Facebook's WhatsApp Hit With $266 Million GDPR Fine

Transparency Shortfalls Cited, as WhatsApp Accused of Not Revealing Data Sharing
Ireland's Data Protection Commission has fined WhatsApp 225 million euros ($266 million) after finding that it violated the EU's General Data Protection Regulation by failing to disclose to users how their data was being shared with parent company Facebook.

In addition to the fine, the 266-page decision by the DPC, which enforces GDPR compliance in Ireland, orders WhatsApp to bring its processing into compliance by implementing eight remedial actions within the next three months.

WhatsApp says it will appeal the decision, which follows a three-year investigation by the DPC. WhatsApp contends that the fine is "out of step with previous GDPR-related fines" levied against other technology giants.

"We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so," a WhatsApp spokesperson tells Information Security Media Group. "We disagree with the decision today regarding the transparency we provided to people in 2018, and the penalties are entirely disproportionate."

EU Board Ordered Higher Fine

Ireland's Data Protection Commission says that after consulting other EU countries' privacy watchdogs, it initially proposed a fine in the range of 30 million euros to 50 million euros.

But the European Data Protection Board, which is an independent European body charged with helping to maintain consistent enforcement of privacy regulations across the region, reviewed the WhatsApp case and on July 28 issued a binding decision instructing the DPC to reassess and increase its proposed fine. The DPC says that based on the board's instructions, it increased the fine to 225 million euros.

"An eye-catching aspect of that process was the increase in the size of the fine from a range of 30 million to 50 million euros first proposed by the DPC," says John Magee, who heads law firm DLA Piper's privacy, data protection and security practice in Ireland. "The fine highlights the importance of compliance with the GDPR's rules on transparency in the context of users, non-users and data sharing between group entities."

WhatsApp has now received the second-highest fine issued so far under GDPR, outranked only by an $885 million fine against Amazon, which was issued in July, says Jonathan Armstrong, a compliance and technology lawyer with London-based law firm Cordery.

Another notable aspect of this case is that it "went through the EDPB's harmonization process," thus signaling the level of fines the board deems to be appropriate for this type of case, and suggesting that "more high fines might be on the way," he says.

WhatsApp Charged With Negligence

Helen Dixon, Ireland's commissioner for data protection, says WhatsApp was guilty of negligence because it was not clear to end users how WhatsApp was sharing users' data with its parent company.

The Data Protection Commission began an investigation in December 2018, seven months after GDPR went into full effect, into whether WhatsApp had met its GDPR transparency obligations.

The investigation was spurred by 88 complaints made against WhatsApp regarding user data transparency that were forwarded by the supervisory authorities of eight EU member states, the DPC said.

Ireland's DPC led the Facebook investigation because Facebook's European operations are headquartered in Dublin, which means that under GDPR's "one stop shop" provisions, the local data protection authority takes the lead on all privacy investigations.

The DPC says it "examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp's service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies."

The DPC says it found that WhatsApp's practices infringed four specific parts of GDPR:

  • Article 5, covering principles relating to processing of personal data;
  • Article 13, covering information to be provided when personal data gets collected from a data subject;
  • Article 14, covering information to be provided when personal data has not been obtained from a data subject;
  • Article 15, which concerns a data subject's right to access their personal data from a controller.

"In terms of the character of the infringements, my view is that they each ought to be classified as negligent," Dixon says. "Such a classification, in my view, reflects carelessness on the part of the controller or processor concerned."

Facebook Calls Fine 'Out of Step'

In a detailed statement responding to the decision, Facebook says that the fine is not about data sharing but about the level of detail the company provided in its previous privacy policy in 2018, which Facebook says it has since updated.

"We support regulation that encourages companies to protect people's private information. WhatsApp has gone beyond many companies' privacy efforts, protecting people's personal conversations with end-to-end encryption. We do not keep logs of who everyone is messaging and do not share your contacts with Facebook," the company says.

Facebook also notes that the fine is much higher than those imposed on other companies cited for similar issues. "The fine we have received is out of step with previous GDPR related fines - for example, in 2019, Google, a company twice the size of Facebook, was fined 50 million euros for 'lack of transparency, inadequate information and lack of valid consent regarding ads personalization,'" the company says.

But Dixon says the seriousness of the allegations leveled against WhatsApp warranted a high fine in part to dissuade others from failing to comply in full with Europe's privacy regulation.

"I am satisfied that the fines proposed above do not exceed what is necessary to enforce compliance with GDPR, taking into account the size of WhatsApp's user base, the impact, or the infringements - individually and collectively - on the effectiveness of the data subject rights enshrined in chapter III of the GDPR," she says.

About the Author

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to TheStreet and Mainstreet.
