The Data Protection Commission (DPC) has fined WhatsApp Ireland €225 million for violating data protection rules.
It is the largest fine ever imposed by a DPC and the second largest penalty imposed on any organization under EU data laws.
The regulator also ordered the messaging service to make its processing compliant by taking a set of specific corrective actions.
WhatsApp said it did not agree with the decision, claimed the penalties were completely disproportionate and stated that it would appeal the ruling.
The DPC acts as the main supervisory authority for WhatsApp across Europe.
The investigation was launched by the DPC three years ago, after the European Union brought new rules on data protection into effect.
We need your consent to download this rte-player contentWe use the RTE operator to manage additional content that can set cookies on your device and collect data about your activity. Please review their details and accept them to upload content.Manage Preferences
The inquiry examined whether WhatsApp has fulfilled its obligations under the General Data Protection Regulation (GDPR) regarding the provision of information and the transparency of that information to both users of WhatsApp services and non-users.
This included the transparency of information provided to users about the processing of their data between WhatsApp and other Facebook companies.
In December last year, having concluded its investigation, the DPC sent a draft of its decision to other European data regulators for consideration, in accordance with the requirements of the General Data Protection Regulation (GDPR).
However, eight of about 40 of these authorities did not agree to the draft conclusions, including the DPC’s proposed fine of up to 50 million euros.
As the DPC was unable to reach consensus with other regulators on how to proceed, the case was referred to the European Data Protection Board (EDPB) earlier this summer and issued its binding ruling at the end of July that the DPC must now enforce.
“This decision contained clear instructions asking the DPC to re-evaluate and increase the proposed fine based on a number of factors included in the EDPB decision and after this re-evaluation, the DPC imposed a fine of €225 million on WhatsApp.” DPC said in a statement.
“In addition to imposing an administrative fine, the DPC has also imposed a reprimand along with WhatsApp’s order to make its processing compliant by taking a set of specific corrective actions.”
However, WhatsApp Ireland, which previously set aside €77.5 million for a possible fine, said it did not agree with the decision and was committed to providing a secure and private service.
A WhatsApp spokesperson said: “We have worked to ensure that the information we provide is transparent and comprehensive and will continue to do so.”
“We disagree with the decision today about the transparency we gave people in 2018 and the penalties are completely disproportionate. We will appeal that decision,” she added.
An appeal can be made either to the Irish High Court or directly to the European Court of Justice, and is likely to focus on the size of the fine.
We need your consent to download this rte-player contentWe use rte-player to manage additional content that can set cookies on your device and collect data about your activity. Please review their details and accept them to upload content.Manage Preferences
It is also understood that the company feels that the fine is not in line with previous GDPR-related fines.
Under the regulation, companies can face fines of up to 20 million euros or 4% of the previous year’s total annual global turnover, which is higher.
The biggest fine in GDP to date, around 746 million euros, was slapped over the summer on Amazon by authorities in Luxembourg.
In 2019, Google was fined 50 million euros by the French data protection authority for its lack of transparency, insufficient information and a lack of valid consent in the allocation of ads.
Fines return to the treasury of the countries in which they are collected.
The Data Protection Commission has come under constant criticism from other data protection regulators in Europe for not taking sufficiently tough action against big tech companies operating outside Ireland.
Last December it fined Twitter €450,000 for the data breach, its first major financial penalty imposed on a large multinational tech company.
According to its latest annual report, DPC has a large number of investigations underway into other major tech companies, including multiple inquiries into Facebook, Apple, Instagram, Google and Twitter.
“Spécialiste de la télévision sans vergogne. Pionnier des zombies inconditionnels. Résolveur de problèmes d’une humilité exaspérante.”