The main thing is that WhatsApp changed some processing from relying on Consent to relying on "Contractual Agreement" (contrary to popular opinion, GDPR does not always require consent). The fine is based on two things: 1) this change and its ramifications were not communicated to users 2) you can't actually use "Contractual Agreement" for some of that processing.
1) is important because consent can be withdrawn. If users still believe that processing is based on their consent, they believe they have the ability to withdraw consent and processing must stop, but that doesn't apply to Contractual Agreement. In other words, this lack-of-clarity means users believed they had more control over they data, but they didn't.
2) requires reading deeper into the decision to see what matters. From background, Facebook has argued in the past that personalized advertising is a contractually-provided service, and that's probably what got rejected.
This is a recurring theme by now: American company decides to look at the law in the narrowest way possible and to try to find a loophole to keep doing what they were doing, European legislators insist that you take the intent to heart and try to do your best to comply with that. This will probably happen many more times before the coin will finally drop.
The GDPR absolutely has the capability to provide that motivation. Especially when you get hit several times for different instances of the same infraction it can really add up, potentially even a large player could be put out of business. I think that at some point in time one of these regulators is going to get angry enough that they may want to set an example.
If the cookie law is anything to go by, the real question is enforcement rather than the letter of the law.
The cookie law is quite well written and makes it clear that the obvious dark patterns are verboten.
You aren't allowed to use intentionally deceptive toggles, or to make it much harder to say no than to say yes. The law is very rarely enforced though, so such dark patterns are rife.
I suspect something similar may happen with other Internet-governing regulation.
Keep a very good eye on your local elections and get technically competent people (and hopefully the ones that are not for sale by lobbyists) into the seats of power. The best bit: it's free. I'm pretty happy with the way the GDPR so far has worked out and as far as I'm concerned they're welcome to ratchet up the pressure a notch, or even two.
Why is legal reporting in Europe so ambiguous? There are always articles with a summary but it seems like you can never read any deeper unless it reaches the ECJ or ECHR. In America we have PACER and anyone with a few dollars can read everything besides sealed documents,
There are no personalised ads or no ads at all in WhatsApp, are there?
What got rejected is using the data for "service improvement" and "security" - in particular how WhatsApp used personal data for these purposes, and how in the opinion of Europea data protection authorities this was not necessary for Meta to perform the contract.
Press release: https://www.dataprotection.ie/en/news-media/data-protection-...
The main thing is that WhatsApp changed some processing from relying on Consent to relying on "Contractual Agreement" (contrary to popular opinion, GDPR does not always require consent). The fine is based on two things: 1) this change and its ramifications were not communicated to users 2) you can't actually use "Contractual Agreement" for some of that processing.
1) is important because consent can be withdrawn. If users still believe that processing is based on their consent, they believe they have the ability to withdraw consent and processing must stop, but that doesn't apply to Contractual Agreement. In other words, this lack-of-clarity means users believed they had more control over they data, but they didn't.
2) requires reading deeper into the decision to see what matters. From background, Facebook has argued in the past that personalized advertising is a contractually-provided service, and that's probably what got rejected.