The Data Protection Commission (DPC) has fined WhatsApp Ireland €225m for infringements of data protection rules.
It is the largest fine ever imposed by the DPC and the second largest penalty ever levied on an organisation under EU data laws.
The regulator has also ordered the messaging service to bring its processing into compliance by taking a range of specified remedial actions.
Unsurprisingly, WhatsApp has said it disagrees with the decision, claims the penalties are entirely disproportionate and has stated it will appeal the ruling.
The probe was launched by the DPC three years ago, after new rules on data protection were brought into force by the EU. The inquiry examined whether WhatsApp had met its obligations under the General Data Protection Regulation (GDPR) regarding the provision of information and the transparency of that information to both users and non-users of WhatsApp’s services.
This included the transparency of information provided to users about the processing of their data between WhatsApp and other Facebook companies.
In December of last year, having concluded its investigation, the DPC sent its draft decision to other European data regulators for consideration, as required by the GDPR.
However, eight of around 40 of those authorities disagreed with the draft conclusions, including the DPC’s proposed fine of up to €50m.
Because the DPC was not able to reach a consensus with the other regulators on how to proceed, the case was referred to the European Data Protection Board (EDPB) earlier this summer and it made its binding ruling at the end of July which the DPC must now enforce.
“This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision and following this reassessment the DPC has imposed a fine of €225 million on WhatsApp,” the DPC said in a statement.
“In addition to the imposition of an administrative fine, the DPC has also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.”
However, WhatsApp Ireland, which had previously set aside €77.5m for a possible fine, has said it does not agree with the decision and is committed to providing a secure and private service.
“We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” said a WhatsApp spokesperson.
“We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision,”
An appeal can be made either to the Irish High Court or directly to the European Court of Justice, and would likely focus on the size of the fine.
The company is also understood to feel that the fine is out of step with previous GDPR related fines.
Under the regulation, firms can face fines of up to €20m or 4% of total annual global turnover the preceding year, which is higher.
The largest GDPR fine to date, some €746m, was imposed during the summer on Amazon by authorities in Luxembourg.
In 2019, Google was fined €50m by the French data protection authority for lacking transparency, inadequate information and lack of valid consent in ad personalisation.
Fines go back to the exchequer of the countries in which they are levied.
We track anonymized user information to improve our website.
Because we respect your right to privacy, you can choose not to allow some types of cookies and processing. Click on the different category headings to find out more and change our default settings. Not allowing some types of cookies may impact your experience of our Services and what we are able to offer.
In order to use this website we use the following technically required cookies
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in. Loss of the information stored in a preference cookie may make the website experience less functional but should not prevent it from working.
This cookie enable us to detect the country of which you are visiting from.
These cookies may be set through our Services by our partners. Some have functional purposes such as capping the number of times you see an ad within a short span of time, but most, through uniquely identifying your browser and the device you use to access our Services and the processing of other information, will build a profile of your interests and show you ads more relevant to them, inferred from your browsing activity. If you do not allow these cookies, you will still receive ads but they will be less targeted and less likely to be relevant to your interests.