The second largest ever financial penalty to resolve GDPR violations has been imposed on WhatsApp by the Irish Data Protection Commission (DPC). WhatsApp has been fined €225 million ($265 million) for violations of the data processing transparency requirements of the General Data Protection Regulation (EU). The fine is the second GDPR financial penalty of 2021 to exceed €100 million and follows Amazon’s €746 million financial penalty, which was announced by the Luxembourg data protection authority in July.
The DPC has been criticized for the length of time it has taken to conduct investigations and also for the relatively low financial penalties imposed so far. Under the GDPR, the maximum financial penalty is 4% of global annual turnover for the previous fiscal year, yet fines imposed so far have fallen well below that level. In the case of WhatsApp, the proposed financial penalty was in the region of €30-50 million, but after reviewing the DPC decision, eight data protection authorities called for the financial penalty to be increased.
The DPC is the lead data protection authority in this case as WhatsApp has its EU base in Dublin, but the draft decision released in December 2020 was sent for review by other data protection authorities due to the cross-border data processing activities. The dispute could not be resolved so the case went before the European Data Protection Board (EDPB), which gave the DPC clear instruction to increase the financial penalty “on the basis of a number of factors contained in the EDPB’s decision.” The DPC was also required to give consideration to the global turnover of WhatsApp’s parent company – Facebook – when determining the financial penalty, which saw the penalty increased to €225 million.
The violations of the GDPR discovered by the DPC were of a technical nature and related to transparency about data processing. WhatsApp was determined to have violated GDPR Articles 12-14 for failing to provide app users with clear, transparent, or sufficient information about the level of data processing, and the “gravity and the overarching nature and impact of the infringements” was determined to be a violation of Article 5(1)(a) of the GDPR which requires personal data to be “processed lawfully, fairly and in a transparent manner in relation to the data subject.
WhatsApp has stated it will appeal the penalty. That process could take some time and it may be years before any fine is paid should the appeal fail. “We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate,” said WhatsApp.