On the 12th of July, the European Data Protection Board (EDPB) has adopted its decision on the request of the Supervisory Authority of Hamburg in a urgent binding decision on Facebook Ireland Limited (Facebook IE).
The Board has considered highly probable that Facebook IE process personal data received by WhatsApp Ireland Limited as a data controller or join controller and has asked to the Irish Supervisory Authority to investigate on the question. This is the first decision of the Board based on the urgent procedure.
The decision of the Board refers to a request of the Hamburg Supervisory Authority to implement measures against Facebook Ireland Limited. The request has been reported to the Hamburg Supervisory Authority after the change of the usage terms and the privacy policy for European users of the WhatsApp instant messaging service.
A supervisory authority in the European Union can impose provisional emergency measures on its territory if it considers them as necessary to protect rights and freedoms of the data subjects. In the filed of the emergency procedure according to the General Data Protection Regulation, the supervisory authority can ask an urgent binding decision of the Board for the final adoption of this provisional measures.
Anyway, the Board has considered that conditions in order to establish the existence of a personal data protection breach and to determine the urgency were not met. For this reason, the Irish DPA has not the need to impose final measures against Facebook Ireland Limited.
Anyway, the Board has considered probably that Facebook Ireland Limited processes personal data that receive from WhatsApp Ireland Limited as data controller or join controller for some common purposes, like guarantee the security and update products. Anyway, based on received information, the Board has not been able to confirm with enough certainly which processing operation are still realized and under what heading. But, due to the probability of a personal data breach, the Board invites the Irish DPA to investigate on the question. In particular, if data connected to European users of the WhatsApp instant messaging service have been aggregated or compared with data of other Facebook’s companies and, in affirmative case, the basis of the processing pursuant to the General Data Protection Regulation.
Talking about the urgency, the Board has concluded that the urgent procedure was not appropriate because the Hamburg supervisory authority has not demonstrated that the Irish DPA was not able to provide information in the context of a formal mutual assistance request. In addition, the Board has concluded that an update of the usage conditions which includes the same troubled elements of the previous version of usage conditions does not justify by its own the imposition of measures in the field of the urgent provision.
The decision of the Board in the field of the urgent provision will be published on the website of the Board.
The European Data Protection Board will decide on the emergency procedure during a plenary section which will affect all the supervisory authorities of the European Union. Also, the Finnish supervisory Authority has participated to the decision as the Finnish Data Protection Authority.
SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA FINLANDIA