Short Reads

District Court The Hague: WhatsApp is more than data transition medium and must appoint Dutch representative

District Court The Hague: WhatsApp is more than data transition medium and must appoint Dutch representative

District Court The Hague: WhatsApp is more than data transition medium and must appoint Dutch representative

24.02.2017 NL law

On 22 July 2015, the Dutch Data Protection Authority ("DPA") imposed an order on WhatsApp Inc., backed by a penalty for non-compliance. The DPA concluded that WhatsApp must appoint a representative in the Netherlands within three months, subject to a penalty of €10,000 per day with a maximum of €1,000,000.

WhatsApp lodged an appeal against the DPA's decision and brought the case before the District Court of The Hague. A brief description of the relevant legal framework is presented below, followed by a discussion on WhatsApp’s most relevant arguments seeking the Court to dismiss the DPA's decision.

Under the Data Protection Directive (95/46/EC), which has been implemented in the Dutch Data Protection Act, a data controller that is established outside the EU and that uses equipment (automated or otherwise) situated in a Member State must designate a representative in that Member State unless such equipment is used for personal data transit only. Under the Dutch Data Protection Act, personal data may only be processed if the designated representative person or authority complies with the Dutch Data Protection Act. For the purposes thereof, the designated representative is regarded as the data controller.

WhatsApp alleged that Article 4 § 3 of the Dutch Data Protection Act (which states that a representative must be regarded as the controller) is inconsistent with the Data Protection Directive and therefore not binding. However, the District Court considers that the Directive does contain the obligation for a controller outside the EU to appoint a representative that can be held responsible by the supervisory authorities in the context of safeguarding rights and duties under the Data Protection Directive, which consideration is supported by Article 29 Working Party's advice on the applicable law of 16 December 2010. The Data Protection Directive must ensure the right to private life, even if the controller is not established within the EU. The rationale of the obligation is evidently that such protection of private life must not be hindered by the practical barrier of having to go to another country and turn to another legal system to safeguard privacy, as set out in the Data Protection Directive. The Court therefore dismisses WhatsApp's argument on this basis.

Furthermore, WhatsApp asserted that the absence of a local representative in the Netherlands should be allowed in anticipation of the GDPR. The GDPR comes in effect on 25 May 2018 and stipulates that a representative in a Member State of the EU should be appointed (instead of a representative in each Member State where equipment of a data controller outside the EU is situated). WhatsApp's argument in this respect also fails. The Court states that the GDPR does not apply yet and, moreover, WhatsApp did not provide any evidence showing that it had appointed a representative in another Member State.

WhatsApp also asserted that it cannot be regarded as a “controller” under the Dutch Data Protection Act because WhatsApp uses the automated equipment in the Netherlands for purposes of non-users’ personal data transit only. The District Court considered that users grant WhatsApp access to their telephone directory and, subsequently, WhatsApp compares the telephone numbers contained in its customers' directories with the telephone numbers on its own servers. The District Court therefore held that WhatsApp does not use its equipment in the Netherlands for data transit only.

WhatsApp finally argued that it is practically impossible to find a representative in the Netherlands because such representative would be held liable for any penalty for non-compliance with the Dutch Data Protection Act but would not have any influence on WhatsApp's activities. The District Court held that WhatsApp's statement that it is unable to find a representative is not a well-founded reason to discharge WhatsApp from its duty to appoint a representative in the EU Member State.

The District Court therefore upheld the DPA's decision. WhatsApp can still appeal against the District Court's decision by bringing the case before the Administrative Jurisdiction Division of the Council of State.

The case can be found here.

Team

Related news

02.07.2019 NL law
Debate night: HR Analytics: opportunity or threat?

Seminar - On 2 July 2019, Stibbe's Digital Economy Group will host a debate night in Amsterdam on the hot topic of HR analytics. During Stibbe's debate night, speakers from the world of business, politics, science and law will exchange views on HR analytics, how they can be used in practice, and their development in the context of employment and privacy law.

Read more

06.06.2019 NL law
Masterclass: Alcohol and drug testing in the workplace

Masterclass - Stibbe will host a masterclass entitled 'Alcohol and drug testing in the workplace' on 6 June in Amsterdam. During this masterclass, employment law expert Johan Zwemmer and privacy experts Frederiek Fernhout and Judica Krikke will discuss the Dutch Data Protection Authority's general prohibition of these tests and discuss whether and how employers should implement.

Read more

07.06.2019 BE law
Part three - GDPR and public law: To retroact or not?

Articles - Since the General Data Protection Regulation (“GDPR”) became applicable almost one year ago, multiple questions have arisen about its interaction with other fields of law. In this three-part blog series of “GDPR and public law”, we discuss three capita selecta of the interaction of GDPR with public law and government. In this blog we discuss the retroactive application of GDPR.

Read more

06.06.2019 NL law
Masterclass: Alcohol- en drugstesten op de werkvloer

Masterclass - Stibbe in Amsterdam organiseert op 6 juni de masterclass 'Alcohol- & drugstesten op de werkvloer'. Tijdens deze masterclass bespreken arbeidsrechtexpert Johan Zwemmer en privacydeskundigen Frederiek Fernhout en Judica Krikke het algemene verbod van de Autoriteit Persoonsgegevens op deze testen voor werkgevers en leggen zij onder meer uit hoe hiermee moet worden omgegaan.

Read more

06.06.2019 BE law
TMT Roundtable: Getting a handle on software quality

Roundtable - Erik Valgaeren, TMT Partner at Stibbe Brussels, and his team organize a roundtable on software quality in our Brussels office on June 6th, 2019. Software quality is a recurring theme in many matters handled by our TMT team. Whether our assistance relates to preparing tender documents, contracting effectively, assessing proper performance or allocating ownership and accountability in challenging IT projects, questions concerning software quality always arise.

Read more

05.06.2019 BE law
Part two - GDPR and Public Law: Data protection in public procurement

Articles - Since the General Data Protection Regulation (“GDPR”) became applicable almost one year ago, multiple questions have arisen about its interaction with other fields of law. In this three-part blog series of “GDPR and public law”, we discuss three capita selecta of the interaction of GDPR with public law and government. In this blog we discuss some GDPR-related aspects of public procurement.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring