An investigation by Ireland’s privacy watchdog found that WhatsApp broke stringent regulations in relation to the transparency of data shared with other companies. As a result, the company has been fined €225m (£193m) after EU data protection rules violation. The penalty is the second-highest under the GDPR rules and the biggest ever issued by the commission in Ireland, beating a €400,000 (£344,000) fine given to Twitter for a security breach.
The Data Protection Commission also ordered WhatsApp to undertake “remedial measures” on Thursday in order to ensure that its processing meets EU standards. WhatsApp, however, stated the fine was out of proportion and that the decision was going to be appealed.
The fine concerns an investigation started in 2018 into the transparency of WhatsApp’s data management. The issues raised included whether WhatsApp gave sufficient information to users about how their data was being managed and if its privacy policies were explicit. Since then, these policies have repeatedly been amended.
“WhatsApp is committed to providing a secure and private service,” a company spokesperson said.
“We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018, and the penalties are entirely disproportionate.”
The Irish DPC has stated that it has presented its decision, as required by GDPR, to other national data authorities, “following a lengthy and comprehensive investigation.” Eight countries, including Germany, France and Italy, have reportedly objected.
And in late July, the European Data Protection Board told the Irish DPC to tweak its finding, “reassess” its proposed fine of €30-50m (£26-43m) and amend its decision “by setting out a higher fine amount”.
The DPC has been criticised in the past by other European regulators for taking too long to reach decisions involving tech giants and for not fining them enough for any breaches. In July, a European Data Protection Board meeting issued a “clear instruction that required the DPC to reassess and increase its proposed fine based on a number of factors contained”, the Irish regulator said.
“This shows how the DPC is still extremely dysfunctional”, privacy campaigner Max Schrems said, welcoming the decision.
“The DPC gets about 10,000 complaints per year since 2018 – and this is the first major fine,” he said.
And considering WhatsApp’s appeal, “in the Irish court system, this will mean that we will see years before any fine is actually paid.”