Facebook-owned messaging platform WhatsApp has been fined €225m (£193.4m/$266.6m) by Ireland’s Data Protection Commissioner (DPC) over breaches of the European Union’s (EU) General Data Protection Regulation (GDPR).
One of the largest sanctions issued under the GDPR, and the largest to date in Ireland, the fine comes at the end of an investigation dating back to December 2018, over allegations that WhatsApp had failed to discharge its transparency obligations with regard to the provision of information, and the transparency of same, to users and non-users of its service.
This included information provided to data subjects about how data was processed between WhatsApp and other Facebook properties.
As the lead supervisory authority for WhatsApp within the EU, the DPC had submitted a draft decision on its investigation nearly 12 months ago.
But following objections from other concerned supervisory authorities (CSAs) in Europe, a dispute resolution process was triggered.
This process has now been resolved following the adoption of a binding decision by the European Data Protection Board (EDPB), dated to 28 July 2021.
This binding decision, which can be read in full here, instructed the DPC to substantially increase the fine, which has now been done.
The DPC has also imposed a reprimand, and ordered WhatsApp to bring its data-processing activities into compliance through a number of remedial actions.
In statements to the media, WhatsApp, which had set aside more than €70m in anticipation of a fine, said it disagreed with the DPC’s sanctions, which it described as “entirely disproportionate”. The firm said it had done its utmost to ensure it offered users transparent and comprehensive information, and that it would appeal the decision.
John Magee, who heads up the privacy, data protection and security practice at law firm DLA Piper’s Irish office, said: “The decision was not the DPC’s alone and showed the EU’s complex consistency and dispute resolution processes at work.
Read more about Facebook and data regulation Latest twist in long-running legal battle sees Facebook lose legal bid to prevent the Irish Data Protection Commissioner suspending its transfer of data about European citizens to the US. The Irish Data Protection Commission has launched an ‘own volition’ inquiry into the leak of data from 500 million Facebook profiles. An opinion from the European Court of Justice has the potential to lead to a flood of privacy complaints against Facebook if upheld. “An eye-catching aspect of that process was the increase in the size of the fine from a range of €30m to €50m first proposed by the DPC. The fine highlights the importance of compliance with the GDPR’s rules on transparency in the context of users, non-users and data sharing between group entities.”
Ioannis Fragkoulopoulos, customer security director at Obrela Security Industries, added: “WhatsApp’s privacy terms and conditions have come under scrutiny frequently in the past and the company has had to defend its terms and conditions many times, with users leaving the platform because of ambiguities and policy changes.
“This fine shows just how serious the Irish government is around transparency. When consumers sign up to platforms, they need to understand exactly how their data will be used and if it will be shared with third parties. This fine will reinforce the importance of this and act as a warning to other companies to be more transparent.”
However, while welcoming the regulator’s decision, noyb.eu chair and activist lawyer Max Schrems, who has several cases before the DPC in Ireland, said the fine needed to be put in perspective.
“The DPC gets about 10,000 complaints per year since 2018 and this is the first major fine,” said Schrems. “The DPC also proposed an initial €50m fine and was forced by the other European data protection authorities to move towards €225m, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover. This shows how the DPC is still extremely dysfunctional.”
In a statement, Schrems said he would be monitoring proceedings closely as it was highly likely that this case will be tied up in the Irish courts for some time to come.
“WhatsApp will surely appeal the decision,” he said. “In the Irish court system, this means that years will pass before any fine is actually paid. In our cases, we often had the feeling that the DPC is more concerned with headlines than with actually doing the hard groundwork.
“It will be very interesting to see if the DPC will actually defend this decision fully, as it was basically forced to make this decision by its European counterparts.”