
WhatsApp fined $267m for violating GDPR


WhatsApp Ireland Ltd. has been fined $267 million (€225 million) by Ireland’s Data Protection Commission (DPC) over non-compliance with the European Union’s General Data Protection Regulation (GDPR).

The Irish DPC announced that it had concluded a GDPR investigation into WhatsApp Ireland Ltd., which started on 10th December 2018 and examined whether WhatsApp discharged its GDPR transparency obligations with respect to the “provision of information and the transparency of that information to both users and non-users of WhatsApp’s service”. This included the processing of information between WhatsApp and other companies owned by its parent company, Facebook. In essence, WhatsApp was fined because it failed to inform its users how WhatsApp data could be used by Facebook for other purposes.

On what basis was WhatsApp fined

As mentioned before, the investigation began on 10th December 2018, and following an initial investigation, it was reported that the Irish officials wanted to fine WhatsApp €50 million (approx. $59 million). However, the initial fine was vetoed by other data protection agencies that are a part of the European Data Protection Board (EDPB). The EDPB, which is considered the “watchdog” of data privacy in the EU, also made Irish regulators assess other GDPR violations by WhatsApp, thus resulting in the much higher fine announced yesterday.

“On 28 July 2021, the European Data Protection Board (EDPB) adopted a binding decision and this decision was notified to the DPC. This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision and following this reassessment the DPC has imposed a fine of €225 million on WhatsApp.”

via the DPC announcement published on September 2, 2021

To summarize the findings of the DPC, WhatsApp is in violation of 4 GDPR articles:

“Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject (lawfulness, fairness, and transparency)”

“Transparent information, communication and modalities for the exercise of the rights of the data subject”

“Information to be provided where personal data are collected from the data subject”

“Information to be provided where personal data have not been obtained from the data subject”

Full report released

The DPC and EDPB have released a full report about the decision to fine WhatsApp over its non-compliance with the above-mentioned GDPR provisions. As per the report, the breakdown of the fine is as follows:

  • €90 million for the violation of Article 5(1)(a)
  • €30 million for the violation of Article 12
  • €30 million for the violation of Article 13
  • €75 million for the violation of Article 14

A detailed breakdown of the issues is given below:

Source: The Record

Max Schrems, an Austrian lawyer, activist, and the chair of, put out a statement about the decision of the DPC. It is well known that noyb and Schrems have a number of cases pending before the DPC (including the one on WhatsApp) and have been closely monitoring the situation of the DPC since 2011.

“We welcome the first decision by the Irish regulator. However, the DPC gets about ten thousand complaints per year since 2018 and this is the first major fine. The DPC also proposed an initial €50 million fine and was forced by the other European data protection authorities to move towards €225 million, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover. This shows how the DPC is still extremely dysfunctional.”

via a statement issued by Max Schrems and noyb

It is to be noted that this is the biggest fine issued by the Irish regulators, and the second-biggest fine issued for violating GDPR provisions after Amazon’s $886 million fine by Luxembourg’s National Commission for Data Protection in July 2021.

In a canned statement by WhatsApp, the tech company claims that the decision reflects their situation in 2018, and not in 2021. They also said that they plan to appeal against the decision by the DPC.

About the author

Arjun Ramprasad

Arjun Ramprasad is an undergraduate law student from Symbiosis Law School, Hyderabad with a flair for anything technology. If not here, you can find him performing on various stages as a percussionist.
