The Irish Data Protection Commission (DPC) on Thursday announced a fine of 5.5 million euros (U.S. $5.9 million) against WhatsApp under the General Data Protection Regulation (GDPR) for forcing users to consent to updated terms and conditions or lose access to the service.
The penalty is the third the Irish DPC has assessed against Meta businesses this year for similar violations of the GDPR. On Jan. 4, the regulator announced fines of €210 million (then-U.S. $223 million) against Facebook and €180 million (then-U.S. $191 million) against Instagram.
Meta plans to appeal all three fines.
Like the other two cases, WhatsApp told users ahead of the GDPR’s effective date in May 2018 they would either need to consent to new terms and conditions regarding how the platform would use their personal data or leave. Acceptance, said WhatsApp, would constitute a “contract” and a legal basis for processing personal data to help improve the platform’s security and service levels.
The Irish DPC took the view while WhatsApp might have breached the GDPR’s principle on transparency over the way it failed to properly notify users about the changes, the regulator did not initially consider forced consent a breach of the rules.
Once again, however, the European Data Protection Board (EDPB) intervened and disagreed, saying reliance on a contract legal basis amounts to a contravention of Article 6(1) on lawful processing.
As part of the enforcement action, WhatsApp was ordered to bring its data processing operations into compliance within six months. A WhatsApp spokesperson said the company “strongly believes that the way the service operates is both technically and legally compliant” and disagreed with the decision.
Questions are bound to arise again as to why it has taken the Irish DPC—the EU’s lead supervisory authority for many Big Tech firms—4 1/2 years to reach a decision, why it failed to reach a consensus with other EU data regulators, and why its original decision needed to be changed by the EDPB.
The Irish DPC said its determination to fine WhatsApp just €5.5 million took into consideration its €225 million (then-$267 million) penalty against the company in September 2021 for largely the same failings over the same period.
In a blog post, privacy campaigner Max Schrems criticized the Irish DPC for issuing what he deemed a relatively low penalty and for limiting the scope of the investigation to Meta’s use of data to enable service and security improvements rather than looking at how WhatsApp uses personal data to steer behavioral advertising (as in the Facebook and Instagram decisions).
The EDPB directed the Irish DPC to investigate whether WhatsApp is processing and exchanging data with third parties to drive ad revenues. The Irish DPC countered by saying the EDPB does not have the authority to make such an instruction or “direct an authority to engage in open-ended and speculative investigation.” It is considering taking its case to the Court of Justice of the European Union, Europe’s supreme court, to prevent potential EDPB overreach.