The Irish Data Protection Commission (DPC) has imposed a record €225 million ($267m) financial penalty on WhatsApp for ‘severe’ violations of the EU General Data Protection Regulation (GDPR).
WhatsApp, which is owned by Facebook, is the most popular messaging application worldwide with approximately 2 billion active users a month and the third most popular social media network behind Facebook and YouTube. Since its parent company has its European base in Dublin, Ireland, the DPC is the lead data privacy regulator within the European Union and is responsible for enforcing compliance with the GDPR.
An investigation was launched in December 2018 into the transparency of personal data sharing between WhatsApp and other Facebook companies. The investigation took two years to conclude, with the initial decision issued in December 2020.
Several complaints had been filed with the DPC over alleged WhatsApp privacy issues, but the investigation from which the financial penalty stemmed was particularly narrow in scope. The DPC conducted an ‘own volition enquiry’ into WhatsApp which was only concerned with the transparency obligations of WhatsApp under the GDPR regarding the processing of app users’ personal data.
This requirement of the GDPR calls for all companies that collect or process the personal data of EU residents to have clear, open, and honest privacy policies and practices, and requires them to clearly tell users of their products and/or services how personal data will be collected, used, and shared and to obtain clear and informed consent. The DPC identified several severe transparency issues related to Articles 5(1)(a), 12, 13, and 14 of the GDPR.
The DPC has received criticism in the past over its investigation of data privacy issues at large tech companies, in terms of the time taken to complete investigations and the fines imposed when GDPR violations are discovered. After the DPC announced the findings of its investigation, data protection authorities in eight other EU member states triggered a dispute resolution mechanism and provided clear instruction to the DPC to reassess and increase the proposed financial penalty on several grounds due to the severity of the privacy violations. Initially, the DPC had proposed a financial penalty of up to €50 million to resolve the GDPR violations.
The DPC has now announced that WhatsApp has been fined €225 million to resolve the GDPR violations discovered in its investigation, making this the largest ever financial penalty imposed by the DPC to resolve GDPR violations, although it falls well short of the €746 million GDPR penalty imposed on Amazon by the Luxembourg Data Protection Authority – Commission Nationale pour la Protection des Données (CNPD) this year.
In addition to the financial penalty, WhatsApp is required to ensure any processing of the personal data of EU residents that use its messaging app is in line with the requirements of the GDPR. WhatsApp has been given 3 months to take all the recommended remedial actions.
WhatsApp has disputed the findings of the DPC investigation and said the financial penalty is “entirely disproportionate” and stated it will appeal the financial penalty. “WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision,” said WhatsApp in a statement about the GDPR enforcement action.
The financial penalty is significant, although it is a fraction of the maximum fine that could have been imposed, which is 4% of global annual turnover for the previous financial year. The fine amounts to just 0.08% of Facebook’s turnover so it is a drop in the ocean for the social media giant. The remedial actions required by the DPC are likely to be far more significant for WhatsApp since the processing and sharing of users’ personal data comprises a significant part of Facebook’s – and WhatsApp’s – business model.