The Data Protection Commission (DPC) has fined WhatsApp Ireland €225m for infringements of data protection rules.
It is the largest fine ever imposed by the DPC and the second largest penalty ever levied on an organisation under EU data laws.
The regulator has also ordered the messaging service to bring its processing into compliance by taking a range of specified remedial actions.
Unsurprisingly, WhatsApp has said it disagrees with the decision, claims the penalties are entirely disproportionate and has stated it will appeal the ruling.
The probe was launched by the DPC three years ago, after new rules on data protection were brought into force by the EU. The inquiry examined whether WhatsApp had met its obligations under the General Data Protection Regulation (GDPR) regarding the provision of information and the transparency of that information to both users and non-users of WhatsApp’s services.
This included the transparency of information provided to users about the processing of their data between WhatsApp and other Facebook companies.
In December of last year, having concluded its investigation, the DPC sent its draft decision to other European data regulators for consideration, as required by the GDPR.
However, eight of around 40 of those authorities disagreed with the draft conclusions, including the DPC’s proposed fine of up to €50m.
Because the DPC was not able to reach a consensus with the other regulators on how to proceed, the case was referred to the European Data Protection Board (EDPB) earlier this summer and it made its binding ruling at the end of July which the DPC must now enforce.
“This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision and following this reassessment the DPC has imposed a fine of €225 million on WhatsApp,” the DPC said in a statement.
“In addition to the imposition of an administrative fine, the DPC has also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.”
However, WhatsApp Ireland, which had previously set aside €77.5m for a possible fine, has said it does not agree with the decision and is committed to providing a secure and private service.
“We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” said a WhatsApp spokesperson.
“We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision,”
An appeal can be made either to the Irish High Court or directly to the European Court of Justice, and would likely focus on the size of the fine.
It is understood that WhatsApp believes the fine is not about its data sharing practices but the level of detail provided in its 2018 privacy policy.
Sources close to the company, which is owned by Facebook, said rather than making its policy shorter and less complicated, the decision would mean it would have to add even more information to its already long and complicated privacy policy.
The company is also understood to feel that the fine is out of step with previous GDPR related fines.
Under the regulation, firms can face fines of up to €20m or 4% of total annual global turnover the preceding year, which is higher.
The largest GDPR fine to date, some €746m, was imposed during the summer on Amazon by authorities in Luxembourg.
In 2019, Google was fined €50m by the French data protection authority for lacking transparency, inadequate information and lack of valid consent in ad personalisation.
Fines go back to the exchequer of the countries in which they are levied.