WhatsApp Fined $267M for GDPR Breach in Europe

Facebook’s WhatsApp Faces Significant Fine from European Regulators
After a considerable period, Facebook is now experiencing increased scrutiny due to Europe’s data protection regulations. Ireland’s Data Protection Commission (DPC) has recently announced a €225 million (~$267 million) penalty for WhatsApp.
Investigation Details
The messaging application, owned by Facebook, has been under investigation by the Irish DPC – its primary data supervisory authority within the European Union – since December 2018. This investigation commenced several months after initial complaints were lodged concerning WhatsApp’s handling of user data under the General Data Protection Regulation (GDPR), which became enforceable in May 2018.
The DPC opened the investigation on its own initiative, known as an “own volition” enquiry, and focused it on an audit of WhatsApp’s “transparency” obligations, despite the numerous specific complaints it had received.
GDPR Transparency Requirements
A fundamental tenet of the GDPR is the requirement for organizations processing personal data to be clear, open, and honest with individuals regarding the utilization of their information.
The DPC’s decision, documented in a 266-page report, concludes that WhatsApp did not meet the transparency standards mandated by the GDPR.
Scope of the Enquiry
The enquiry assessed whether WhatsApp adequately fulfilled its transparency obligations to both its users and non-users. This included examining cases where WhatsApp might upload the phone numbers of non-users when a user consents to the app accessing their phone book, which contains other people’s personal data.
Furthermore, the investigation considered the transparency surrounding data sharing between WhatsApp and its parent company, Facebook – a contentious issue following a privacy policy change announced in 2016, predating GDPR enforcement.
Findings of the DPC
The DPC identified several transparency infringements by WhatsApp, encompassing articles 5(1)(a), 12, 13, and 14 of the GDPR.
Alongside the substantial financial penalty, WhatsApp has been directed to implement measures to enhance transparency for both users and non-users, with a three-month deadline for compliance.
WhatsApp’s Response
In a statement, WhatsApp contested the findings, labeling the penalty “entirely disproportionate” and announcing its intention to appeal.
Limitations of the Investigation
It is important to note that the DPC’s enquiry was specifically limited to WhatsApp’s transparency obligations.
The regulator did not investigate broader complaints regarding the legal justification WhatsApp uses for processing personal information, issues that have been raised against Facebook’s data practices for over three years.
Consequently, the DPC will likely continue to face criticism regarding the speed and methodology of its GDPR enforcement.
Prior Enforcement Actions
Prior to this decision, Ireland’s regulator had issued only one major cross-border ruling against a “Big Tech” company – a $550,000 fine levied against Twitter in December for a historical security breach.
WhatsApp’s penalty is significantly larger, indicating a more severe breach of GDPR regulations, according to EU regulators.
Significance of Transparency
Transparency is a cornerstone of the GDPR. While a security breach may reflect operational shortcomings, a consistent lack of openness regarding data usage within an adtech-driven business model appears more deliberate.
Companies operating in Europe are increasingly being compelled to be forthright about their data handling practices.
Evaluating the Effectiveness of GDPR
The recent ruling concerning WhatsApp is poised to reignite discussions regarding the efficacy of the General Data Protection Regulation (GDPR), particularly in its ability to hold the world’s most influential corporations – notably those operating online – accountable.
The EU’s primary data protection regulation mandates consensus among all relevant regulatory bodies across its 27 Member States for cross-border cases. While the GDPR’s “one-stop shop” system aims to simplify compliance for businesses operating across borders by channeling complaints and investigations through a lead regulator—typically based on the company’s primary EU establishment—objections to the lead supervisory authority’s findings, including proposed penalties, can be lodged, as demonstrated in the WhatsApp case.
Initially, Ireland suggested a penalty for WhatsApp potentially reaching €50 million. However, several other EU regulators voiced concerns regarding the proposed decision. Consequently, the European Data Protection Board (EDPB) intervened and issued a binding decision this summer to resolve the disagreements.
This collaborative process, though challenging, compelled the Irish Data Protection Commission (DPC) to increase the fine levied against WhatsApp. A similar scenario unfolded with the DPC’s initial draft decision regarding Twitter, where a significantly smaller penalty was initially proposed.
Despite the inherent time constraints involved in resolving disputes among the EU’s numerous data protection agencies—the DPC submitted its initial WhatsApp decision for review in December, and it took over six months to address all concerns regarding WhatsApp’s hashing practices—the fact that adjustments are being made to its decisions, either through joint agreement or consensus driven by the EDPB, suggests the system is functioning, albeit slowly and imperfectly.
Nevertheless, Ireland’s data protection authority will likely continue to face scrutiny for its prominent role in handling GDPR complaints and investigations. Some critics allege that the DPC selectively prioritizes certain issues for detailed examination, while neglecting others, thereby creating a bottleneck in the effective enforcement of data protection rights throughout the EU.
This criticism leads to the assertion that technology giants like Facebook may still enjoy considerable leniency in their adherence to European privacy regulations.
However, while a €267 million penalty represents a relatively small sum for Facebook’s vast financial resources, directives requiring changes to the data processing practices of large adtech companies hold the potential to significantly alter problematic business models.
Further time is needed to ascertain whether these broader directives will achieve their intended impact.
In response to the DPC’s WhatsApp decision, noyb—the privacy advocacy group established by prominent European privacy advocate Max Schrems—stated: “We acknowledge the first decision by the Irish regulator. However, the DPC receives approximately ten thousand complaints annually since 2018, and this is the first substantial fine. The DPC initially proposed a €50 million fine and was compelled by other European data protection authorities to increase it to €225 million, which remains only 0.08% of the Facebook Group’s turnover. The GDPR allows for fines up to 4% of turnover. This illustrates the ongoing dysfunction within the DPC.”
Schrems also highlighted that noyb currently has several pending cases before the DPC, including those concerning WhatsApp.
Furthermore, they expressed concerns about the duration of the appeals process and questioned whether the DPC would vigorously defend a sanction it was compelled to increase by other EU DPAs.
“WhatsApp will undoubtedly appeal the decision. Within the Irish court system, this means years may pass before any fine is actually paid. In our cases, we often felt the DPC prioritized headlines over thorough investigation. It will be interesting to observe whether the DPC will fully defend this decision, as it was essentially forced upon it by its European counterparts. It is conceivable that the DPC will allocate limited resources to the case or seek a settlement with WhatsApp in Ireland. We will closely monitor this case to ensure the DPC fully implements this decision.”
Update: The European consumer protection association BEUC—which has also filed complaints against Facebook-owned WhatsApp—characterized the decision as “long overdue” in a separate statement.
David Martin, its digital policy team leader, added: “This sends a strong message to Facebook and its subsidiaries that violating EU data protection rules carries consequences. It also demonstrates the crucial role of the European Data Protection Board in enforcing the GDPR, as the Irish data protection authority was compelled by its EU counterparts to adopt a stricter position. We hope that consumer authorities will heed this decision and promptly address BEUC’s separate complaint against WhatsApp regarding its unfair pressure on users to accept recent changes to its terms and conditions and privacy policy.”
