WhatsApp’s €225 million (U.S. $267 million) fine for data misuse and privacy violations under the EU’s General Data Protection Regulation (GDPR) earlier this month has broad implications not only for data protection authorities (DPAs) but for companies generally, experts say.
Lawyers and data specialists suggest the sanctions imposed against the firm—including the second-highest fine total under the GDPR to date—provide a much stronger indication about the path EU data regulators will take toward enforcement in the future. They also believe the decision gives a clearer view as to how companies should process and use data and gain consumers’ consent.
The intervention of the European Data Protection Board (EDPB), the body set up to monitor GDPR implementation and enforcement, has underlined the need for DPAs to agree on the nature of any complaints, their severity, and what level of fine and remedies should be imposed to ensure compliance in the future. Eight DPAs took views that differed sharply from the Irish Data Protection Commission’s (DPC) initial decision, particularly regarding the size of the fine.
Ireland had proposed a fine between €30 million and €50 million, based on the way France calculated its €50 million penalty against Google, but the EDPB said there needed to be closer attention paid to WhatsApp’s global turnover, thereby more than quadrupling the final figure.
The EDPB halved the time WhatsApp must comply with the decision—down from six months to three—and ordered the firm to comply with eight specific actions, one of which is an obligation to remind users of their GDPR rights.
WhatsApp has said it will appeal the decision.
“Fines will be higher now that the EDPB has confirmed the importance of turnover, and companies will need to act rapidly to correct failings,” says Simon Taylor, partner at Forensic Risk Alliance.
Peter Borner, co-founder of consultancy The Data Privacy Group, says the fine is “further proof of the ongoing tension between the Irish DPC and the EDPB, as well as other EU supervisory authorities.” He believes the EDPB’s involvement “will likely lead to the Irish DPC increasing the level of their fines to avoid any future complaints.”
He adds, “The fine is substantial and should pose a warning to other businesses that data privacy compliance should be a part of their company’s DNA. The initial upfront cost of compliance can put people off, but neglecting it costs so much more, as demonstrated by this nine-figure sum.”
The lengthy process to agree to a majority decision has led some experts to believe EU data protection regulators must get better at working in concert on cross-border investigations if they are going to hold large companies and Big Tech firms to account. “Some of these companies have the power and resources of a nation state. It is simply unrealistic to expect any one national data regulator to be able to bring them to heel,” says Will Richmond-Coggan, director at law firm Freeths.
More positively, some opine the WhatsApp decision can only provide more clarity to a regulation and enforcement regime still largely in its infancy. Nigel Jones, co-founder of data protection specialist The Privacy Compliance Hub, says the EDPB’s decisions are useful for companies because “they act to harmonize and achieve more consistency between the decision-making of all the national regulators.”
He adds the way the EDPB looked at the calculation of the fine and slashed the time to comply with the decision “should put all companies on notice that perhaps the regulators are starting to mean business.”
Organizations might also need to reconsider their approach to GDPR compliance going forward.
“Companies should be reminded transparency and openness in the processing of data is vital for both compliance and, more importantly, building consumer trust,” says Peter Galdies, consultant at data privacy compliance specialist DQM GRC. “Complex organizations should also remember they don’t have an absolute right to move data around their subsidiary organizations as a result.”
Ireland’s role as a regulator is likely to change, with the general expectation that the Irish DPC will get tougher on Big Tech firms as it continues to conduct its two dozen ongoing investigations into some of the world’s largest companies.
“The key message for organizations that have chosen Ireland as their EU HQ is the hoped-for ‘light touch’ regulatory regime is starting to harden under pressure from the rest of the EU,” says Alan Calder, chairman of information security provider IT Governance.