THE IRISH DATA Protection Commissioner (DPC) has fined WhatsApp Ireland a record €225 million after a GDPR investigation into how it shares user data with other Facebook-owned social media platforms.
It’s the largest fine the DPC has ever levied against a company in its history.
The second-largest was a €450,000 penalty handed out to Twitter last December for its handling of a data breach.
The investigation stemmed from a DPC inquiry, which began in 2018, into WhatsApp Ireland and its compliance with European transparency rules under GDPR.
Incorporated in 2017, WhatsApp Ireland is the Facebook subsidiary’s main corporate entity in Europe. The Irish DPC has responsibility for oversight of the social media platform because Facebook and WhatsApp’s European headquarters are based in Dublin.
The DPC investigation examined whether WhatsApp has met its GDPR transparency obligations to users and non-users of WhatsApp’s service.
This included information provided to users about the processing of information between WhatsApp and other Facebook companies.
Last December, the DPC sent its initial draft decision to Europe’s overarching privacy watchdog, the European Data Protection Board (EDPB), which is made up of 27 EU national data regulators.
But the EPDB itself issued its own decision in July after the Irish DPC was unable to reach a consensus with eight other regulators on the matter.
On foot of July’s EDPB decision, the Irish DPC was required to increase the size of its initial fine.
“This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision,” the Irish watchdog said in a statement this morning.
“Following this reassessment the DPC has imposed a fine of €225 million on WhatsApp.”
In addition, the DPC has also formally reprimanded the Facebook-owned company, “along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions”.
WhatsApp said it would appeal the decision.
“We disagree with the decision today,” the company said in a statement, calling the penalties “entirely disproportionate”.
Earlier this year, the Irish DPC’s handling of complaints about WhatsApp sparked a public row between Data Protection Commissioner Helen Dixon and Ulrich Kelber, Germany’s chief data protection watchdog.
In an open letter in March, Kelber said attacked the Irish office over the speed with which it can deal with complaints.
Specifically, Kelber claimed that he has sent “more than 50 complaints about WhatsApp” to the Irish commissioner, “none of which had been closed to date”.
He complained of the Irish DPC’s office “extremely slow case handling, which falls significantly behind the case handling progress of most EU and especially German supervisors”.
Additional reporting by AFP
To embed this post, copy the code below on your site
have your say