During its 52nd plenary section, the EDPB has adopted its first urgent binding decision pursuant to Article 66, paragraph 2 of the GDPR, following a request from the Hamburg supervisory authority, after the SA had adopted provisional measures towards Facebook Ireland Ltd (Facebook IE) on the basis of Article 66, paragraph 1 of the GDPR. The Hamburg supervisory authority ordered a ban on processing WhatsApp user data by Facebook IE for their own purposes following a change in the Terms of Service and Privacy Policy applicable to European users of WhatsApp Ireland Ltd.
The Authority has based it self on the article 66 of the GDPR, which establishes that in exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the Board and to the Commission.
The EDPB decided that the conditions to demonstrate the existence of an infringement and an urgency are not met. Therefore, the EDPB decided that no final measures need to be adopted by the IE SA against Facebook IE in this case.
The EDPB concluded that there is a high likelihood that Facebook IE already processes WhatsApp IE user data as a (joint) controller for the common purpose of safety, security and integrity of WhatsApp IE and the other Facebook Companies, and for the common purpose of improvement of the products of the Facebook Companies. In addition, there was not enough information to establish with certainty whether Facebook IE already started to process WhatsApp IE user data as a (joint) controller for its own purposes of marketing communications and direct marketing, and cooperation with the other Facebook Companies.
Considering the high likelihood of infringements in particular for the purpose of safety, security and integrity of WhatsApp IE and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies, the EDPB considered that this matter requires swift further investigations. In particular to verify if, in practice, Facebook Companies are carrying out processing operations which imply the combination or comparison of WhatsApp IE’s user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated inter alia by the use of unique identifiers. For this reason, the EDPB requests the IE SA to carry out, as a matter of priority, a statutory investigation to determine whether such processing activities are taking place or not, and if it is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR.
SOURCE: AUTORITA’ PER LA PROTEZIONE DEI DATI DELLA POLONIA – UODO