Ireland fines WhatsApp €225m for breaking EU data protection rules


Ireland’s Data Protection Commission (DPC) has fined WhatsApp €225 million for breaking EU rules on user privacy.

The authority said that WhatsApp Ireland had failed to provide the necessary data protection information to users.

It’s the largest fine ever issued by the DPC and the second-largest imposed on an organisation under EU data protection laws.

The Facebook-owned messaging platform was also cited for failing to meet its “transparency obligations”.

Why was WhatsApp fined?

The initial fine given to WhatsApp was increased by the European Data Protection Board due to “a number of factors”, the DPC added.

The body, which is the lead data privacy regulator for Facebook within the European Union, said the issues related to whether WhatsApp conformed in 2018 with EU data rules about transparency.

“This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies,” the Irish regulator said in a statement.

A WhatsApp spokesperson said in a statement that the issues in question related to policies in place in 2018.

“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” the spokesperson said.

What does the ruling say?

The decision by the DPC released on Thursday reads:

“An administrative fine, pursuant to Articles 58(2)(i) and 83, addressed to WhatsApp, in the amount of €225 million. For the avoidance of doubt, that fine reflects the infringements that were found to have occurred, as follows: i. In respect of the infringement of Article 5(1)(a) of the GDPR, a fine of €90 million; ii. In respect of the infringement of Article 12 of the GDPR, a fine of €30 million; iii. In respect of the infringement of Article 13 of the GDPR, a fine of €30 million; and iv. In respect of the infringement of Article 14 of the GDPR, a fine of €75 million.”

But what does this actually refer to?

5(1)(a) – WhatsApp failed to process users’ personal data in a lawful, fair and transparent way.

12 – WhatsApp failed to provide information on how data is collected “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”. This includes making information easy for a child to understand if the information is addressed to them.

13 – WhatsApp failed to inform users where data was stored, the details of someone users can contact, the purposes for which data was collected, and who receives the data.

14 – WhatsApp failed to inform users when their personal data was obtained and processed from third parties and where this data came from.

How did it get to this?

The DPC has been criticised in the past by other European regulators for taking too long to reach decisions involving tech giants and for not fining them enough for any breaches.

Data regulators from eight other European countries triggered a dispute resolution mechanism after Ireland shared its provisional decision in relation to the WhatsApp inquiry, which started in December 2018.

In July, a meeting of the European Data Protection Board issued a “clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained”, the Irish regulator said.

“Following this reassessment the DPC has imposed a fine of €225 million on WhatsApp,” it said.

What happens now?

The Irish regulator also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking “a range of specified remedial actions”.

The Irish regulator had 14 major inquiries into Facebook and its subsidiaries WhatsApp and Instagram open as of the end of last year.

WhatsApp has also been ordered to take a number of actions to bring its data policies in line with strict EU regulations.

WhatsApp said the fine was “entirely disproportionate” and that it would appeal.