On 2 September 2021, Ireland’s data protection authority Data Privacy Commission (DPC), announced that it has issued a decision to fine Facebook-owned instant messaging service WhatsApp Ireland €225 million (or $267 million) after a three-year investigation.
The binding decision was issued after the European Data Protection Board (EDPB) intervened and required the DPC (lead supervisory authority for WhatsApp Ireland), to reassess the initially proposed fine regarding infringements of transparency, the calculation of the fine, as well as the timeframe for WhatsApp to comply.
It is the second-largest GDPR fine issued so far, surpassed only by the €746 million ($888 million) fine issued to Amazon.com.
1. Infringements of transparency
In addition to the DPC’s findings, the EDPB stated that WhatApp had committed a severe breach of the General Data Protection Regulation (Article 12, Article 13, and Article 14) related to the information to be provided to individuals.
EDPB identified additional shortcomings with the information provided, impacting individuals’ ability to understand the legitimate interests being pursued.
2. Calculation of the fine
The EDPB decided that the turnover of an undertaking, although not exclusively relevant for the determination of the fine amount, has to be taken into consideration to ensure the fine is proportionate and effective.
In this case, the EDPB decided to include the consolidated turnover of the parent company (Facebook Inc.) into the calculation.
3. Compliance timeframe
The initial DPC decision provided a six-month compliance period for Whataspp to bring its processing operations into compliance.
However, under the influence of the EDPB, DPC shortened the compliance period to three months in order to highlight the importance of GDPR’s transparency obligations.
WhatsApp’s response
WhatsApp has objected to the penalty as disproportionate and said that it would file an appeal stating: “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”
On November 10, WhatsApp was granted permission to challenge the fine in Ireland’s High Court.