As WhatsApp Challenges €225 Million GDPR Fine, Swiss Army Drops Recommendation

WhatsApp is challenging the €225 Million fine it received under the GDPR laws. This as the Swiss Army is no longer recommending it.

WhatsApp certainly grabbed a number of headlines over the last few years here on Freezenet. More recently, they grabbed headlines because of their legal battle with malware vendor, NSO Group. While those stories were, indeed, noteworthy, that wasn’t the only way they made headlines last year.

Another reason they made headlines was the less flattering story about how they got fined under Europe’s General Data Protection Regulation (GDPR). In September, they were fined €225 Million (according to the BBC) ironically by the Irish DPC:

Facebook, which owns WhatsApp, has its EU headquarters is in Ireland, and the Irish regulator is the lead authority for the tech giant in Europe.

WhatsApp said it disagrees with the decision, and the severity of the fine, and plans to appeal.

The fine relates to an investigation which began in 2018, about whether WhatsApp had been transparent enough about how it handles information.

The issues involved were highly technical, including whether WhatsApp supplied enough information to users about how their data was processed and if its privacy policies were clear enough.

Those policies have since been updated several times.

There is plenty of irony to go around in that story. The reason is that the Irish DPC has been under fire for some time for being soft on large tech giants when they violate the GDPR. The accusations grew so loud that officials had to take to the airways just to defend the organization.

On the flip-side, over top of the stories of WhatsApp fighting NSO Group, there was also the story ain 2017 where WhatsApp found itself on the front lines of the war on encryption where the app contained end-to-end encryption and governments were demanding that encryption either have backdoor access to encrypted communications or simply ban such encryption altogether.

So, you can see just how ironic all of this is where the Irish DPC is fining WhatsApp for privacy violations. It’s enough to make your head spin, really.

More recently, WhatsApp has challenged the ruling. They say that the fines were disproportionate. From Pinsent Masons:

Dublin-based data protection law expert Andreas Carney of Pinsent Masons said: “The challenges raised by WhatsApp address points of technical interpretation of the GDPR, as well as fundamental questions as to whether the EDPB applied due process and acted properly in exercising its powers. This is perhaps not unexpected given the impact of the EDPB’s decision on the scope of findings and level of the fine levied against WhatsApp by the DPC. Given that the main role of the EDPB is to ensure the consistent application of the GDPR throughout the European Economic Area, this case will no doubt be watched very closely from various quarters.”

The case, which now stands to be considered by the EU’s General Court, originated with complaints raised by individuals about WhatsApp’s data processing. The complaints spurred the DPC to open an investigation in 2018 into whether WhatsApp complied with transparency obligations under the GDPR.

At the time, WhatsApp said it disagreed with the decision, describing the penalties imposed on it as “entirely disproportionate”. Now the company has lodged legal action seeking annulment of the EDPB’s decision. To support its case, the company has raised seven separate pleas – including that the EDPB “exceeded its competence” under the GDPR.

WhatsApp has also claimed that the EDPB has held it to a higher standard of transparency than the GDPR requires and “excessively” interpreted and applied the definition of ‘personal data’ under the Regulation.

According to WhatsApp, the EDPB also breached the Charter of Fundamental Rights of the EU. Specifically, it has pleaded that the EDPB violated the “presumption of innocence” and “right to good administration”, in the former case by “inappropriately” reversing the burden of proof onto WhatsApp to “demonstrate that its processing environment is such that the risks of re-identification of data subjects is purely speculative”, and in the latter case” by “disregarding WhatsApp’s right to be heard and the EDPB’s obligations to carefully and impartially examine evidence and to adequately state reasons”.

The company has also taken issue with the EDPB approach to determining GDPR fines and further argued that the watchdog “violated the principle of legal certainty by failing to acknowledge that its decision puts forward novel interpretations and applications of several provisions of the GDPR, with the consequence that the infringement was unpredictable”.

while that was happening, the Swiss Army has chosen to drop its recommendation of WhatsApp. This in favour of a home grown Swiss app. The cited reason is the notorious US CLOUD Act and they said that because the Swiss app isn’t subject to such a law, it means that the app is more secure. From the Associated Press:

Army leaders, in a letter to top commanders last month, called for use of the Swiss instant messaging service Threema, and a promotion for the service was posted Dec. 29 on the Swiss army’s page on Facebook, which, like WhatsApp, is owned by the U.S. company now known as Meta.

