically possible to consider the 39-bit hash Value as being anonymous, viewing the hash value in isolation disregards the risks that are present in the processing environment that might enable the re-identification of the data subjects 93 . Further, in reaction to WhatsApp IE s submissions refuting the objections as theoretical and raising that the objections fail to identify why WhatsApp IE might want to re-identify the non-users, the LSA states that it is not unusual to rely on hypothetical scenarios to identify the re-identification risks and that the motivation does not affect the technical ability to re-identify a data set. However, it states that the motivation will be relevant when assessing whether the means identified are reasonably likely to be used.
118. Further, the LSA refers to the WP29 Opinion 05/2014 94 and points out that, since the retained dataset contains links from the hash value to users of the service, it presents a greater-than-zero risk that some non-users could be re-identified by inference, linking or singling out 95 . However, it also point s out that in many of the scenarios presented by the CSAs, the auxiliary data is the phone number of the non-user itself, thereby creating a somewhat circular argument. It argues as well, that a zero-risk approach is likely to result in very few, if any, processes achieving anonymisation. The LSA questions that such an outcome was envisaged by the legislator.
119. Finally, following the above, the LSA concludes that neither the CSAs have provided solid arguments to conclude that the process is insufficient to anonymise data, nor are WhatsApp IE s responses sufficiently developed to support a finding that the process is sufficient to anonymise data in every case 96. Therefore, it agrees with the concerns expressed by the CSAs in relation to the potential finding having a very significant impact as a precedent, but remains concerned whether the reversed finding according to the varying hypotheses proposed by the CSAs would be sustained if challenged in court.
120. Further, it is to be noted that before referring the dispute to the Board, the LSA proposed as a compromise to amend the draft decision to only retain the finding that WhatsApp IE processes the personal data of non-users, thus being subject to Article 14 GDPR, and to remove all references to the Lossy-Hashing procedure, including any associated findings.
91 Letter to the EDPB Sec retaria t, dated 2 June 2021, p. 2. 92 IE SA Composit e Re sponse, p aragraph 38 and following. 93 IE SA Composit e Re sponse, p aragraph 56. 94 Article 29 Working Party, O pinion 05/2014 on Anonymis ation Techniques (10 April 2 014), WP2 16 ( "WP 2 9 Opinion 05/2014 "). 95 IE SA Composit e Re sponse, p aragraph 56.e. 96 IE SA Composit e Re sponse, p aragraph 57.
