Facebook's WhatsApp Hit With $266 Million GDPR Fine
Transparency Shortfalls Cited, as WhatsApp Accused of Not Revealing Data Sharing
Ireland's Data Protection Commission has fined WhatsApp 225 million euros ($266 million) after finding that it violated the EU's General Data Protection Regulation by failing to disclose to users how their data was being shared with parent company Facebook.
In addition to the fine, the 266-page decision by the DPC, which enforces GDPR compliance in Ireland, orders WhatsApp to bring its processing into compliance by implementing eight remedial actions within the next three months.
WhatsApp says it will appeal the decision, which follows a three-year investigation by the DPC. WhatsApp contends that the fine is "out of step with previous GDPR-related fines" levied against other technology giants.
"We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so," a WhatsApp spokesperson tells Information Security Media Group. "We disagree with the decision today regarding the transparency we provided to people in 2018, and the penalties are entirely disproportionate."
EU Board Ordered Higher Fine
Ireland's Data Protection Commission says that after consulting other EU countries' privacy watchdogs, it initially proposed a fine in the range of 30 million euros to 50 million euros.
But the European Data Protection Board, which is an independent European body charged with helping to maintain consistent enforcement of privacy regulations across the region, reviewed the WhatsApp case and on July 28 issued a binding decision instructing the DPC to reassess and increase its proposed fine. The DPC says that based on the board's instructions, it increased the fine to 225 million euros.
"An eye-catching aspect of that process was the increase in the size of the fine from a range of 30 million to 50 million euros first proposed by the DPC," says John Magee, who heads law firm DLA Piper's privacy, data protection and security practice in Ireland. "The fine highlights the importance of compliance with the GDPR's rules on transparency in the context of users, non-users and data sharing between group entities."
WhatsApp has now received the second-highest fine issued so far under GDPR, outranked only by an $885 million fine against Amazon, which was issued in July, says Jonathan Armstrong, a compliance and technology lawyer with London-based law firm Cordery.
Another notable aspect about this case is that it "went through the EDPB's harmonization process," thus signaling the level of fines the board deems to be appropriate for this type of case, and suggesting that "more high fines might be on the way," he says.
WhatsApp Charged With Negligence
Helen Dixon, Ireland's commissioner for data protection, says WhatsApp was guilty of negligence because it was not clear to end users how WhatsApp was sharing users' data with its parent company.
The Data Protection Commission began an investigation in December 2018, seven months after GDPR went into full effect, into whether WhatsApp had met its GDPR transparency obligations.
The investigation was spurred by 88 complaints made against WhatsApp regarding user data transparency that were forwarded by the supervisory authorities of eight EU member states, the DPC said.
Ireland's DPC led the Facebook investigation because Facebook's European operations are headquartered in Dublin, which means that under GDPR's "one stop shop" provisions, the local data protection authority takes the lead on all privacy investigations.
The DPC says it "examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp's service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies."
The DPC says it found that WhatsApp's practices infringed four specific parts of GDPR:
- Article 5, covering principles relating to processing of personal data;
- Article 13, covering information to be provided when personal data gets collected from a data subject;
- Article 14, covering information to be provided when personal data has not been obtained from a data subject;
- Article 15, which concerns a data subject's right to access their personal data from a controller.
"In terms of the character of the infringements, my view is that they each ought to be classified as negligent," Dixon says. "Such a classification, in my view, reflects carelessness on the part of the controller or processor concerned."
Facebook Calls Fine 'Out of Step'
"We support regulation that encourages companies to protect people's private information. WhatsApp has gone beyond many companies' privacy efforts, protecting people's personal conversations with end-to-end encryption. We do not keep logs of who everyone is messaging and do not share your contacts with Facebook," the company says.
Facebook also notes that the fine is much higher than those imposed on other companies cited for similar issues. "The fine we have received is out of step with previous GDPR related fines - for example, in 2019, Google, a company twice the size of Facebook, was fined 50 million euros for 'lack of transparency, inadequate information and lack of valid consent regarding ads personalization,'" the company says.
But Dixon says the seriousness of the allegations leveled against WhatsApp warranted a high fine in part to dissuade others from failing to comply in full with Europe's privacy regulation.
"I am satisfied that the fines proposed above do not exceed what is necessary to enforce compliance with GDPR, taking into account the size of WhatsApp's user base, the impact of the infringements - individually and collectively - on the effectiveness of the data subject rights enshrined in chapter III of the GDPR," she says.