WhatsApp judgement sets a new direction

Dear Team,
I think this is of general interest to Project Liberty and indeed there are lessons for all global platforms. Ireland’s national broadcaster reports some implications:

WhatsApp fine offers pause for thought (rte.ie)

We have analysed the full decision/judgement on WhatsApp’s 225M euro fine – 266 pages – summaries attached (a couple of pages).

Processing: WhatsApp - Summary of Corrective Powers to be Exercised.pdf…

Processing: Appendix A - WhatsApp Summary of Directions and Findings.pdf…

The current business models/practices of social platforms have to change whilst new platforms have the advantage of privacy by design from scratch.

In short, WhatsApp regularly processed ALL contact numbers using their “Contacts Feature” which included non-users of WhatsApp without their knowledge or that of a WhatsApp subscriber – transparency? Relying on subscriber ‘consent’ as a lawful basis for processing personal data was found not to be factually true – not valid. The GDPR definition of personal data is certainly expansive including indirectly identifiable natural persons, regardless of using Lossy Hashing. Further, WhatsApp’s submission that it was a mere data processor was also found not to be factually true. The judgement identified WhatsApp as a data controller.

Kind Regards,
Patrick

Meta has 3 months to fix its unlawful business processes problem with the collection and use of personal data; the systems impact and business model impact is huge:

Meta dealt blow by EU ruling that could result in data use ‘opt-in’ | Meta | The Guardian

Meta fined €390m over use of data for targeted ads - BBC News

This expected ruling paves the way for new identity platform(s) that handle PII by observing data protection regulations. Compliance by default has finally become a new normal.

Kind Regards,
Patrick

This time it is WhatsApp that gets 6 months to comply. “Consent” must be freely given / withdrawn and even IF WhatsApp did have such consent to process PII that does not mean consent to share that data with 3rd parties (Meta/Facebook +++):

WhatsApp’s £4.8m fine raises questions for organisations using behavioural advertising | Computer Weekly

GDPR impact is not limited to the covert behavioural advertising industry. ALL organisations that process our PII are impacted which is why off-chain processing of PII/identity data is the better approach taken by Project Liberty.

Kind Regards,
Patrick