The Irish Data Protection Commissioner (DPC) has imposed a record EUR 225 million fine on WhatsApp Ireland Limited for breaching the General Data Protection Regulation’s (GDPR) transparency obligations ‘with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service’, including information about the processing of their data between WhatsApp and other Facebook companies.
So how did we end up here? Well, you need to cast your mind back three years to when this all began. The DPC, as the lead supervisory authority for WhatsApp in Europe, launched an inquiry looking at WhatsApp’s compliance with transparency obligations under the GDPR. After a comprehensive investigation (that took two years) the DPC submitted its draft decision to all Concerned Supervisory Authorities (CSA), as is required under Article 60 GDPR. Eight CSAs took issue with the draft decision and failing to reach a consensus the DPC had no option but to trigger the Article 65 GDPR dispute resolution process in June 2021. Little over a month later the European Data Protection Board (EDPB) adopted a binding decision, which was notified to the DPC. The EDPB made it clear that the DPC had to reassess their initial proposed fine of EUR 30 million – EUR 50 million to a ‘higher fine amount’ based on a number of factors set out in their decision and this reassessment led us to this record fine, a reprimand and a shortened time frame to comply with the remedial measures (from six months to three months). The EDPB’s ‘go back and think again’ will have done nothing to dispel a long-held view in Europe that Ireland is too lenient when it comes to policing data protection.
Not only is the fine colossal (in regulatory terms: the largest ever imposed by the DPC, and second to only the EUR 746 million fine imposed on Amazon in July ), the decision itself is 266 pages long! Those in a hurry might like to head direct to Appendix A and its summary of Directions and Findings to navigate to the relevant provisions.
This battle is not over yet as unsurprisingly WhatsApp disagrees with the decision, stating the penalties are disproportionate and that they plan to appeal the ruling. WhatsApp can appeal to the Irish High Court or to the European Court of Justice. It is expected the size of the fine will be the main ground for appeal, especially as it far exceeds the EUR 450,000 fine the DPC imposed on Twitter in December 2020 following the first ever use of the Article 65 GDPR dispute resolution mechanism.
And a certain privacy activist is nonplussed… While welcoming the ‘first decision by the Irish regulator’ Max Schrems stated:
‘…the DPC gets about ten thousand complaints per year since 2018 and this is the first major fine. The DPC also proposed an initial €50 million fine and was forced by the other European data protection authorities to move towards €225 million, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover. This shows how the DPC is still extremely dysfunctional.’
Finally, will this put a lid on the widely reported public row between the German Federal Commissioner for Data Protection and Freedom of Information (FCDPDI) and the DPC? Unlikely given the row was over the speed with which the DPC can deal with complaints and the fact it has many outstanding complaints, including ‘more than 50 complaints about WhatsApp’ from the FCDPDI alone! Is this a clash of cultures or an unfortunate by-product of Ireland’s ability to attract the big US tech companies? Only yet more time will tell!