Ireland’s Data Protection Commission (DPC) on Thursday announced a record-breaking €225 million (U.S. $267 million) fine against WhatsApp Ireland for violations of the General Data Protection Regulation (GDPR).
Additionally, the Irish DPC issued a reprimand and ordered WhatsApp, a subsidiary of social media giant Facebook, to bring its data processing practices into compliance by adopting “a range of specified remedial actions.”
The penalty is by far the largest to date handed out by the Irish DPC, the primary EU overseer of Facebook, Google, Twitter, and other tech giants. It is dwarfed by a €746 million (U.S. $886 million) GDPR fine proposed against Amazon by the Luxembourg National Commission for Data Protection in July for unlawful processing of personal data.
The Amazon fine and related data privacy improvements the company must make have yet to be formally announced by the Luxembourg regulator.
When compared to Amazon’s GDPR fine, the Irish DPC’s action against WhatsApp stands out for two significant reasons. First, it exposes how inconsistently regulators approach the setting of GDPR fines; and second, the 266-page decision is replete with compliance lessons.
The backstory: In December 2018, the Irish DPC launched an investigation specifically into WhatsApp’s transparency obligations after receiving numerous complaints from users and nonusers alike concerning the company’s data processing activities. The Irish DPC further received a mutual assistance request from the German Federal Data Protection Authority that addressed the potential sharing of personal data between WhatsApp and other Facebook units (Facebook acquired WhatsApp in 2014).
Following a two-year investigation, the Irish DPC concluded WhatsApp failed in its transparency obligations, specifically in violation of Articles 12, 13, and 14 of the GDPR. Because WhatsApp’s service entails cross-border processing throughout the European Union, this triggered a co-decision-making process required by Article 60 of the GDPR. In December 2020, the Irish DPC submitted its draft decision to all concerned supervisory authorities.
The findings: Eight countries objected to the agency’s findings for a variety of reasons. Some supervisory authorities argued about the specific GDPR violations at issue, while others claimed the Irish DPC’s proposed fine (in the range of €30-50 million) was “ineffective, disproportionate, and non-dissuasive.” Ireland’s proposed penalty appeared to be based on France’s €50 million fine against Google under the law in January 2019, which multiple authorities claimed was not a comparable benchmark.
Another country said the six-month deadline the Irish DPC gave WhatsApp to get into compliance was too long.
Failure to reach a consensus triggered the dispute resolution process, as required under Article 65 of the GDPR. On July 28, the European Data Protection Board (EDPB) adopted a binding decision instructing the Irish DPC to “reassess” and increase its original proposed fine. The EDPB based its decision on several factors. Following this reassessment, the Irish DPC imposed the final €225 million fine.
WhatsApp said it will appeal the enforcement action. “We disagree with the decision … regarding the transparency we provided to people in 2018, and the penalties are entirely disproportionate,” the company said in a statement.
European privacy campaigner Max Schrems, who founded privacy advocacy group noyb, welcomed the decision but added, “The DPC is still extremely dysfunctional.” The agency gets about 10,000 complaints per year, he said, “and this is the first major fine.”
The Irish DPC in December announced a €450,000 (then-U.S. $547,000) fine against Twitter for failing to report a data breach within 72 hours, a sanction that left many scratching their heads. Some EU data protection authorities thought the sanction should have been as high as €22 million, though Ireland has stood by its decision.
Last year, WhatsApp set aside €77.5 million for possible fines arising from the Irish DPC’s investigation. Its parent company Facebook booked €302 million, as it and its affiliates are the subject of nearly a dozen other probes in Ireland under the GDPR.