WhatsApp hit with €225 million fine for GDPR violations

WhatsApp hit with €225 million fine for GDPR violations

WhatsApp was hit with a €225 million fine for violating the General Data Protection Regulation (GDPR), the European Union’s sweeping data protection law that has been in effect for more than three years.

The fine represents the highest ever penalty levied by the Irish Data Protection Commission, which serves as the primary data protection authority for WhatsApp and the messaging app company’s parent Facebook, which has its EU headquarters based in Ireland. It is also the second-highest penalty ever issued under GDPR violations. That higher penalty, sent to Amazon by Luxembourg’s National Commission for Data Protection, was for a massive $886 million.

WhatsApp said it disagreed with the Irish Data Protection Commission’s (DPC) findings, which were based on an investigation which began in December 2018, into whether WhatsApp failed to transparently tell both users and non-users about how their data was handled.

“We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” WhatsApp said in response to the penalty. “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”

Interestingly, the Irish DPC said that, when it shared its findings with other EU member-states’ own data regulators, eight of those regulators disagreed. During a follow-on dispute resolution process, the Irish DPC was told that it should actually increase its initial penalty amount.

Max Schrems, the legal activist who has proven himself to possibly be the largest thorn in Facebook’s side, welcomed the Irish DPC’s decision, but warned about the likely prolonged legal battle ahead, as WhatsApp will probably fight the penalty in court.

“In the Irish court system this means that years will pass before any fine is actually paid. In our cases we often had the feeling that the DPC is more concerned with headlines than with actually doing the hard groundwork,” Schrems wrote. “I can imagine that the DPC will simply not put many resources on the case or ‘settle’ with WhatsApp in Ireland. We will monitor this case closely to ensure that the DPC is actually following through with this decision.”

The Irish DPC said its investigation into WhatsApp began after it received several complaints from users and non-users after the passage of GDPR. In its final decision, the Irish DPC said it found that WhatsApp had failed to comply with several components of Articles 12, 13, and 14 of GDPR, which relate to how a company transparently tells its users and non-users about how their data is handled. In particular, the Irish DPC investigated whether WhatsApp was transparent about how it shared personal data with its parent company Facebook, and it slammed WhatsApp for keeping information either vague or behind too many separate FAQ and privacy policy pages.

“[T]he information that has been provided, regarding WhatsApp’s relationship with the Facebook Companies and the data sharing that occurs in the context of that relationship, is spread out across a wide range of texts and a significant amount of the information provided is so high level as to be meaningless,” the Irish DPC said. In a similar set of findings regarding WhatsApp’s data-sharing relationship with Facebook, the Irish DPC said “it is unsatisfactory that the user has to access information as to the identity of the Facebook Companies on Facebook’s website and for the information to be broken up over three or four different ‘articles’ that each link back to one another in a circular fashion. There is no reason why this information could not be hosted, in a concise piece of text, on WhatsApp’s website.”

Though WhatsApp disagreed with the Irish DPC’s findings overall, the data regulator’s claims of lacking transparency are not, by any means, new allegations. Just this year, WhatsApp walked itself into a firestorm when it scared users into thinking that their accounts would be deactivated if they refused to agree to a new privacy policy. The problem? It was two-fold, actually—user accounts would not be deactivated (they’d simply be egregiously stymied) and most of the privacy policy changes that users were upset about had actually already been put into place.

WhatsApp eventually walked back its threat to disable key features for users who refused to accept the new privacy policy—which it messaged as not-a-deactivation—but a great deal of damage had already been done. Users had already flocked to competitors in January, and there has been little indication that they’ve returned.  


David Ruiz

Pro-privacy, pro-security writer. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.