8 September 2021 | By Marten Männis
WhatsApp fined €225 million, second-largest fine under the GDPR
In September 2021, the Irish Data Protection Commission (DPC) fined Facebook-owned WhatsApp €225 million for breaching privacy rules pursuant to the GDPR. The decision, the first major fine imposed by the Irish data watchdog and the second-highest GDPR-related fine, is the culmination of a three-year investigation.
Following the entry into force of the GDPR in 2018, the DPC received many complaints from individual data subjects regarding how WhatsApp processes its user data. In addition, a total of 88 complaints against WhatsApp have been transmitted to the DPC by several national supervisory authorities, including those of Germany, the Netherlands, Austria, Spain, the United Kingdom, France, Finland, and Poland.
The investigation by the DPC amounted to an ‘own volition’ enquiry, which means that the watchdog specified the extent of the investigation, focusing on the transparency obligations of the company. The investigation had three major components: transparency in the context of non-users; transparency in the context of users; and transparency in the context of sharing of user personal data between WhatsApp and its sister companies.
An example of transparency in the context of non-users would be having a user allow the company access to the contacts data on the user’s phone, where much of the information pertains to individuals who do not use the service.
The investigation ultimately found several infringements by the company. Though the fine initially proposed by the DPC hovered between €30-50 million, following the objections by several other national data watchdogs and the European Data Protection Board, the fine was ultimately raised to €225 million.
The infringed articles
The infringement of Article 5(1)(a) of the GDPR was deemed to be finable for €90 million. The article in question concerns whether personal data is processed lawfully, fairly and in a transparent manner in relation to the data subject.
For the infringement of Article 12 of the GDPR, the company was fined €30 million. The article obligates data controllers to take appropriate measures to provide information in a transparent and legible manner to the data subject and to respond to any requests on its actions without undue delay.
For the infringement of Article 13 of the GDPR, WhatsApp was also fined €30 million. The article obligates data controllers to provide the relevant information to the data subject when their personal data is collected, including the purpose for which the data is collected.
Finally, for the infringement of Article 14 of the GDPR, the company was fined €75 million. This article obligates data controllers to provide relevant information in circumstances where personal data has yet to be collected.
WhatsApp disagreed with the decision and asserted that the transparency it has provided, which sparked the investigation, was appropriate and that the penalties imposed were entirely disproportionate. It argued during the investigation that no evidence had been put forth to support claims of any harm or risk to users or non-users from the alleged infringements. As the decision will be appealed in the Irish Courts, it will take years for the final decision to materialise.
Max Schrems, Chair at noyb.eu, a European Center for Digital Rights, welcomed the decision and criticised the DPC, as this is the first major fine it has imposed, even though the number of complaints the watchdog receives is exponentially higher. Furthermore, he noted that the €225 million fine, upped from an initial €50 million, is still just 0.08% of the annual turnover of the Facebook Group, far less than the 4% of turnover that the GDPR permits imposing.