Earlier this month, the Commissioner for Data Protection and Freedom of Information in Hamburg ordered Facebook's subsidiary in Ireland to stop processing personal data collected from WhatsApp. See, Press Release, The Hamburg Commissioner for Data Protection and Freedom and Information, Order of the HmbBfDI: Ban of further processing of WhatsApp user data by Facebook (May 11, 2021), available at: https://datenschutz-hamburg.de/assets/pdf/2021-05-11-press-release-facebook.pdf. WhatsApp users will have to agree to new terms which allow their data to be shared with Facebook by May 15, or they will have to make do with a version of the app with limited functionality. The data will be used for advertising to WhatsApp users. The Commissioner found that the data processing does not comply with GDPR.
The Commissioner criticized WhatsApp for isolating terms regarding data transfers in separate areas of the new terms, and using contradictory language. Facebook's processing of WhatsApp data could not be regarded as being necessary for the performance of a contract. "Facebook cannot claim a prevailing legitimate interest in processing the data of WhatsApp users because their interests are overridden by the rights and freedoms of the data subjects. Consent is neither given freely nor in an informed manner. This applies particularly to minors. For these reasons, consent under data protection law cannot be considered as a legal ground." Ibid. The Commissioner faulted WhatsApp for not promptly responding to its inquiry into how data is shared.
The order will be in effect for three months while the Commissioner requests that the European Data Protection Board issue a final decision. Article 66 of the GDPR allows a supervisory authority to immediately adopt provisional measures when there is an urgent need to act. These measures can only last for three months.