WhatsApp required to appoint a representative in The Netherlands

16. December 2016

Background

On the 22nd November, the Administrative Court of the Hague confirmed the fine imposed by the Dutch DPA to WhatsApp. In 2012, the Dutch DPA investigated WhatsApp because it had not yet appointed a representative in the Netherlands, according to current Dutch Data Protection legislation. As WhatsApp had still not complied with its obligation to appoint a representative in the EU in 2014, it imposed a fine of 10.000€ for each day of non-compliance.

The Dutch DPA remarked that WhatsApp had the obligation to appoint a representative in The Netherlands because it acted as Data Controller, as it was processing personal data of Dutch citizens. When a user searched for a contact in order to send a WhatsApp message to this contact, WhatsApp accessed this information and stored it in its U.S. servers. Therefore, WhatsApp had to be considered as a data controller in terms of the EU Directive on Data Protection and the Dutch Data Protection Act.

Current situation according to the EU Directive

The Dutch Administrative Court based its argumentation on the following key aspects:

  • WhatsApp is a controller, as already admitted by the company at oral argument.
  • The equipment used by Dutch data subjects, this is the mobile device, is located in Dutch territory. Moreover, according to previous positions of the WP 29 and other EU Courts, mobile devices are also considered as equipment in terms of data processing.
  • WhatsApp argued that Dutch Data Protection Act imposes additional requirements than those imposed by the EU Directive, so that a representative appointed by a data controller has also to comply with the Dutch Data Protection Act. However, the Dutch Court clarified that the extension of the responsibility of the Data Controller to the representative aims at filling legal gaps regarding the application of the data protection principles. The Court also specified that an agreement between the data controller and the representative may be needed in these cases, in order to agree on liability issues.
  • WhatsApp also argued that it should have been requested to appoint just one representative in the EU, as foreseen in the GDPR. The Dutch Administrative Court pointed out that WhatsApp had no representative in any other EU Member State.
  • Finally, WhatsApp alleged that it could not find a party willing to asume this role, but the Court rejected this argument as it has no legal basis.

Will this change with the GDPR?

With the GDPR the requirement to appoint a representative in the EU will change in two ways:

  • Also processors will be subject to this obligation
  • it will be possible to appoint one single representative for all the EU operations.

Under the GDPR it will be mandatory to appoint a representative for those controllers or processors who are based in a third country and they offer goods or services to data subjects in the EU or if behavior monitoring of these data subjects takes place in the EU.

Moreover, the GDPR distinguishes between the representative and the role of the DPO. The requirements to appoint each of them are different but it may occur that a company is obliged to appoint both, only a representative, or a DPO.