Officials have cited an enhanced need for secure communications as Swiss soldiers have fanned out to support the response to the COVID-19 pandemic in the Alpine country.

A letter sent to army chiefs last month said Threema “must be used for all service communications,” adding that “no other messaging service will be authorized.”

Army spokeswoman Delphine Schwab-Allemand, in an e-mail on Wednesday confirming reports on the issue in Swiss media, seemed to soften the army’s position, saying that there was a “recommendation” that troops use Threema. It took effect on Jan. 1. She added that the army cannot and does not want to tell troops to use a particular app on their private devices.

As Threema is a Swiss-based company, information it holds isn’t subject to the U.S. Cloud Act, she said, referring to legislation passed in a 2018 spending bill that governs how U.S. authorities can get electronic communications held by technology companies.

So, while it is not an outright ban, it is no longer recommending it to its officers. It’s largely a coincidence that this happens as the GDPR fine against the app is getting challenged in court.

For those who don’t know, the CLOUD Act allows American law enforcement to access information regardless of if you are a US citizen or not. From the EFF:

The Clarifying Overseas Use of Data (CLOUD) Act expands American and foreign law enforcement’s ability to target and access people’s data across international borders in two ways. First, the bill creates an explicit provision for U.S. law enforcement (from a local police department to federal agents in Immigration and Customs Enforcement) to access “the contents of a wire or electronic communication and any record or other information” about a person regardless of where they live or where that information is located on the globe. In other words, U.S. police could compel a service provider—like Google, Facebook, or Snapchat—to hand over a user’s content and metadata, even if it is stored in a foreign country, without following that foreign country’s privacy laws.[1]

Second, the bill would allow the President to enter into “executive agreements” with foreign governments that would allow each government to acquire users’ data stored in the other country, without following each other’s privacy laws.

For example, because U.S.-based companies host and carry much of the world’s Internet traffic, a foreign country that enters one of these executive agreements with the U.S. to could potentially wiretap people located anywhere on the globe (so long as the target of the wiretap is not a U.S. person or located in the United States) without the procedural safeguards of U.S. law typically given to data stored in the United States, such as a warrant, or even notice to the U.S. government. This is an enormous erosion of current data privacy laws.

This bill would also moot legal proceedings now before the U.S. Supreme Court. In the spring, the Court will decide whether or not current U.S. data privacy laws allow U.S. law enforcement to serve warrants for information stored outside the United States. The case, United States v. Microsoft (often called “Microsoft Ireland”), also calls into question principles of international law, such as respect for other countries territorial boundaries and their rule of law.

Notably, this bill would expand law enforcement access to private email and other online content, yet the Email Privacy Act, which would create a warrant-for-content requirement, has still not passed the Senate, even though it has enjoyed unanimous support in the House for the past two years.

This, of course, is one of many reasons for Europe to grow increasingly untrusting of US technology. One such example is Max Schrems successfully challenging the SHIELD laws which suggested that European’s personal information is safe in the US given that it is a trusted ally.

At any rate, you have two separate stories that does challenge the image of WhatsApp being this amazing secure communications app. While reminding people of the WhatsApp fine was a risk, from WhatsApp’s perspective, it was pretty much necessary in an effort to try and evade the fine in the first place. The latter of which just seemed more of a case of bad timing for WhatsApp. To be fair, though, it’s not likely that the US Cloud Act was in their control in the first place. After all, it was ultimately the US government that enacted it in the first place.

Still, this does shake the image of WhatsApp privacy capabilities somewhat. Whether these events snowball into a much bigger problem for the app or fade away as tiny blips in the radar remains to be seen.

Drew Wilson on Twitter: @icecube85 and Facebook.

2 Trackbacks and Pingbacks

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: