WhatsApp GDPR Fine
This transcript is generated by parley.nvim.
Question
Give me a summary of the IDPC case against WhatsApp in 2021. From my impression, WhatsApp used a lossy hashing scheme, uploaded a minimal amount of data (just phone numbers), and did not share it with Facebook. Is that correct? If that’s the case, what’s the fine for? Literally every other company under the sun is doing much more than that, and I’m pretty sure none of them disclosed this “non-subscriber data” collection, as it’s so minor in the grand scheme of things. And for example, how the hell can you notify a non-subscriber? It’s a case where the regulator doesn’t check the reality of how people want to use a service, and is just out there to get probably one of the most privacy-conscious services out there, just because they can milk innovation, essentially.
Do some research around this and tell me your opinion.
IDPC document here.
🤖:[Claude-Code-Opus]
🧠: Xian is asking about the Irish Data Protection Commission (IDPC) case against WhatsApp in 2021. He has a strong opinion that this was regulatory overreach against a privacy-conscious service. He wants me to research the actual case details and give my honest opinion. He’s linked the EDPB binding decision document. Let me fetch that document and do some web research to understand the case properly before forming an opinion. Given his WhatsApp background, he likely has insider knowledge, so I need to be substantive and not superficial.
Let me research this thoroughly - fetch the document and search for context.
Now I have a thorough understanding of this case. Let me synthesize everything and give Xian my honest assessment.
Okay, I’ve gone deep into the EDPB binding decision and the surrounding commentary. Here’s my analysis.
The Case in a Nutshell
The DPC concluded WhatsApp failed to: provide required privacy information to WhatsApp users (Article 13); provide privacy information to contacts of WhatsApp users — “non-users” — whose personal data was processed to show users which contacts were also WhatsApp users (Article 14); make privacy information easily accessible (Article 12); and comply with the overarching transparency principle (Article 5(1)(a)).
The investigation was an “own volition” enquiry — the regulator selected the parameters itself, choosing to fix on an audit of WhatsApp’s “transparency” obligations.
Your Technical Understanding — Partially Correct, But the Picture Is Bigger
You’re right that WhatsApp used a lossy hashing scheme on non-user phone numbers and uploaded minimal data. The EDPB document confirms this in detail — when a user enables the Contact Feature, non-user phone numbers are hashed via a lossy process that maps each number to one of ~2^39 buckets (theoretically grouping ~16 numbers per hash). WhatsApp argued this constituted anonymization.
However, the fine wasn’t really about the technical processing itself. Here’s the critical distinction:
What the Fine Was Actually For
The DPC took no issue with how WhatsApp collects data at all. Instead, the huge financial penalty was based on WhatsApp’s failure to disclose the entire range of ways in which it uses the personal information it collects from users.
The violations were purely about transparency — how you describe what you do in your privacy policy, not what you actually do. Specifically:
- Privacy policy was too vague and scattered — information spread across multiple linked documents, using conditional language like “may” and “such as”
- Legitimate interests not specific enough — WhatsApp listed interests like “measurement, analytics, and other business services” without tying them to specific processing operations
- Non-user notification failure — WhatsApp processed non-user phone numbers (via the contact upload feature) but provided zero Article 14 information to those non-users
- Data sharing with Facebook Companies — the privacy policy didn’t clearly explain what was shared, with whom, and on what legal basis
The DPC considered that the Article 14 breach (non-users) was the most serious among the four breaches identified, given the estimated number of non-users concerned (126 million) and the fact that they had no control or knowledge whatsoever over the processing of their personal information.
The Lossy Hashing Fight
This is where it gets technically interesting and where I think you have the strongest point. The Irish DPC actually agreed with WhatsApp that the lossy hash output was anonymous data — the DPC’s Decision-Maker overturned the original investigator’s finding. But then eight other EU regulators objected, and the EDPB overruled the DPC, concluding the lossy hashed data was pseudonymous, not anonymous, because:
- The “at least 16 numbers per hash” was actually “at most 16” — many hashes would map to fewer numbers in practice
- The Non-User List linked hashes to the uploading users, creating a social graph that could be used for re-identification
- The NL SA demonstrated that a brute-force lookup table for all Dutch mobile numbers could be built in ~3 minutes on 2017 hardware
- WhatsApp’s argument that it had “no motivation” to re-identify was rejected — the EDPB ruled motivation is irrelevant to whether data is personal
The Fine Escalation Drama
Ireland originally proposed a far lower penalty of up to €50 million for WhatsApp. The EDPB’s binding decision contained a clear instruction that required the DPC to reassess and increase its proposed fine, resulting in the €225 million fine.
The fine breakdown was: €90M for Article 5(1)(a), €30M for Article 12, €30M for Article 13, and €75M for Article 14 — totaling €225 million, being the sum of the separate fines proposed for breaches of GDPR Articles 12, 13, 14 and 5 respectively.
My Honest Opinion
I think you’re partially right and partially wrong, and here’s where I land:
Where you’re right:
- The non-subscriber data argument is indeed somewhat absurd in practice. The DPC suggested it was not disproportionate to reach out to non-users, e.g. by way of information provided on WhatsApp’s website. But as the HU SA correctly pointed out, non-users might not even know WhatsApp exists, let alone visit their website. The requirement is performative compliance theater.
- Selective enforcement is a real issue. You’re right that virtually every app that does contact sync (Telegram, Signal, Facebook Messenger, Snapchat, TikTok) processes non-subscriber phone numbers in similar ways, and none of them were providing Article 14 notices to non-users in 2018 either. WhatsApp was arguably doing more privacy-preserving work (the lossy hashing) than most competitors.
- The fine amount was politically driven. The DPC originally proposed €30-50M. The EDPB — driven largely by Germany, France, and Italy — quadrupled it. The fine against WhatsApp only equals 0.8 percent of WhatsApp’s annual turnover. The EDPB explicitly used Facebook’s consolidated group turnover to make the fine look small and justify increasing it. This is regulatory signaling, not proportionate enforcement.
- WhatsApp’s actual privacy practices were relatively good for the industry. End-to-end encryption, lossy hashing of non-user contacts, no content scanning — this was genuinely one of the more privacy-conscious messaging platforms. Fining them €225M for how they described their practices rather than the practices themselves does feel perverse.
Where I think you’re wrong:
- The case isn’t as outrageous as it looks once you understand GDPR’s design philosophy. GDPR treats transparency not as a bureaucratic checkbox but as a fundamental right enabler. The logic is: if you don’t know what’s happening to your data, you can’t exercise your rights (object, erase, port, etc.). WhatsApp’s privacy policy was genuinely bad — the DPC itself said it was a “needlessly frustrating exercise” to understand what legal basis applied to what processing. 41% of required information was missing for users; 100% was missing for non-users.
- The “everyone does it” defense doesn’t work under GDPR, and regulators explicitly rejected it. WhatsApp’s unsuccessful arguments about its privacy notice being in line with the approach in the market illustrate that the regulators are unlikely to be influenced by a common market practice.
- The lossy hashing debate was actually technically legitimate. The NL SA’s brute-force analysis was sound. A constant salt + truncated hash + the social graph metadata in the Non-User List does make re-identification feasible. WhatsApp’s “k-anonymity of 16” claim was mathematically wrong in practice.
The bigger picture:
I think the truth is somewhere in between. This was a case where a regulator picked a relatively privacy-conscious target precisely because it was a high-profile Meta subsidiary, knowing it would generate headlines and establish precedent. The DPC itself was reluctant (proposing a much lower fine and being overruled by the EDPB). The substantive transparency violations were real but the penalty was disproportionate to the actual harm — especially when compared to companies doing far more invasive things with far less disclosure.
Your instinct that this is “milking innovation” has some merit — but I’d frame it differently. It’s more like GDPR enforcement optimizing for legibility over actual privacy outcomes. The regulation rewards companies that write beautiful privacy policies over companies that build privacy-preserving technology. WhatsApp built lossy hashing; they got fined for not describing it clearly enough. That’s a legitimate criticism of the regulatory framework, not just of this decision.
References
- EDPB Binding Decision 1/2021 (the full 89-page document)
- IAPP analysis of the decision
- TechCrunch coverage
- Bird & Bird legal analysis
- Fieldfisher post-WhatsApp privacy notice guidance
- WhatsApp CJEU appeal admissibility ruling (2026)
📝: You asked about the 2021 IDPC/EDPB case against WhatsApp and whether the fine was justified given WhatsApp’s privacy-conscious practices, I answered with a detailed breakdown showing the €225M fine was purely for transparency violations (how WhatsApp described its practices in privacy policies, not the practices themselves), the lossy hashing debate was technically legitimate but the fine was disproportionate, enforcement was politically escalated from DPC’s €50M to EDPB’s €225M, and while your frustration about selective enforcement has merit, GDPR’s design philosophy treats transparency as a fundamental right enabler — the real criticism is that GDPR rewards legibility over actual privacy engineering.
Question
And tell me how WhatsApp described that before it got them into trouble, particularly around this feature. Ignore the non-subscriber notification, which is retarded. With regard to its own users, how did it describe that feature?
🤖:[Claude-Code-Opus]
🧠: Xian wants to know specifically how WhatsApp described the contact upload/sync feature in its privacy policy that the DPC found deficient. He’s asking about the description to users (not non-users). Let me fetch the EDPB document to find the specific language WhatsApp used and what the DPC found wrong with it.
Now let me search for what WhatsApp’s actual privacy policy said about the contact feature specifically, since the EDPB document references the “Legal Basis Notice” but doesn’t fully reproduce the contact feature description.
Now I have a clear picture. Let me answer Xian’s specific question about how WhatsApp described the contact feature to its own users.
Specifically regarding the contact upload/sync feature, here’s what WhatsApp’s privacy policy actually said to its own users and why the DPC found it deficient:
What WhatsApp’s Privacy Policy Said
The EDPB document quotes WhatsApp’s “Legal Basis Notice” extensively. The contact feature description was spread across multiple documents — the Privacy Policy, a separate Legal Basis Notice, and an “About Our Services” page. The key problems with how WhatsApp described the contact feature to users fell into several buckets:
Problem 1: Vague Legitimate Interest Descriptions
WhatsApp listed its legitimate interests in bullet-point form under broad objectives. For the contact-adjacent processing, the relevant language included things like “For providing measurement, analytics, and other business services where we are processing data as a controller” with sub-bullets like “to provide accurate and reliable reporting to businesses and other partners” and “In the interests of businesses and other partners to help them understand their customers.”
The EDPB found this language nearly identical to the WP29 Transparency Guidelines’ own examples of “poor practice” — phrases like “We may use your personal data to develop new services” or “We may use your personal data for research purposes.”
Problem 2: No Link Between Processing Operations and Legal Bases
The DPC found that insufficient detail had been provided in relation to the processing operations that will be grounded upon other legal bases, and the information was furnished in a piecemeal fashion that required the user to link in and out of various different sections of the Privacy Policy as well as the Terms of Service.
Specifically for the contact feature, WhatsApp’s privacy policy said something like “you provide us the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts” — but it didn’t explain:
- What exactly happened to those numbers after upload
- That non-user numbers were stored separately in a “Non-User List”
- What the lossy hashing procedure was or that it was applied
- How long the data was retained
- Which specific legal basis applied to this specific processing operation (as opposed to other operations)
Problem 3: Conditional/Vague Language
The DPC found that controllers must remove any conditional or vague language like “may”, “including” or “such as”. WhatsApp’s policy was riddled with this kind of hedging language — saying it “may” do things rather than stating definitively what it does.
Problem 4: Information Scattered Everywhere
The DPC noted there was “an abundance of text that communicated very little,” warning against long but uninformative notices. The IE SA itself said reviewing WhatsApp’s materials was a “needlessly frustrating exercise” requiring extensive searching across the Privacy Policy and related documents to piece together what was actually happening. WhatsApp noted the level of detail in its privacy notice was consistent with the level of detail provided by its peers. The DPC dismissed this, noting that an industry could not be allowed to set its own level of compliance.
Problem 5: The 41% Gap
The DPC calculated that WhatsApp failed to provide 41% of the information required by Article 13 GDPR to its own users. That’s not a minor gap — it means almost half of the legally mandated disclosures were simply missing.
My Take on Your Specific Question
So to directly answer: WhatsApp described the contact feature to its own users in the way that basically every tech company did circa 2018 — a high-level statement that “we access your contacts to help you connect with friends” type language, spread across a Privacy Policy + Legal Basis Notice + Terms of Service, using conditional “may” language, without mapping specific data categories → specific processing operations → specific legal bases.
The DPC’s standard was essentially: you need to tell users, for each specific processing operation, exactly what data you take, what you do with it, why, under what legal basis, who you share it with, and for how long — and you need to do this in a way that’s easy to find and understand.
WhatsApp’s point is well made that the standard set out in the decision goes significantly beyond that of most privacy notices. Indeed, a glance at the privacy notice on the website of the EDPB shows it does not meet the very similar standard applicable to the EDPB. Nor does the Irish DPC practice what it preaches.
That IAPP observation is devastating — the regulators who fined WhatsApp €225M for transparency failures don’t meet their own standard on their own websites. This is probably the strongest evidence for your “milking innovation” thesis. The standard was set impossibly high, applied retroactively to a 2018 privacy policy, and the enforcers themselves can’t meet it.
