WhatsApp Ireland Ltd. has been fined $267 million (€225 million) by the country’s Data Protection Commission (DPC) over non-compliance with the European Union’s General Data Protection Regulation (GDPR).
In an announcement by the Irish DPC, it concluded a GDPR investigation into WhatsApp Ireland Ltd., which started on 10th December 2018, where it examined whether WhatsApp discharged its GDPR transparency obligations with respect to the “provision of information and the transparency of that information to both users and non-users of WhatsApp’s service”. This even included the processing of information between WhatsApp and other companies owned by its parent company, Facebook. This essentially meant that WhatsApp was fined because it failed to inform its users how WhatsApp data could be used by Facebook for other purposes as well.
On what basis was WhatsApp fined
As mentioned before, the investigation began on 10th December 2018, and following an initial investigation, it was reported that the Irish officials wanted to fine WhatsApp €50 million (approx. $59 million). However, the initial fine was vetoed by other data protection agencies that are a part of the European Data Protection Board (EDPB). The EDPB, which is considered the “watchdog” of data privacy in the EU, also made Irish regulators assess other GDPR violations by WhatsApp, thus resulting in the much higher fine announced yesterday.
To summarize the findings of the DPC, WhatsApp is in violation of 4 GDPR articles:
- Article 5(1)(a), which states that
“Personal data shall be processed lawfully, fairly, and in a transparent manner in relation to the data subject (lawfulness, fairness, and transparency)”
- Article 12, which talks about
“Transparent information, communication and modalities for the exercise of the rights of the data subject”
- Article 13, which talks about
“Information to be provided where personal data are collected from the data subject”
- and Article 14, which talks about
“Information to be provided where personal data have not been obtained from the data subject”
Full report released
The DPC and EDPB have released a full report about the decision to fine WhatsApp over the non-compliance with the above-mentioned GDPR provisions. As per the report, the breakup of the fine is as follows:
- €90 million for the violation of Article 5(1)(a)
- €30 million for the violation of Article 12
- €30 million for the violation of Article 13
- €75 million for the violation of Article 14
A detailed breakup of the issues are given below:
Max Schrems, an Austrian lawyer, activist, and the chair of noyb.eu, put out a statement about the decision of the DPC. It is well known that noyb and Schrems have a number of cases pending before the DPC (including the one on WhatsApp) and have been closely monitoring the situation of the DPC since 2011.
It is to be noted that this is the biggest fine issued by the Irish regulators, and the second-biggest fine issued for violating GDPR provisions after Amazon’s $886 million fine by Luxembourg’s National Commission for Data Protection in July 2021.
In a canned statement by WhatsApp, the tech company claims that the decision reflects their situation in 2018, and not in 2021. They also said that they plan to appeal against the decision by the DPC.