GDPR fines can contemplate parent group turnover: The story behind the WhatsApp fine

Summary

• The DPC has fined WhatsApp, an instant messaging app owned by Facebook, €225 million in relation to an investigation into its compliance with transparency obligations under the GDPR.
• Following intervention from the EDPB, the proposed fine was increased from €30 - €50 million up to €225 million by taking into account the turnover of the Facebook group of companies as well as WhatsApp itself.
• The case is the first time that regulators have opined on the application of competition law principles around single economic undertakings in the context of fines under the GDPR.
• It has been reported that WhatsApp plans to appeal the decision.

 Background

The Data Protection Commission ("DPC"), the Irish supervisory authority for the General Data Protection Regulation ("GDPR"), has been investigating WhatsApp since December 2018 in relation to its compliance with transparency obligations under the GDPR.

As the lead supervisory authority, the DPC previously submitted its draft decision, which proposed a fine within the range of €30 million to €50 million, to other relevant supervisory authorities in accordance with the process set out in Article 60 of the GDPR.

However, following a number of objections raised by relevant supervisory authorities which could not be resolved, the case was later referred to the European Data Protection Board ("EDPB") for determination pursuant to the dispute resolution process set out in Article 65 of the GDPR.

The EDPB adopted its binding decision in July and, amongst the EDPB's various assessments in relation to the objections raised by the relevant supervisory authorities, an interesting assessment relates to the elements to be relied upon when calculating the amount of an administrative fine, which ultimately resulted in a vast increase in the final fine issued to WhatsApp.

Calculation of 'turnover' can include parent group company turnover

One of the objections raised by a relevant supervisory authority related to the relevant turnover figure to use when calculating WhatsApp's fine.

As widely known, fines under the GDPR can reach up to €20 million, or in the case of an "undertaking", up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Yet, there has been significant uncertainty over the application of the GDPR's fining provisions, in particular, over what constitutes an 'undertaking'. The GDPR does not seek to define this term but, rather, points us to competition law principles in Recital 150:

"Where administrative fines are imposed on an undertaking, an undertaking should be understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes."

In this regard, the Court of Justice of the EU (the "CJEU”) has previously established that: “an undertaking encompasses every entity engaged in an economic activity regardless of the legal status of the entity and the way in which it is financed".

As described by the DPC in its initial draft decision, CJEU competition case law has previously held that a number of different enterprises could together comprise a single economic unit where one of those enterprises is able to exercise decisive influence over the behaviour of the others on the market. Such decisive influence may arise, for example, in the context of a parent company and its wholly owned subsidiary. The ability, on the part of the parent company, to exercise decisive influence over the subsidiary’s behaviour on the market, means that the conduct of the subsidiary may be imputed to the parent company, without having to establish the personal involvement of the parent company in the infringement.

In order to ascertain whether a subsidiary determines its conduct on the market independently, account must be taken of all the relevant factors relating to the economic, organisational and legal links which tie the subsidiary to the parent company, which may vary from case to case. However, the CJEU has also established that, where a parent company has a 100% shareholding in a subsidiary, it follows that: (i) the parent company is able to exercise decisive influence over the conduct of the subsidiary; and (ii) a rebuttable presumption arises that the parent company does in fact exercise a decisive influence over the conduct of its subsidiary. Similarly, the CJEU has also established that, in a case where a company holds all or almost all of the capital of an intermediate company which, in turn, holds all or almost all of the capital of a subsidiary of its group, there is also a rebuttable presumption that that company exercises a decisive influence.

On this basis, the DPC concluded that Facebook Inc. as the ultimate parent company of WhatsApp Ireland Limited ("WhatsApp IE") was able to exercise decisive influence over WhatsApp IE’s behaviour on the market, therefore triggering a rebuttable presumption which the DPC did not feel that WhatsApp IE was able to rebut.

At the supervisory authority level, there was then a divergence in view about how the turnover of this undertaking should be calculated i.e. whether:

• the overall turnover of the single economic unit should be used (i.e. the combined turnover of the entire Facebook, Inc. group of companies); or
• only the combined turnover of Facebook Inc. and WhatsApp IE should be used.

As set out in the EDPB's binding decision, the EDPB's view is that, in accordance with Recital 150, competition case law from the CJEU is also relevant when assessing the turnover to be taken into account for the purposes of the GDPR's fining provisions.

The EDPB referred to a CJEU ruling which sets out that: "when a parent company and its subsidiary form the single undertaking that has been found liable for the infringement committed by the subsidiary, the total turnover of its component companies determines the financial capacity of the single undertaking in question".

The above therefore makes it clear that, as widely feared, the consolidated turnover of the entire group of companies is relevant when determining fines under the GDPR (where a parent and its subsidiary form part of the single undertaking that has been found liable for the infringement committed by the subsidiary).

This highlights the importance, especially for parent companies, of good data protection compliance and governance within each subsidiary within corporate groups and has shed some further light on the application of the GDPR's fining provisions.

Relevance of 'turnover'

Another of the objections raised by a relevant supervisory authority related to the level of the DPC's proposed fine, in particular, that the fine proposed in the DPC's draft decision fell short of the proportionality and dissuasiveness requirements set out in Article 83 of the GDPR, and questioned the DPC's application of the criteria in Article 83(2) of the GDPR in proposing the fine.

As part of this, there was a divergence in view about whether an undertaking's turnover is relevant:

• only to determine the maximum fine to be imposed; or
• in the calculation of the level of fine.

In response to the above, WhatsApp argued for the former, adding that turnover is not listed in Article 83(2) of the GDPR, which sets out a list of factors to be taken into account when deciding (i) whether to impose an administrative fine and (ii) the amount of such fine.

As set out in the EDPB's binding decision, the EDPB's view is that the aim of the reference to turnover in Articles 83(4) to (6) of the GDPR is to ensure that there is a way to deter even the largest undertakings through calculating an appropriate level of fine. The EDPB then refers to the Guidelines on Administrative Fines which state that, in assessing such fines, "the definition of the notion of an undertaking as provided for by the CJEU for the purposes of the application of Article 101 and 102 TFEU" shall be used and, thus...the "connection is made between the size of the undertaking, measured in terms of turnover, and the magnitude a fine needs to have in order to be effective, proportionate and dissuasive."

The EDPB's assessment therefore makes it clear that the turnover of an undertaking is important in determining fines (and not just the maximum level of fines) and, notably, concluding that turnover as relevant only in calculating the maximum level of fines due to the fact that 'turnover' is not listed in Articles 83(2) or 83(3) of the GDPR is "unsustainable in law" since:

• a reference to turnover is unnecessary on the basis that all fines must be set at a level that is effective, proportionate and dissuasive; and
• it would be "internally contradictory" for there to be a maximum level of fines, while also preventing supervisory authorities from assessing whether a fine might need to be adjusted in light of the turnover of a company to ensure it is effective, proportionate and dissuasive.

It was also clarified that the list of factors in Article 83(2) of the GDPR is not meant to be interpreted as an exhaustive list.

This provides clarification for the first time on the relevance of turnover in the calculation of administrative fines under the GDPR. In particular, it clarifies that turnover is not just relevant in determining the maximum fine amount which supervisory authorities must stay within when exercise their fining power (which appeared to be a commonly held understanding).