Share this article on:
WhatsApp has been fined €225 million ($265 million) by the Irish Data Protection Commission (DPC) for violations of the EU General Data Protection Regulation’s (GDPR) requirements for transparency about the processing of the personal data of EU data subjects.
The DPC launched an inquiry into WhatsApp in December 2018 which was focused on a narrow aspect of GDPR compliance, which solely looked at compliance with the data processing transparency requirements of the GDPR.
The DPC identified several “severe” violations of the GDPR. The violations included a lack of transparency about the sharing of personal data of app users with companies owned by its parent company Facebook, a failure to provide users and non-users of its app with clear, transparent, or sufficient information about the level of data processing, a lack of sufficient granularity regarding the legal basis for some of the data processing activities, and WhatsApp’s statement about the transfer of data to non-EEA jurisdictions was deemed to be adequate. The DPC determined WhatsApp had failed to meet the transparency requirements of Articles 12-14 of the GDPR and issued a draft decision in December 2020 suggesting a financial penalty of between €30-€50 million to resolve the case.
The Irish DPC is the lead supervisory authority in the EU as WhatsApp and its parent company Facebook have their European base in Dublin, Ireland; however, since the data processing activities of WhatsApp spans several countries, the draft decision of the DPC was reviewed by other supervisory authorities in the EU. 8 of those supervisory authorities objected to the DPC’s draft decision and called for a far greater financial penalty to be imposed.
The objections were referred to the European Data Protection Board (EDPB) as the Irish DPC was unable to reach an agreement with the objecting supervisory authorities. According to the EDPB, “This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision.”
The EDPB determined that the turnover of Facebook should have been taken into consideration when determining an appropriate GDPR fine since the DPC had presented both Facebook and WhatsApp as a single undertaking in the draft decision. The total turnover of both the parent company and the subsidiary therefore needed to be considered. The failure to ensure transparency was determined to be in violation of Article 5(1)(a) of the GDPR due to the “gravity and the overarching nature and impact of the infringements.”
Following the ruling of the EDPB, the DPC increased the financial penalty fourfold. In addition to the financial penalty, WhatsApp has been ordered to bring its data processing in line with the GDPR.
WhatsApp has issued a statement announcing its intention to appeal the fine. The appeals process is likely to take some time, so it may well be years before the fine is actually paid.
The financial penalty is the highest ever imposed by the Irish DPC to resolve GDPR violations. Should the penalty stand, it will be the second largest fine to resolve GDPR violations to date, behind the €746 million financial penalty imposed on Amazon by the Luxembourg supervisory authority in July. That penalty is also being appealed.