WhatsApp Facing Potential €50m GDPR Penalty for Transparency Failings

Following a preliminary judgement released by the Data Protection Commission (DPC) in Ireland, which has been shared with other European Union-based data protection regulation bodies for further review, WhatsApp may be sanctioned with a penalty of up to €50m for breach the transparency requirement of the General Data Protection Regulation.

The DPC has published the judgement, and accompanying report, revealing the breach which is linked to the messaging platform not adequately advising European-Union based users in relation to how data gathered in relation to them would be shared.

The amount of the penalty is currently under review, due to the consultation with the EU data protection agencies but could be the largest penalty associated with GDPR to date. AS per the GDPR legislation, which became enforceable on May 25 2018, a fine of between €30m and €50m may be applied for this breach. In addition to this a directive may be issued that will force Whatsapp to introduced new measures, and change to existing process, relating to how it manages users’ data, particularly in relation to how users are informed of how their private data will be used.

The consultation with the other EU data regulation authorities must take place due to the requirement that multinational companies with possible breaches of GDPR  are considered cross-border. They must be reviewed by a lead supervisory authority, in this case the DPC, before a ruling will be considered by all relevant bodies.

The DPC said: “The DPC has provisionally concluded this investigation and we sent a draft decision to our fellow EU Data Protection Authorities on December 24, 2020 (in accordance with Article 60 of the GDPR in order to commence the co-decision-making process) and we are waiting to receive their comments on this draft decision. When the process is completed and a final decision issued, it will make clear the standard of transparency to which WhatsApp is expected to adhere as articulated by EU Data Protection Authorities.”

It was reported by the Irish Times that WhatsApp has set aside €77.5m in its budget to cover possible GDPR fines. WhatsApp is owned by Facebook and this ruling represents the latest action taken against the social media giant in relation to breaches of the data privacy legislation. Other actions taken against Facebook, and it’s subsidiaries, around the world include: