Data Protection Commission

Data Protection Commission fines WhatsApp Ireland €225m

The penalty is the second largest under Europe’s revamped data protection standards.

The Data Protection Commission (DPC) has fined WhatsApp Ireland €225m for infringements of data protection rules.

It is the largest fine ever imposed by the DPC and the second largest penalty ever levied on an organisation under EU data laws.

The regulator has also ordered the messaging service to bring its processing into compliance by taking a range of specified remedial actions.

Unsurprisingly, WhatsApp has said it disagrees with the decision, claims the penalties are entirely disproportionate and has stated it will appeal the ruling.

The probe was launched by the DPC three years ago, after new rules on data protection were brought into force by the EU. The inquiry examined whether WhatsApp had met its obligations under the General Data Protection Regulation (GDPR) regarding the provision of information and the transparency of that information to both users and non-users of WhatsApp’s services.

This included the transparency of information provided to users about the processing of their data between WhatsApp and other Facebook companies.

In December of last year, having concluded its investigation, the DPC sent its draft decision to other European data regulators for consideration, as required by the GDPR.

However, eight of around 40 of those authorities disagreed with the draft conclusions, including the DPC’s proposed fine of up to €50m.

Because the DPC was not able to reach a consensus with the other regulators on how to proceed, the case was referred to the European Data Protection Board (EDPB) earlier this summer and it made its binding ruling at the end of July which the DPC must now enforce.

“This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision and following this reassessment the DPC has imposed a fine of €225 million on WhatsApp,” the DPC said in a statement.

“In addition to the imposition of an administrative fine, the DPC has also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.”

However, WhatsApp Ireland, which had previously set aside €77.5m for a possible fine, has said it does not agree with the decision and is committed to providing a secure and private service.

“We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” said a WhatsApp spokesperson.

“We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision,”

An appeal can be made either to the Irish High Court or directly to the European Court of Justice, and would likely focus on the size of the fine.

It is understood that WhatsApp believes the fine is not about its data sharing practices but the level of detail provided in its 2018 privacy policy.

Sources close to the company, which is owned by Facebook, said rather than making its policy shorter and less complicated, the decision would mean it would have to add even more information to its already long and complicated privacy policy.

The company is also understood to feel that the fine is out of step with previous GDPR related fines.

Under the regulation, firms can face fines of up to €20m or 4% of total annual global turnover the preceding year, which is higher.

The largest GDPR fine to date, some €746m, was imposed during the summer on Amazon by authorities in Luxembourg.

In 2019, Google was fined €50m by the French data protection authority for lacking transparency, inadequate information and lack of valid consent in ad personalisation.

Fines go back to the exchequer of the countries in which they are levied.

We and our partners store or access information on devices, such as cookies and process personal data, such as unique identifiers and standard information sent by a device for the purposes described below. You may click to consent to our and our partners’ processing for such purposes. Alternatively, you may click to refuse to consent, or access more detailed information and change your preferences before consenting.

Your preferences will apply to this website only. Please note that some processing of your personal data may not require your consent, but you have a right to object to such processing. You can change your preferences at any time by returning to this site or visit our privacy policy.

Privacy Settings saved!
Privacy Settings

We and our partners store or access information on devices, such as cookies and process personal data, such as unique identifiers and standard information sent by a device for the purposes described below. You may click to consent to our and our partners’ processing for such purposes. Alternatively, you may click to refuse to consent, or access more detailed information and change your preferences before consenting. Your preferences will apply to this website only. Please note that some processing of your personal data may not require your consent, but you have a right to object to such processing. You can change your preferences at any time by returning to this site or visit our privacy policy.

When you use our Services, Rapid Mobile and our partners may use cookies and similar technologies (“cookies”) to store or retrieve information, including information about you, your use of our Services or your device. It is used to make our Services work as you expect them to, to enable analysis of your use and, because our Services are supported by advertising, to enable the delivery of ads that are more relevant to you. The information does not directly identify you. Because we respect your right to privacy, you can choose not to allow some types of cookies and processing. Click on the different category headings to find out more and change our default settings. Not allowing some types of cookies may impact your experience of our Services and what we are able to offer.

We track anonymized user information to improve our website.
  • _ga
  • _gid
  • _gat

Used by Spamshield to stop spam signups.
  • _wpss_h_
  • _wpss_p_

For shopping cart and order processing two cookies will be stored. These cookies are strictly necessary and can not be turned off.
  • woocommerce_cart_hash
  • woocommerce_items_in_cart

In order to use this website we use the following technically required cookies
  • wordpress_test_cookie
  • wordpress_logged_in_
  • wordpress_sec

Confirm my Choices