Facebook-owned WhatsApp is facing a fine of up to €50m (£44m) for breaching GDPR by failing to be clear about sharing user data with its parent company, in the second case which the Irish Data Protection Commission has had to run it past its EU counterparts before it can issue a penalty.
According to insiders, who have spoken to the Politico website, under the Irish DPC’s draft findings, WhatsApp is facing a fine “in the range” of €30m and €50m over this lack of transparency; it could also be ordered to change the way it handles user data.
The investigation into the breach was completed back in August 2019, although at the time Irish Commissioner Helen Dixon conceded it was likely to take months rather than days to arrive at a formal decision, due to a statutory process of “examination and analysis”.
Some 18 months later, and the ball is at last rolling again but, under the GDPR one-stop shop mechanism for cross-border cases, the Irish DPC has to get approval for the penalty from other EU members’ data protection authorities (DPAs).
However, this is easier said than done. Last year’s €450,000 (£410,000) Twitter fine took months to go through the same process, following strong objections made by the other EU DPAs over the level of the penalty.
In the end, the European Data Protection Board – which is made up of all the DPAs in the EU – was forced to intervene and the ruling was sanctioned by a majority verdict.
Even so, the issue fuelled concerns that the one-stop shop regime was simply unworkable.
The French appear to have already given up on it. In December, regulator CNIL fined Google and Apple a total of €135m (£123m) for cookie violations under the France’s data protection legislation and not GDPR. This meant that the investigation did not have to go through the Irish Data Protection Commission or be approved by other EU states.
Meanwhile, privacy organisation NOYB, fronted by Austrian Max Schrems, recently filed two complaints against Apple, in Germany and Spain, also under the ePrivacy Directive, insisting the move was a deliberate attempt not to trigger the cooperation mechanism of GDPR.
There has been no official comment about the WhatsApp, ruling either from the Irish or EU regulators.
Exposed: Row over ‘paltry’ Twitter fine threatens GDPR
Twitter fined just €450,000 in first major Irish ruling
Ça alors! French shun GDPR to clout Google and Amazon
Apple cut to the core by new unlawful tracking claims
Irish data regulator ‘go-slow’ triggers judicial review
The end is nigh: EU chiefs finally sanction Twitter fine
ICO and Irish DPC ‘among the worst GDPR enforcers’
Irish data regulator issues first GDPR ruling in two years
EU chiefs force review of Irish draft GDPR Twitter ruling
WhatsApp and Twitter facing first major GDPR rulings