The Irish Data Protection Commission (“DPC”) fined Facebook’s WhatsApp with EUR 225 million in its latest EU data protection ruling. The fine is the second largest of its kind in the EU. So far, only Amazon paid more in a privacy case in the EU.
The DPC said in its ruling on September 2 that WhatsApp’s policies were not in line with the EU’s General Data Protection Regulation (“GDPR”), noting it registered breaches of Article 5(1)(a) as well as Articles 12 through 14. The breaches particularly include the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. As a result, WhatsApp will have to take a series of additional actions to comply with EU rules.
WhatsApp said in a statement following the ruling that the fine is “entirely disproportionate” and that they “disagree” with the DPC’s decision. The tech company may still challenge the decision in court.
The move from the DPC came after eight stakeholders objected to the DPC’s initial, smaller fine. The group failed to reach a consensus on the fine, triggering a dispute resolution mechanism before the European Data Protection Board (“EDPB”). In a ruling in July, the EDPB ordered the Irish watchdog to increase the fine.
The WhatsApp data protection ruling came three years after the Irish watchdog started its investigation into the case.
See more Gecić Law articles on WhatsApp and Data Protection here and here.