Illustration by Security Management

WhatsApp Hit With Second-Largest GDPR Fine

The Irish Data Protection Commission (DPC) issued a new record-high fine against WhatsApp for breaching privacy regulations under the European Union’s General Data Protection Regulation (GDPR).

The commission levied the €225 million (approximately $267 million) fine due to an investigation that began in December 2018 into whether WhatsApp, a Facebook-owned messaging service, was sufficiently transparent in its information-handling practices.  

The Irish DPC’s investigation looked into concerns about the clarity of the service’s privacy policies and whether the app provided users with enough information on how their data was processed and shared with Facebook. Since the investigation began, WhatsApp has updated its policies several times.

The 265-page decision limited the investigation’s findings to the platform’s transparency obligations, according to TechCrunch. The GDPR, which became effective in 2018, orders organizations to be clear, open, and honest with users about how their data is used or shared.  

Along with the fine, which is the second-highest to be levied under the GDPR rules, the commission also ordered WhatsApp to adjust its privacy policies and notification practices to comply with the EU’s privacy policies, according to CNBC. The company was given three months to change its policies and practices.  

“Max Schrems, an Austrian lawyer and privacy activist who has filed several complaints with authorities in Ireland against Facebook, welcomed Thursday’s decision but said the fine by the Data Protection Commission was still too small,” The New York Times reported. “The GDPR allows fines of up to 4 percent of global revenue.” 

Facebook’s EU headquarters are located in Ireland, making the DPC the top regulator of the company within Europe.  

WhatsApp said it disagrees with the decision and the steepness of the fine. It plans to appeal the decision, which could stall payment of the fine for years. 

“The fine...will likely be significantly reduced in court as we already witnessed with other major cases,” said Ilia Kolochenko, founder of ImmuniWeb and member of Europol Data Protection Experts Network. “The judicial process to get a final and enforceable decision will likely take several years. It’s very unlikely any Europeans, whose privacy rights were allegedly violated by WhatsApp, will get any compensation.”

The GDPR also required the Irish DPC to submit its decision to other national data authorities. Eight countries, including France, Germany, and Italy, also objected to the DPC’s decision. 

“Given the growing disagreement between European DPAs on GDPR enforcement priorities and imposition of penalties, these concerns become even more real today,” Kolochenko added. “Moreover, data subjects are reluctant to enforce their rights under GDPR as it’s always time-consuming and may require a complex and costly process to litigate for penny compensation if any.”

“Some disagreed with the Irish regulator about which specific articles of GDPR had been broken or the way the fine had been calculated, among other issues,” BBC News reported. “And in late July, the European Data Protection Board told the Irish DPC to tweak its finding, ‘reassess’ its proposed fine of €30-50m, and amend its decision ‘by setting out a higher fine amount.’” 

There are several other GDPR-related cases still waiting to be dealt with, and Kolochenko noted that unless enforcement of GDPR is overhauled, impunity for such violations will be normalized. “The Irish Data Protection Commission still has open about two dozen other investigations into big tech companies like Google, Twitter, and Facebook, including a second case involving WhatsApp,” ABC News reported.