It may take some time, but the €225 million fine imposed on WhatsApp Ireland this week is the second largest penalty ever imposed for breaching the EU’s General Data Protection Regulation (GDPR).
Certainly, this is a drop in the ocean for an entity in the Facebook “family of companies”, as the parent company refers to the overall group.
And yes, the Irish Data Protection Commission (DPC) initially proposed a fine of €50 million before being forced by the European Data Protection Board (EDPB) to up the ante.
WhatsApp has disputed the findings of the DPC and EDPB and the size of the fine, which it may be able to reduce on appeal.
But the latest 250-page decision by Data Protection Commissioner Helen Dixon, dated August 20 but published this week, could be significant for GDPR implementation across the bloc and its interaction with powerful “big tech” companies across the EU.
As US privacy expert Omar Tenney told the magazine, the fine and its global context emphasize “the need for companies to develop strategies for privacy, compliance and risk mitigation programmes.”
While the dispute between the Irish DPC and the EDPB over the calculation of the fine took center stage after the decision was published this week, the vast majority of Dixon’s findings were not contested by the other European supervisory authorities on the board.
The findings also seem to reveal a lot about WhatsApp Ireland’s approach to transparency obligations under the GDPR so far – and leave no doubt about the seriousness of the breaches involved.
Most of Dixon’s findings are based on rights under Article 13 of the General Data Protection Regulation (GDPR).
It’s very simple and basic: data controllers (in this case WhatsApp Ireland) are required to provide data subjects (WhatsApp users) with clear information about how their data is stored and used, the categories of data that are processed and for what purpose.
On these fronts, the Irish DPC found that WhatsApp Ireland fell short, and badly so in some cases.
The investigation itself did not look at how or why WhatsApp Ireland shared user data with other Facebook companies. It focused only on how much clear information the messaging app provides to users and non-users about its data practices.
On that front, some of the information provided by WhatsApp was described as “unnecessarily vague” and “unspecified” in the report.
Users are often required to navigate multiple links to access the materials they are looking for on the WhatsApp website.
“At the end of this exercise,” the report continues, “the use of qualified language leaves the reader wondering what exactly ‘Facebook companies’ mean.”
Perhaps the most serious finding of the investigation relates to the company’s obligation to inform users of the purpose and legal basis for data processing.
The DPC found that the company often relies on multiple legal bases to “establish” certain processing operations.
For its part, WhatsApp said it was transparent by noting that it relies on different legal bases to process user data “in different circumstances”.
But Dixon wrote in her decision that it was “surprising” that WhatsApp considered “patent opacity to be transparency,” given the clarity of the European Union’s transparency guidelines.
The DPC found that WhatsApp not only violated its obligations to users, but that non-users were similarly, if not more seriously, affected.
This is because when a WhatsApp user turns on the app’s ‘calling feature’, which allows them to add their friends’ phone numbers to their contact list on the app, they enable WhatsApp to access those details, even the numbers of non-users.
By appeal, WhatsApp told the DPC that it does not process the phone numbers of non-users as a data controller but as a data processor on behalf of the users.
When this happens, these numbers are stored for a brief period before deletion and no other information that could potentially identify a non-user is obtained.
But the DPC found that absolutely no information was given to non-users about this process by WhatsApp, nor were they told of its purpose.
One consequence of this lack of transparency is that a non-user who is considering signing up for WhatsApp has no knowledge that, once registered, their contact details will automatically appear in other users’ contact lists.
And the DPC found that non-users who later became WhatsApp users were ‘marked’.
WhatsApp has been asked to rectify this by providing relevant information to non-users in a concise, transparent, understandable and easily accessible form, using clear and plain language.
Perhaps unsurprisingly, the row between Dixon’s office and the EDPB over calculating the fine has been a primary focus in the hours since the decision was published this week.
Helen Dixon and her office have, after all, been placed under intense scrutiny due to their workload and importance as the leading European regulator for many multinational companies headquartered in Ireland.
Regardless, the WhatsApp decision itself should make it clear to companies like Facebook exactly what their transparency obligations under the General Data Protection Regulation (GDPR) are.
“Combined with a €746 million GDPR fine against Amazon in Luxembourg, the Irish data protection regulatory fine in the WhatsApp case is creating a perfect storm for global companies as they struggle to make sense of the increasingly complex and fractured legal landscape,” Omar Tine told the magazine.
“Three years after the GDPR went into effect, the drumbeat of multi-million-euro fines heralds a new era of data protection enforcement — and compliance.”