WhatsApp was hit with a €225 million fine for violating the General Data Protection Regulation (GDPR), the European Union’s sweeping data protection law that has been in effect for more than three years.
The fine is the highest penalty ever levied by the Irish Data Protection Commission, which serves as the primary data protection authority for WhatsApp and its parent company Facebook, whose EU headquarters are in Ireland. It is also the second-highest penalty ever issued for GDPR violations. The highest, issued to Amazon by Luxembourg’s National Commission for Data Protection, was a massive $886 million.
WhatsApp said it disagreed with the Irish Data Protection Commission’s (DPC) findings, which were based on an investigation, begun in December 2018, into whether WhatsApp failed to transparently tell both users and non-users how their data was handled.
“We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” WhatsApp said in response to the penalty. “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”
Interestingly, the Irish DPC said that, when it shared its findings with other EU member-states’ own data regulators, eight of those regulators disagreed. During a follow-on dispute resolution process, the Irish DPC was told that it should actually increase its initial penalty amount.
Max Schrems, the legal activist who has arguably proven to be the largest thorn in Facebook’s side, welcomed the Irish DPC’s decision but warned of a likely prolonged legal battle ahead, as WhatsApp will probably fight the penalty in court.
“In the Irish court system this means that years will pass before any fine is actually paid. In our cases we often had the feeling that the DPC is more concerned with headlines than with actually doing the hard groundwork,” Schrems wrote. “I can imagine that the DPC will simply not put many resources on the case or ‘settle’ with WhatsApp in Ireland. We will monitor this case closely to ensure that the DPC is actually following through with this decision.”
“[T]he information that has been provided, regarding WhatsApp’s relationship with the Facebook Companies and the data sharing that occurs in the context of that relationship, is spread out across a wide range of texts and a significant amount of the information provided is so high level as to be meaningless,” the Irish DPC said. In a similar set of findings regarding WhatsApp’s data-sharing relationship with Facebook, the Irish DPC said “it is unsatisfactory that the user has to access information as to the identity of the Facebook Companies on Facebook’s website and for the information to be broken up over three or four different ‘articles’ that each link back to one another in a circular fashion. There is no reason why this information could not be hosted, in a concise piece of text, on WhatsApp’s website.”