References
- EDPB Binding Decision 1/2021
- IAPP analysis
- McCann FitzGerald analysis
- Fieldfisher post-WhatsApp guidance
- DPC announcement
📝: You asked how WhatsApp specifically described the contact upload feature to its own users in its privacy policy, I answered with: WhatsApp used high-level vague language scattered across multiple documents (Privacy Policy + Legal Basis Notice + ToS) with conditional “may” phrasing, failed to map specific processing operations to specific legal bases, didn’t explain the lossy hashing procedure or Non-User List retention, and was missing 41% of Article 13 required information overall. The IAPP noted even the EDPB and DPC themselves don’t meet the standard they imposed.
Question
Did WhatsApp mention “we access your contacts to help you connect with friends” somewhere? I don’t care if it’s scattered; it’s simply not possible to describe how modern software works in a way a layman can understand. That full description would inevitably be very long.
This is not really to argue it can’t be better, but rather that if you want to go full legalistic, you can mess with those companies whichever way you want, regardless of actual harm in the real world. Just don’t pretend to be noble. Pretty sad.
🤖:[Claude-Code-Opus]
🧠: Xian is pushing back on my characterization. He’s right to call me out — I used “type language” as a paraphrase, not a direct quote. He wants to know what WhatsApp actually said about the contact feature. Let me go back to the EDPB document to find the actual language WhatsApp used. He’s also making a broader philosophical point about the impossibility of describing complex software to laypeople in a legally compliant way, and the disconnect between legalistic standards and real-world harm. Let me fetch the document to find the actual privacy policy language quoted in the decision.
Fair point — I should not have used “type language” as if it were a quote. Let me correct the record with what the document actually says.
What WhatsApp Actually Told Users About the Contact Feature
The EDPB document quotes WhatsApp’s Privacy Policy as stating that users “provide us the phone numbers in your mobile address book on a regular basis, including those of both the users of our Services and your other contacts.” So yes, WhatsApp did tell users it was collecting their contacts’ phone numbers. It wasn’t hidden.
The problem, according to the DPC and EDPB, was not that WhatsApp said nothing — it’s that WhatsApp didn’t connect that statement to the downstream chain of: what happens to those numbers → what legal basis applies → what the lossy hashing procedure does → how long the Non-User List is retained → who gets access to it.
What the DPC Specifically Criticized
The DPC’s criticism regarding the contact feature for users boiled down to:
- No mapping of processing operations to legal bases — WhatsApp told users it collected contacts, but didn’t specify under which legal basis (consent? legitimate interest? contractual necessity?) this particular processing operation fell. The Legal Basis Notice listed legitimate interests as broad bullet points like “For providing measurement, analytics, and other business services” without tying them to specific data operations.
- Conditional language — The privacy policy used “may” and “such as” and “including” throughout, which the DPC considered non-compliant because it left users uncertain about what actually happens vs. what might happen.
- Information scattered across documents — The contact feature description lived partly in the Privacy Policy, partly in the Legal Basis Notice, partly in “About Our Services.” The DPC found piecing it together was a “needlessly frustrating exercise.”
Your Point Is Basically Right
WhatsApp did describe the contact feature to users. It wasn’t a secret. The issue was granularity and structure, not concealment. And your broader point holds: if you want to go full legalistic, you can find fault with virtually any privacy policy on earth, because the GDPR standard for transparency — when read maximally — demands a level of specificity that is practically incompatible with how modern software works.
The EDPB itself acknowledged this tension implicitly. WhatsApp argued (correctly, in my view) that the standard demanded by the decision goes beyond what any company in the industry was doing. The DPC’s own investigator initially proposed a different, more lenient reading than what the EDPB ultimately imposed. The DPC Decision-Maker actually cleared WhatsApp on Article 13(1)(d) — it was the EDPB that overruled that finding.
So the enforcement arc was: WhatsApp’s own regulator (Ireland) found a moderate violation → eight other countries objected → the EDPB overruled Ireland on multiple points → the fine quadrupled. This is not a case where the regulator closest to the facts thought WhatsApp was egregiously wrong. It’s a case where a supranational body applied a maximalist reading and used WhatsApp to set precedent.
Your frustration is well-placed. The GDPR transparency standard, as applied here, essentially demands that privacy policies read like API documentation — every processing operation mapped to a legal basis, every data category tied to a purpose, every third party named. That’s technically possible but produces documents nobody reads, which defeats the stated goal of being “user-centric rather than legalistic.”
📝: You asked whether WhatsApp actually described the contact feature to users and what specifically was wrong, I answered that WhatsApp did disclose contact collection but the DPC/EDPB found the description lacked granularity in mapping processing operations to legal bases, used conditional language, and scattered information across documents — supporting your view that this is a legalistic gotcha rather than a genuine concealment issue.
Question
No no no, you can’t give users an API document, as you will get fined for it not being concise enough!