1 December 2016
The Administrative Court of The Hague (‘the Court’) upheld, on 22 November 2016, a decision by the Personal Data Authority (‘PDA’), which found WhatsApp Inc. had failed to appoint a representative for the processing of Dutch citizens’ data in the Netherlands, and hence violated Article 4(3) of the Dutch Data Protection Act 2000 (‘the Act’).
Wouter Seinen, Partner at Baker & McKenzie, told DataGuidance, “The view taken by the PDA and the Court is quite extreme. The ultimate consequence of the Court’s reasoning would be that any app that is offered by a company outside the EU would be subject to 28 different national data protection regimes. A non-European app developer could not appoint a representative in just one Member State to address the issue, as other national data protection authorities could take the position that equipment in ‘their’ jurisdiction is used as well. This would lead to unacceptable uncertainty for businesses, which should be considered by the Court of Justice of the European Union as well, if it were to decide on this.”
Under Article 4(1)(c) and (2) of the Data Protection Directive (95/46/EC) (‘the Directive’), a controller established outside of the EU that uses equipment located in the territory of a Member State for the processing of personal data must designate a representative to be established there. The PDA deemed that WhatsApp had made use of equipment located in the Netherlands and considered the downloading of the app on a Dutch user’s phone sufficient to meet the criteria of Article 4(1)(c) of the Directive.
This seems to be a rather creative interpretation of the stipulation [of Article 4(1)(c) of the Directive], which I doubt the European legislator envisioned at the time the Directive was drafted.
In addition, the General Data Protection Regulation (‘GDPR’) provides for the appointment of a representative based in the EU in certain circumstances. WhatsApp argued that it should only be required to appoint a single representative for the whole EU; however, this was rejected by the Court on the basis that the GDPR entered into force after the appealed decision. The Court also held that, in any case, WhatsApp did not provide evidence that it had appointed a representative in another Member State.
Seinen concluded, “The decision does not seem very realistic and amplifies flaws in current data protection laws that Europe tried to fix through the GDPR. Let’s hope the decision is revised at appeal and that by that occasion guidance is given which really helps international tech businesses.”
The Court upheld an administrative penalty of €10,000 for every day that WhatsApp does not comply with the decision, up to a maximum of €1,000,000. WhatsApp has six weeks to appeal the decision.
“The conditional penalties imposed by the PDA are also surprisingly significant,” commented Van der Eijk. “This is a lower court procedure in response to an investigation of the PDA; WhatsApp can (and will likely) appeal.”
Cristina Ulessi | Privacy Analyst