Complaining about WhatsApp: soon also in the Netherlands

WhatsApp_Logo_6-300x250.png

The American company WhatsApp Inc. lost a lawsuit on 22 November 2016 that it had filed against the Dutch Data Protection Authority (DPA) after being sanctioned. According to the DPA, WhatsApp had violated the Dutch Personal Data Protection Act as it was found to process personal data of Dutch customers using Dutch smartphones (and not just transferring) while no ‘representative’ had been appointed in the Netherlands. Such a representative would make it easier for Dutch consumers (WhatsApp-users in this case) to file complaints and claims for damages regarding the processing of personal data.

What exactly does WhatsApp do? By installing the application users give WhatsApp permission to access their address books. WhatsApp stores this data on an American server and subsequently “matches” it with the data of other users. Initially WhatsApp also matched the data of non-users – this data was also stored automatically since users grant WhatsApp access to their full address book – however WhatsApp has confirmed to no longer do so.

The Dutch Personal Data Protection Act states: “This Act applies to the processing of personal data by or on behalf of a controller who is not established in the European Union and who makes use of equipment, automated or otherwise, situated in the Netherlands, unless such equipment is used only for purposes of the transit of personal data.” Many American companies are of the opinion that they do not fall under the scope of the Dutch legislation because their servers are located in the US, and they therefore believe to process the data in the US and not in the Netherlands/Europe. However, the judge of the District Court  The Hague ruled that Dutch smartphones of WhatsApp-users are to be considered “equipment, automated or otherwise, situated in the Netherlands”, since WhatsApp is doing more than just transmitting data.

This means that WhatsApp still needs to appoint a Dutch representative, subject to a penalty for non-compliance of EUR 10.000 a day. The defence raised by WhatsApp that under future privacy law (the EU Privacy Regulation) only one representative needs to be appointed for the whole of Europe, did not work , since it turned out WhatsApp had not appointed a representative in any EU country. Neither did WhatsApp’s argument that it had proven to be impossible to find a suitable party who wanted to take on this responsibility.

From this decision it follows that every app-operator that collects personal data of Dutch customers and sends this data to the US, is obliged to have a representative in the Netherlands.

Moïra Truijens

Intellectual PropertyDaniel Haije