No processing without representation
WhatsApp Inc. and the Dutch Data Protection authority have been fighting over the question of whether or not WhatsApp has to appoint a representative in the Netherlands. On 22 November the Regional Court of the Hague took its decision against WhatsApp.
For a while now WhatsApp Inc., the US-American company behind the internationally well known instant messaging app, and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) have been fighting over the question whether or not WhatsApp, which so far does not have any offices in the European Union, has to appoint a representative in the Netherlands.
In the summer of 2014 the Data Protection Authority had issued an order under which WhatsApp had to appoint a representative in the Netherlands. It was (amongst other things) this order against which WhatsApp directed its litigation.
WhatsApp had fought against the Data Protection Authority’s view bringing up various arguments, basically none of which was accepted by the court. It argued that it was impossible to comply with article 4, paragraph 3 of the Dutch Data Protection Act (Wet bescherming persoonsgegevens). This provision requires the appointment of a legally responsible representative in case of data processing for or on behalf of a data processor outside of the European Union by means in the Netherlands. WhatsApp argued that it had not been possible to find any commercial party willing to assume this position and the liability risks connected with it. The court did not accept this argument and explained that it should have been possible for WhatsApp to come to an agreement with a representative under which WhatsApp would have agreed to bear all monetary fines or penalty payments.
In addition, the US companies' argument that Dutch data protection law should not apply as WhatsApp did not employ any personnel in the Netherlands and as, furthermore, the companies’ servers are in the United States, has been refused by the court. To the contrary, the court argued that as data processing occurred on Dutch smartphones WhatsApp is responsible under Dutch data protection law. It based its view on the argument that any processing by means of an app takes place in the jurisdiction in which the smartphones on which the apps are located are being used. This is in line with the view taken by the Article 29 Working Party in its Opinion 2/2013 on apps on smart devices.
Also, the court argued that contrary to WhatsApp’s reasoning the fact that as of 2018 the European Data Protection Regulation in its article 27, paragraph 1, will require (only) one representative in Europe in scenarios such as above does not mean that the existing national provisions in place are not fully applicable and enforceable until then.
Should WhatsApp fail to appoint a representative in the Netherlands it will potentially have to face penalty payments of €10,000.00 per day up to a maximum of €1m.
Whilst it is true that the above decision is of direct relevance only for WhatsApp's matter against the Dutch Data Protection Authority - not all European national legislations provide for a direct liability of the representative to be named in the various European jurisdictions - the decision raised some important issues also in other jurisdictions: First, as long as the European Data Protection Regulation is not yet applicable, it will be necessary to pay attention to and comply with the various national data protection regimes in Europe. Secondly, where data is being processed in apps on smartphones in the European Union, European data protection laws apply and must be complied with, even if the company behind the app is outside of the European Union.
