Advertisement

We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

€2 a Month €5 a Month One-off amount
WhatsApp logo. Alamy Stock Photo
GDPR

WhatsApp Ireland fined €5.5 million for breaches of GDPR

The Data Protection Commission also announced that WhatsApp Ireland has six months to bring its data processing operations into compliance.
1.38pm, 19 Jan 2023
13.2k
5

WHATSAPP IRELAND HAS been fined €5.5 million for breaches of GDPR.

The Data Protection Commission (DPC) has also announced that WhatsApp Ireland has been given six months to bring its data processing operations into compliance.

The EU’s General Data Protection Regulation, or GDPR, was adopted in 2016 and came into force on 25 May, 2018.

GDPR’s primary aim is to enhance people’s control and rights to their personal data.

The DPC inquiry concerned a complaint made on 25 May, 2018.

In advance of 25 May 2018, the date on which the GDPR came into operation, WhatsApp Ireland updated its Terms of Service.

Users were informed that if they wished to continue to have access to the WhatsApp service following the introduction of the GDPR, existing (and new) users were asked to click “agree and continue” to indicate their acceptance of the updated Terms of Service.

The WhatsApp services would not be accessible if users declined to do so.

In a statement issued today, the DPC outlined that WhatsApp Ireland considered that a  contract was entered into between WhatsApp Ireland and the user, upon the user accepting the updated Terms of Service.,

WhatsApp Ireland also took the position that the processing of users’ data in connection with the delivery of its service was necessary for the performance of that contract, including the provision of service improvement and security features, so that such processing operations was lawful under GDPR regulations.

However, the complainant contended that, contrary to WhatsApp Ireland’s stated position, WhatsApp Ireland was seeking to rely on consent to provide a lawful basis for its processing of users’ data.

The complainant argued that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, WhatsApp Ireland was “forcing” them to consent to the processing of their personal data for service improvement and security.

The complainant argued that this was in breach of the GDPR.

Following a “comprehensive investigation”, the DPC found that information in relation to the legal basis relied on by WhatsApp Ireland was not clearly outlined to users.

This was described as a “breach of its obligations in relation to transparency” and resulted in users having “insufficient clarity as to what processing operations were being carried out on their personal data, and for what purposes”.

While the DPC considered this to be in contravention of GDPR, it did not impose a fine because WhatsApp Ireland had already been hit with a substantial fine of €225 million for similar breaches over the same period.

The DPC then went on to consider whether WhatsApp Ireland was obliged to rely on consent as its legal basis in connection with the delivery of the service, including for service improvement and security purposes.

While there was disagreement with peer regulators in the EU over this issue, the European Data Protection Board (EDPB) found that WhatsApp Ireland “was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security”.

In light of this additional infringement of the GDPR, the DPC imposed an administrative fine of €5.5 million on WhatsApp Ireland, and ordered WhatsApp Ireland to bring its processing operations into compliance with the GDPR within six months.

The EDPB has also directed the DPC to conduct a fresh investigation that would span all of WhatsApp Ireland’s processing operations in order to determine if it complies with the relevant obligations under the GDPR.

However, the DPC’s said its decision “does not include reference to fresh investigations of all WhatsApp data processing operations”.

The DPC added that this “direction is problematic in jurisdictional terms” and that this “direction may involve an overreach on the part of the EDPB”.

The DPC will bring an action for annulment before the Court of Justice of the European Union in order to seek the setting aside of the EDPB’s direction, which the DPC said would result in an “open-ended and speculative investigation”.

Making a difference

A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

For the price of one cup of coffee each week you can make sure we can keep reliable, meaningful news open to everyone regardless of their ability to pay.

Support us Learn More

Author
Diarmuid Pepper
diarmuidpepper@thejournal.ie
@Diarmuid_9
Send Tip or Correction
Read Next
More Stories
Related Tags
Your Voice
Readers Comments
5
This is YOUR comments community. Stay civil, stay constructive, stay on topic. Please familiarise yourself with our comments policy here before taking part.
Leave a Comment
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.

    Leave a commentcancel