WhatsApp has been hit with a €225 million ($265 million) financial penalty for failing to comply with the transparency requirements of the EU’s General Data Protection Regulation (EU).
The Irish Data Protection Commission (DPC) launched an enquiry into WhatsApp about data processing transparency in December 2018. It has taken more than 2 and a half years for a final decision to be made, but it could take even longer for any financial penalty to be paid as WhatsApp is appealing the decision and the appeals process can be lengthy in Ireland.
There have been many complaints about potential GDPR violations by WhatsApp and its parent company Facebook, but these were not amalgamated into the DPC investigation which was narrow in scope. The DPC was focused on investigating WhatsApp’s compliance with the GDPR transparency provisions, which require companies that process the personal data of EU citizens to provide clear and easy to understand information to user of their products and services about how personal data will be processed and shared.
The DPC said “severe” violations of GDPR Articles 12-14 had been discovered during the investigation, including the failure to provide users and non-users of its messaging app with clear, transparent, or sufficient information about the level of data processing that would be performed. Non-users of the app were also affected, as app users can provide the WhatsApp with permissions to access the personal data of others stored in a smartphone address book, which includes phone numbers but often other data of non-app users.
WhatsApp was found to have provided insufficient granularity about the legal basis for some data processing activities and the transfer of personal data to non-EEA jurisdictions. While each of the violations was significant, together they constituted severe breaches of the GDPR’s transparency requirements.
The DPC is the lead data protection authority as WhatsApp has its EU base in Dublin, but given the nature of data processing, which crosses borders, a draft decision was published in December 2020 for review by other appropriate data protection authorities. That draft decision proposed a financial penalty of between €30-€50 million.
Eight data protection authorities objected to the financial penalty and called for it to be substantially increased, with the dispute ending up at the European Data Protection Board (EDPB) when an agreement between the data protection authorities could not be reached. According to the EDPB, its decision “contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision.”
The transparency failures were determined to violate Article 5(1)(a) of the GDPR due to the “gravity and the overarching nature and impact of the infringements.” The EDPB also determined that the turnover of Facebook should be taken into consideration when calculating the financial penalty, which saw the penalty increased to €225 million. WhatsApp has also been ordered to make changes to correct the transparency issues and was given three months to make those changes.
WhatsApp will appeal the decision and penalty. “We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate,” said WhatsApp in a statement.