WhatsApp has been hit by a €225m fine by Ireland’s Data Protection Commission (DPC) for failing to discharge GDPR transparency obligations.
The DPC made the announcement today following the conclusion of an investigation that began in December 2018. This examined whether the popular messaging app “has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of its service.”
This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.
The DPC submitted its draft decision to other data protection authorities (DPAs) across the EU under Article 60 of the GDPR in December 2020, receiving objections to its proposed actions from eight DPAs. As no consensus could be found, the dispute resolution process under Article 65 of the GDPR was triggered on June 3, 2021.
The European Data Protection Board (EDPB) then adopted a binding decision on the case, instructing the DPC to reassess and increase its proposed fine. This decision was based on a number of factors, including the size of Facebook’s global annual turnover, with the EDPB stating that “the proposed fine does not adequately reflect the seriousness and severity of the infringements nor has a dissuasive effect on WhatsApp IE.”
Following its reassessment, the DPC has now imposed a fine of €225m on WhatsApp, in addition to a reprimand and “an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.” In total, WhatsApp must comply with eight actions within three months, one of which is an obligation to remind users of their GDPR rights.
The decision represents the second highest financial penalty recorded for violating GDPR rules, behind the $886m fine issued to Amazon earlier this year for allegedly breaking European Union data protection laws.
Reacting to the decision, legal firm Cordery Compliance stated: “Transparency continues to be a key focus for DPAs across Europe. Organizations need to be clear over how they process data and they need to be honest about their data processing practices. Sometimes the transparency obligations under GDPR can be difficult to meet – especially in cases like this where WhatsApp was also processing data on non-users with whom it did not have a direct relationship. Just because this is hard, however, it doesn’t mean the obligations can simply be ignored.”
Jonathan Armstrong, partner at Cordery, expects to see more fines of this nature going forward: "This case shows us that data protection regulators in many EU countries are serious about data protection and that many are keen to raise the level of fine. It also shows us that data protection is not just about infosec — transparency is a key theme of a lot of GDPR enforcement at the moment and that's the central theme of the three highest GDPR fines. But that doesn't mean we can take the foot off the pedal on security. There are some big cases around at the moment and this won't be the last high fine we'll see."
Ioannis Fragkoulopoulos, customer security director, Obrela Security Industries, commented: “WhatsApp’s privacy terms and conditions have come under scrutiny frequently in the past and the company has had to defend its terms and conditions many times, with users leaving the platform because of ambiguities and policy changes. This fine shows just how serious the Irish government is around transparency. When consumers sign up to platforms, they need to understand exactly how their data will be used and if it will be shared with third parties. This fine will reinforce the importance of this and act as a warning to other companies to be more transparent.”
In May, a German privacy watchdog ruled that WhatsApp's privacy policy, which was updated in January 2021 to ask its users to grant WhatsApp additional powers to share their data with its parent company, Facebook, was in breach of European data protection rules.