Whatsapp gets an GDPR fine – What can we learn form this?

On 12 January, the Irish privacy watchdog imposed a €5.5 million GDPR fine on WhatsApp. The fine decision was made after consultation with other European privacy authorities.

It underlines the importance of transparent and fair terms of use. And the need to have a valid reason for use of personal data.

Want to know more about the valid reasons? Download the whitepaper

Many terms of use of websites, apps and software refer to “improvement of service and security” as the reason for use of user data.

WhatsApp’s terms and conditions also mentioned this purpose, citing as the legal basis for the processing that it is “necessary” for the “performance of the contract”.

WhatsApp thereby failed to provide a transparent and honest description of how personal data is used. Nor is the legal basis valid.

This shows:

• It should be made clear how personal data will be used.
• There must be a better basis for using the data than “necessary for the performance of the contract”.

Now, information security and improving a product in it can be a good reason for using certain personal data.

So how do you ensure good terms of use?

The obvious thing to do is to ask users for explicit permission to use their data.

Note two things here:

• Describe sufficiently specifically what the data will be used for.

So, provide a sufficiently clear description of process and purpose. Ask yourself the question: Do you yourself find your description transparent, clear and honest?

• Consent can be withdrawn at any time.

Take this into account in UX design: Is consent easily revoked?

Basis “legitimate interest”

Apart from consent, you can also consider using the “legitimate interest” basis: Information security and improvement of a product generally constitute a legitimate interest for processing personal data.

Note that this does not always mean that all data may be used for this purpose.

The “legitimate interest” basis requires a balancing of interests: Does the interest of using the data outweigh the users’ privacy?

The risk to privacy can be mitigated by anonymisation, pseudonymisation and/or aggregation of data.

Users’ personal data must – in short – be handled sensibly and carefully.

When using “legitimate interest”, it is also always advisable to include a brief description of the purpose and method(s) used in the terms of use.

Will you now face a €5.5 million GDPR fine if you fail to comply?

Probably not. But even an investigation, a warning, negative publicity and a low(er) fine can have a significant impact on your reputation and business.

Want to know more about the GDPR legislation, GDPR penalty, how it fits together and what issues are important for your business? Get in touch with our specialists