The EDPB adopted its first urgent binding decision pursuant to Art. 66(2) GDPR following a request from the Hamburg supervisory authority (DE-HH SA), after the SA had adopted provisional measures towards Facebook Ireland Ltd (Facebook IE) on the basis of Art. 66 (1) GDPR.

The DE-HH SA ordered a ban on processing WhatsApp user data by Facebook IE for their own purposes following a change in the Terms of Service and Privacy Policy applicable to European users of WhatsApp Ireland Ltd. The EDPB decided that the conditions to demonstrate the existence of an infringement and an urgency are not met. Therefore, the EDPB decided that no final measures need to be adopted by the IE SA against Facebook IE in this case.

Based on the evidence provided, the EDPB concluded that there is a high likelihood that Facebook IE already processes WhatsApp IE user data as a (joint) controller for the common purpose of safety, security and integrity of WhatsApp IE and the other Facebook Companies, and for the common purpose of improvement of the products of the Facebook Companies. However, in the face of the various contradictions, ambiguities and uncertainties noted in WhatsApp’s user-facing information, some written commitments adopted by Facebook IE and WhatsApp IE’s written submissions, the EDPB concluded that it is not in a position to determine with certainty which processing operations are actually being carried out and in which capacity. In addition, there was not enough information to establish with certainty whether Facebook IE already started to process WhatsApp IE user data as a (joint) controller for its own purposes of marketing communications and direct marketing, and cooperation with the other Facebook Companies. Nor could it be established whether Facebook IE already started or will soon start processing WhatsApp IE user data as a (joint) controller for its own purpose in relation to WhatsApp Business API.

On the existence of urgency, the EDPB considered that Art. 61(8) GDPR was not applicable as the DE-HH SA did not demonstrate that the IE SA failed to provide information in the context of a formal request for mutual assistance under Article 61 GDPR. Moreover, the EDPB decided that the adoption of the Updated Terms, which contain similar problematic elements as the previous version, cannot, on its own, justify the urgency for the EDPB to order the LSA to adopt final measures under Article 66(2) GDPR. The EDPB therefore considered that there is no urgency for the LSA to adopt final measures in this case. Considering the high likelihood of infringements in particular for the purpose of safety, security and integrity of WhatsApp IE and the other Facebook Companies, as well as for the purpose of improvement of the products of the Facebook Companies, the EDPB considered that this matter requires swift further investigations. In particular to verify if, in practice, Facebook Companies are carrying out processing operations which imply the combination or comparison of WhatsApp IE’s user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated inter alia by the use of unique identifiers. For this reason, the EDPB requests the IE SA to carry out, as a matter of priority, a statutory investigation to determine whether such processing activities are taking place or not, and if this is the case, whether they have a proper legal basis under Article 5 and Article 6 GDPR.

In addition, taking into consideration the lack of information as regards how data are processed for marketing purposes, cooperation with the other Facebook Companies and in relation to WhatsApp Business API, the EDPB calls upon the IE SA to further investigate the role of Facebook IE, i.e. whether Facebook IE acts a processor or as a (joint controller), with respect to these processing operations.