Irish Watchdog Fines WhatsApp $266 Million for ‘Severe’ Breaches of Privacy Law

By Katabella Roberts
Katabella Roberts
Katabella Roberts
Katabella Roberts is a reporter currently based in Turkey. She covers news and business for The Epoch Times, focusing primarily on the United States.
September 2, 2021 Updated: September 2, 2021

The Irish Data Protection Commission (DPC) has imposed a record 225-million-euro ($266 million) fine on WhatsApp Ireland for infringements of data protection rules on Sept. 2. It follows an inquiry into the messaging app’s transparency around sharing personal data with other Facebook companies.

The sanction on the messaging service, which is owned by Facebook, is the largest fine ever imposed by the DPC and the second largest penalty ever levied on an organisation under EU data laws.

Ireland’s DPC, which is the lead data privacy regulator for Facebook within the European Union, said the issues related to whether WhatsApp conformed in 2018 with EU data rules about transparency and how it handles information.

The DPC’s investigation commenced on Dec. 10, 2018 and examined whether WhatsApp had discharged its General Data Protection Regulation (GDPR) transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of its service.

“This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies,” the Irish regulator said in a statement.

The DPC concluded its investigation last year, and sent a draft decision to all Concerned Supervisory Authorities (CSAs) for consideration, as required by GDPR.

WhatsApp
WhatsApp app is seen on a smartphone in this illustration taken on July 13, 2021. (Dado Ruvic/Illustration/Reuters)

The DPC subsequently received objections from eight CSAs and was unable to reach consensus with the authorities on the subject matter of the objections, including the DPC’s proposed fine of up to 50 million euros ($59 million), and triggered the dispute resolution process on June 3, 2021.

Because the DPC was not able to reach a consensus with the other regulators on how to proceed, the case was referred to the European Data Protection Board (EDPB) on July 28, 2021.

The DPC said the decision “contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision.”

Following this, the DPC imposed a fine of 225 million euros on WhatsApp.

In addition to the imposition of an administrative fine, the DPC also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of remedial actions.

WhatsApp said the fine was “entirely disproportionate” and that it would appeal.

“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” a WhatsApp spokesperson told Reuters.

“We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate,” the spokesperson’s statement added.

An appeal can be made either to the Irish High Court or directly to the European Court of Justice.

The Irish regulator had 14 major inquiries into Facebook and its subsidiaries WhatsApp and Instagram open as of the end of last year.

Reuters contributed to this report.

Katabella Roberts is a reporter currently based in Turkey. She covers news and business for The Epoch Times, focusing primarily on the United States.