The Irish Data Protection Commission has finally bared its teeth, imposing a €225m (£219m) fine on WhatsApp for severe breaches of GDPR, but only after pressure from other European regulators to increase the sanction from a proposed €50m (£44m).
The penalty follows an inquiry into the messaging app’s transparency around sharing personal data with other Facebook companies.
Slamming WhatsApp for a “very significant information deficit” among four violations of GDPR, Commissioner Helen Dixon said the company provided only two-fifths of the prescribed information to users of its service and none to non-users about how it shared their data.
“All four infringements are in my view very serious in nature,” she said in a 266-page ruling. “They go to the heart of the general principle of transparency and the fundamental right of the individual to protection of his/her personal data which stems from the free will and autonomy of the individual to share his/her personal data in a voluntary situation such as this.”
The impact was “particularly severe” on non-users of WhatsApp, who were denied the right to exercise control over their personal data, Dixon said. The breaches affected an “extremely high” number of people, but the published ruling was redacted to obscure the estimated number.
The investigation into the breach was completed back in August 2019, although at the time Dixon conceded it was likely to take months rather than days to arrive at a formal decision, due to a statutory process of “examination and analysis”.
Back in February this year, the regulator sought approval for its proposed penalty of up to €50m (£44m) from other EU members’ data protection authorities under the GDPR one-stop shop mechanism for cross-border cases.
And in July, a meeting of the European Data Protection Board issued a “clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained”, the Irish regulator said, leading to the 350% rise in the penalty.
This is the second time the EDPB has intervened in an Irish DPC ruling. Last year’s €450,000 (£410,000) Twitter fine took months to go through the same process, following strong objections made by the other EU authorities over the level of the penalty. In the end the ruling was sanctioned by a majority verdict.
Perhaps unsurprisingly, WhatsApp said it disagreed with the decision, claiming the penalties are “entirely disproportionate”.
A spokesperson said: “WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so.” The company added that it would launch an appeal against the fine.
If it stands, the fine would be the second largest ever issued under GDPR, following the €746m (£636m) penalty issued by Luxembourg’s National Commission for Data Protection against Amazon, which is also being challenged.
The former record fine is against Google: a €50m (£44m) penalty issued in January 2019 for failing to be transparent in its consent policies.