WhatsApp was fined 225 million euros by Ireland’s data watchdog for violating privacy regulations. This is the largest fine ever received from the Irish Data Protection Commission (DPC) and the second highest under EU GDPR rules. Facebook, which owns WhatsApp, has its EU headquarters in Ireland, and the Irish regulator is the lead authority for the tech giant in Europe.
WhatsApp said it disagreed with the decision and the severity of the fine and plans to appeal. The fine is related to an investigation that began in 2018 about whether WhatsApp was transparent enough about how it handles information. The issues involved were highly technical, including whether WhatsApp provided enough information to users about how their data was processed and whether their privacy policies were clear enough. These policies have been updated several times since then.
“WhatsApp is committed to providing a secure and private service,” a company spokesperson said. “We have worked and will continue to do so to ensure that the information we provide is transparent and comprehensive. We disagree with today’s decision on the transparency we provided to people in 2018, and the penalties are completely disproportionate.”
GDPR rules allow massive fines of up to 4% of the offending company’s global turnover. The Irish Data Protection Commission said it submitted its decision to other national data authorities “after a lengthy and thorough investigation” under GDPR, and has received appeals from eight countries, including Germany, France and Italy.
Some disagreed with the Irish regulator on which specific articles of the GDPR were violated or how the fine was calculated, among other issues. And in late July, the European Data Protection Board told the Irish DPC to change its finding, “re-evaluate” the proposed 30-50m euro fine and change its decision by “fixing a higher fine”.
“This shows that DPC is still highly dysfunctional,” privacy campaigner Max Schrems said, welcoming the decision. “DPC has been receiving around 10,000 complaints a year since 2018, and this is the first major fine.” And because of WhatsApp’s planned appeal, “in the Irish court system this will mean we’ll see years before any fines are actually paid.”
The Irish DPC also formally condemned WhatsApp and ordered it to “make its operation appropriate”. Not only has Amazon been fined more for breaking GDPR rules in a case that it also fiercely defends. In July, Luxembourg’s regulator fined Amazon €746m for saying it did not comply with data processing laws.