WhatsApp has to appoint a representative in the Netherlands, what now?

WhatsApp has often been mentioned in the news lately. Take our article from October on the warning to WhatsApp from the Article 29-working party. Yesterday’s press release from the court in the Hague, Netherlands showed that WhatsApp lost a case against the Dutch privacy watchdog, the Autoriteit Persoonsgegevens (AP) and has to appoint an official representative to comply with the Dutch legislation concerning the protection of personal data (Wet Bescherming Persoonsgegevens, Wbp). If WhatsApp does not appoint a representative, it will face a penalty of €10,000 per day with a maximum of €1,000,000.

What happened previously?

Back in 2013, the watchdog has warned WhatsApp already for not complying with the privacy legislation. The AP (called the College Bescherming Persoonsgegevens or CBP back then) launched an investigation as WhatsApp was processing personal data of non-users through the app on smartphones in the Netherlands. WhatsApp expects full access to its user’s digital contact list, including contact data from contacts who don’t use WhatsApp. These mobile numbers are subsequently compared by WhatsApp with a so-called user table from WhatsApp’s US-based servers. The mobile numbers from these non-users will be encrypted and saved on WhatsApp’s servers.

According to the AP, the processing of these personal data of non-users complies with the requirements of the Wbp. Consequently, WhatsApp has to appoint a representative in the Netherlands to prevent the company from violating article 4 recital 3 of the Wbp. The watchdog enacted a penalty that WhatsApp disagreed with and objected the penalty.

In November 2015, the watchdog concluded that WhatsApp has implemented some changes that enhance the protection of privacy of non-users. However, WhatsApp refused to appoint a representative. Again, WhatsApp objected this in court.

What’s noticeable of this judgment?

Just transit?

WhatsApp argues that it does not process such data in the Netherlands and cannot be labeled as the responsible that uses automated tools in the Netherlands for things beyond processing data from non-users. The company does not employees in the Netherlands and only uses servers in the United States.

The court disagreed with this statement. First, the Court argues that WhatsApp uses automated tools in the Netherlands when processing personal data. WhatsApp processes data from their Dutch users through the app that is installed on Dutch smartphones. Also, the Court argues that it doesn’t just transit. The Article 29-working party emphasizes in an advice that transit is meant for tools that are exclusively used for ‘simple transfer from one point to the other’. One could think of cable or postal services. However, WhatsApp compares the phone numbers on its own servers, so one cannot consider this to be just transit.

Impossibility of appointing a representative

WhatsApp argues that the watchdog unfavorably expects that the company appoints a representative in the Netherlands. WhatsApp uses the argument that the watchdog provides too few room to anticipate on future privacy legislation in which will be ruled that just 1 representative in the European Union has to be appointed. But, as proven, WhatsApp did not appoint a representative in another EU Member State, leading to the lack of clear prospect on legalization of the current situation according to the Court.

Also, WhatsApp argues that it is not possible for the company to appoint a representative as no for-profit party is willing to take on the risks of fines and penalties. The Court disagrees and states that WhatsApp cannot dismiss the Dutch privacy legislation because of this.

Consequences?

WhatsApp can appeal the decision within six weeks at the Administrative Law Division of the Dutch Council of State.

What’s more interesting about this judgment are the consequences for other publishers of (foreign) apps that use personal data on Dutch smartphones. Will such apps also be required to appoint a Dutch representative? The AP declined to answer this question. We think this could be the case if a foreign company is processing lots of personal data from Dutch people from Dutch smartphones beyond transit. We’d advise to appoint a representative in the Netherlands, or at least in a European Member State.