GDPR: WhatsApp fined 225 million euros

The Irish Data Protection Commission (DPC) has fined the Ireland-based European headquarters of Facebook subsidiary WhatsApp 225 million euros for violations of the General Data Protection Regulation. This is the second-highest GDPR fine in the European Union since the GDPR came into force in May 2018.

Irish media outlet RTE reports on the case in this article and notes that this is the highest fine the Data Protection Commission has ever imposed on a company under EU data protection rules. The Irish Data Protection Authority (DPC) acts as the lead regulator for WhatsApp in Europe. The DPC statement can be found here.

The DPA also ordered WhatsApp to bring its processing of user-related data into compliance with the European General Data Protection Regulation through a series of remedies. WhatsApp, unsurprisingly, said it disagreed with the decision. WhatsApp considers the amount of the fine to be completely disproportionate and plans to appeal the decision.

Three-year investigation

The investigation into violations of the General Data Protection Regulation was launched by the Irish Data Protection Authority three years ago, after the EU enacted new data protection rules in May 2018. That investigation included an examination of WhatsApp's compliance with its obligations under the General Data Protection Regulation (GDPR) regarding the provision of information and the transparency of that information to users and non-users of WhatsApp's services.

This included transparency in the information provided to users about the processing of their data by WhatsApp and other Facebook companies. In the past, there was a lot of bickering between data protection authorities about this, because other countries accused the Irish DPC of taking an unduly long time to process the cases. Last December, after completing its investigation, the DPA sent its draft decision to other European data protection authorities for review. This is required by the General Data Protection Regulation.

Interestingly, eight of about 40 of these European authorities agreed with the draft and its conclusions. This included the fine of up to 50 million euros proposed by the DPC. As the DPC was unable to reach an agreement with the other supervisory authorities on how to proceed, the case was referred to the European Data Protection Board (EDPS) earlier this summer, which issued a binding decision at the end of July that the DPC must now enforce.

"That decision included a clear instruction requiring the DPA to reassess and increase its proposed fine based on a number of factors included in the EDPS decision, and following that reassessment, the DPA imposed a fine of €225 million on WhatsApp," the DPC said in a statement.

"In addition to imposing a fine, the DPC has also issued a reprimand and ordered WhatsApp to bring its processing into compliance by taking a number of specific remedial actions."

WhatsApp caught off guard

WhatsApp Ireland had set aside €77.5 million in advance for a potential fine by the DPC. The €224 million is therefore a real blow. Of course, WhatsApp is well within its rights to appeal this decision. The company stated that it disagrees with the DPC's decision and is committed to providing a secure and private service. A WhatsApp spokesperson is quoted by RTE as saying:

We have worked to ensure that the information we provide is transparent and comprehensive, and will continue to do so. We disagree with today's decision regarding the transparency we provided to people in 2018 and the penalties are completely disproportionate. We will appeal this decision.

An appeal can be made either to the Irish High Court or directly to the European Court of Justice and would likely focus on the amount of the fine. It is understood that WhatsApp's fine is not about its data sharing practices, but about the level of detail in its 2018 privacy policy.
