Facebook-owned WhatsApp has been directed to pay a 225 million euros ($266 million) fine for violating the EU’s General Data Protection Regulation after it failed to notify the users and non-users on what it does with their personal data.
The penalty was handed down by the Irish Data Protection Commission (DPC), the leading data privacy regulator for Facebook within the European Union, following an investigation started in December 2018 after the DPC received multiple complaints from "individual data subjects" (both users and non-users) regarding WhatsApp data processing activities.
"We examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp's service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies," DPC said.
In addition to the fine, the 266-page decision by the DPC directs WhatsApp to bring its processing into compliance by taking eight remedial actions within the next three months. One of WhatsApp's Spokesperson stated the penalty and said that the company provided detailed information to the users. The fine imposed by DPC is "out of step with previous GDPR-related fines" levied against other technology giants.
"We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018, and the penalties are entirely disproportionate," said the spokesperson.
The DPC says it discovered that WhatsApp's practices violated four specific parts of GDPR:
• Article 5, covering principles relating to the processing of personal data;
• Article 13, covering information to be provided when personal data gets collected from a data subject;
• Article 14, covering information to be provided when personal data has not been obtained from a data subject;
• Article 15, which concerns a data subject's right to access their personal data from a controller.
The fine imposed on WhatsApp is the second-highest fine ever issued so far under GDPR, outranked only by an $885 million fine against Amazon, according to Jonathan Armstrong, a compliance and technology lawyer with London-based law firm Cordery.
According to Ireland's Data Protection Commission, it initially proposed a penalty in the range of 30 million euros to 50 million. But the European Data Protection Board reviewed the WhatsApp case and on July 28 issued a binding decision instructing the DPC to reassess and increase its proposed fine. The DPC says that based on the board's instructions, it increased the fine to 225 million euros.
"An eye-catching aspect of that process was the increase in the size of the fine from a range of 30 million to 50 million euros first proposed by the DPC. The fine highlights the importance of compliance with the GDPR's rules on transparency in the context of users, non-users, and data sharing between group entities," says John Magee, who heads law firm DLA Piper's privacy, data protection, and security practice in Ireland.