I think this is of general interest to Project Liberty and indeed there are lessons for all global platforms. Ireland’s national broadcaster reports some implications:
We have analysed the full decision/judgement on WhatsApp’s 225M euro fine – 266 pages – summaries attached (a couple of pages).
The current business models/practices of social platforms have to change whilst new platforms have the advantage of privacy by design from scratch.
In short, WhatsApp regularly processed ALL contact numbers using their “Contacts Feature” which included non-users of WhatsApp without their knowledge or that of a WhatsApp subscriber – transparency? Relying on subscriber ‘consent’ as a lawful basis for processing personal data was found not to be factually true – not valid. The GDPR definition of personal data is certainly expansive including indirectly identifiable natural persons, regardless of using Lossy Hashing. Further, WhatsApp’s submission that it was a mere data processor was also found not to be factually true. The judgement identified WhatsApp as a data controller .