The Irish Data Protection Commission (DPC) has fined Facebook-owned WhatsApp €225 million ($266 mn, £193 mn) over a General Data Protection Regulation (GDPR) violation. This is the second-largest fine under the EU’s privacy rules. Previously, in August, Luxembourg’s data protection authority slapped a record €746 million fine on Amazon.
A WhatsApp spokesperson told Reuters the fine was “entirely disproportionate” and that it would appeal. The penalty is much larger than the initial €50 million (£43 million) fine issued by the DPC in December last year.
In July this year, the European Data Protection Board (EDPB) met after eight DPCs raised objections to the initial fine. Subsequently, the EDPB issued a binding decision and instructed the Irish DPC to reassess and increase its proposed fine.
The Investigation and the Order
The investigation began in December 2018. The task before the DPC was to examine if WhatsApp discharged its transparency obligations under the GDPR – providing sufficient information to both users and non-users of its services, including information regarding how it processed and shared data with Facebook and other Facebook-owned firms.
The DPC concluded that WhatsApp did not clearly tell EU subjects how it collects and uses their personal data. As such, it found WhatsApp to be in contravention of Article 14 of the GDPR. The Article provides that data controllers must provide data subjects with adequate information about how they gather and process data.
A summary published by the EDPB found the infringement to be very serious in nature. It amounts to “a high degree of negligence,” it said.
Pay the Fine, and Comply
Besides the fine, the DPC has given WhatsApp three months to clearly communicate its data collection and usage policies to the data subjects, in accordance with GDPR. This includes clearly informing non-users that their phone numbers may be uploaded to the app by their contacts.
You can read a copy of the decision here.