WhatsApp Slapped With $267m GDPR Fine For Sharing Data

Executives at Facebook were handed some bad news on Thursday by the Irish Data Protection Commission (DPC).

The DPC ruled on Thursday that WhatsApp will be fined 225m euros (£193m or $267m) by Ireland’s data watchdog for breaching data processing regulations, after pressure from the EU privacy watchdog to increase its initial fine.

The DPC said the fine came after an investigation that had “commenced on 10 December 2018 and it examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service.”

WhatsApp fine

Concerns have been ongoing for years, and stem from when Facebook acquired WhatsApp in 2014.

Soon after that acquisition, the messaging app modified its terms of service, informing users it would share their data with its new parent.

That didn’t sit well with European watchdogs, and the move spurred a number of regulatory actions against Facebook in Europe.

And now the Irish DPC has reached its conclusion about the matter.

“On 28 July 2021, the European Data Protection Board (EDPB) adopted a binding decision and this decision was notified to the DPC,” the Irish regulator said. “This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision and following this reassessment the DPC has imposed a fine of €225 million on WhatsApp.”

The Irish DPC took the lead in this case because WhatsApp’s owner, Facebook, has its EU headquarters in Ireland.

The DPC had originally proposed to fine WhatsApp between 30 to 50m euros, but the EDPB told the DPC to increase the fine, which it has now done.

And the DPC was not finished there.

“In addition to the imposition of an administrative fine, the DPC has also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions,” it said.

Large fine

The 225 euro fine is the largest fine ever from the Irish Data Protection Commission, and it is the second-highest fine issued under EU GDPR rules.

The largest ever EU GDPR fine came last month, when Luxembourg’s National Commission for Data Protection fined Amazon 746 million euros (£637m or $886.6m) over alleged violations of GDPR privacy law relating to advertising data.

Amazon is contesting that penalty.

Meanwhile it is understood that the Irish regulator had 14 major inquiries into Facebook and its subsidiaries WhatsApp and Instagram open as of the end of last year.

This particular case however centres around regulatory disapproval of WhatsApp failing to tell Europeans how their personal information is collected and used, as well as how WhatsApp shares data with Facebook.

Facebook is likely to fight this DPC ruling in the courts, which could take years.