WhatsApp fined €225m for GDPR transparency failings

Out-Law News | 03 Sep 2021 | 7:54 am

Ireland’s Data Protection Commission (DPC) has fined WhatsApp €225 million for failings of transparency under EU data protection laws and ordered the company to amend its practices within three months.

The fine concerns failures identified in the information the company provided to European users and non-users about how it processes their data and about their rights as data subjects.

WhatsApp said it disagrees with the decision and believes the penalties imposed on it are “entirely disproportionate”. The company plans to appeal, according to a report by the Irish Times.

The final fine of €225m is much greater than the one the DPC had originally proposed to serve on WhatsApp. The increase reflects interventions made by other European authorities.


In late 2020, following an investigation that began in 2018, the DPC indicated its intention to serve WhatsApp with a fine of between €30m and €50m over breaches it said the company was responsible for under Articles 12, 13 and 14 of the EU General Data Protection Regulation (GDPR). However, as the case concerned not just Irish consumers but those from across Europe too, the DPC was required to consult other data protection authorities in the EU on its actions under the GDPR’s ‘one stop shop’ mechanism.

Some authorities, including those in France, Germany and the Netherlands, raised objections with the DPC’s draft decision and, when a compromise could not be agreed, the matter was referred to the European Data Protection Board (EDPB) for a binding decision, which has now been published.

The final decision issued by the DPC reflects additional findings of infringement made by the EDPB, which include that WhatsApp breached the principle of transparency under Article 5 of the GDPR – a fact that on its own accounts for €90m of the overall final fine imposed.

The WhatsApp case is the second cross-border GDPR enforcement case led by the DPC in which the EDPB has issued a binding decision. In December 2020 the EDPB endorsed a draft decision that the DPC had reached in a case involving Twitter. In doing so, the EDPB effectively determined that the other authorities that had raised objections in that case had failed to clearly demonstrate that the DPC's draft decision posed significant risks to the fundamental rights and freedoms of data subjects, as the GDPR requires.

The EDPB took a different view of the DPC’s draft decision in the WhatsApp case, ordering the Irish regulator to reflect its additional findings of infringements of transparency and its views on how the level of fine should be calculated in its final decision. It also ordered the DPC to revise down, from six months to three months, the period that WhatsApp should be given to change its data processing to comply with the GDPR.

Under the GDPR, fines of up to 4% of a company’s annual global turnover, or €20m, whichever is higher, can be imposed for the most serious breaches – which include those falling under Articles 5, 12, 13 and 14 of the regulation, all of which were relevant in this case.

In assessing how the fine against WhatsApp should be calculated, the EDPB ordered the DPC to factor in the turnover of all the component companies falling under the umbrella of Facebook Inc, WhatsApp’s parent company. It also clarified that a company's total turnover is a factor that can be considered when ensuring the actual level of penalty decided upon is “effective, proportionate and dissuasive”, as the regulation requires; it is not relevant only for determining the maximum possible penalty that can be imposed under the GDPR.

The EDPB also provided guidance on the application of Article 83(3) of the GDPR, which concerns how fines should be calculated in certain cases. That provision states that, where an organisation is found to have intentionally or negligently infringed several provisions of the GDPR in respect of “the same or linked processing operations”, the total amount of the fine must not exceed the amount specified for the gravest infringement identified.

The DPC had argued that Article 83(3) restricted it to capping its total fine against WhatsApp at “the amount specified for the gravest infringement” – which, in the DPC's view, was the breach of Article 14. However, the EDPB disagreed.

In a statement, the EDPB said that “when faced with multiple infringements for the same or linked processing operations, all the infringements should be taken into consideration when calculating the amount of the fine”, provided that the level of fine is proportionate and does not exceed the maximum penalty that can be imposed under the GDPR.

Dublin-based data protection law expert Andreas Carney of Pinsent Masons, the law firm behind Out-Law, said: “The decision is multi-faceted. It provides a meaningful reference point for the interpretation of certain GDPR provisions for the first time, notably how the calculation of a fine is influenced by a finding of several infringements under Article 83(3). It also highlights the impact that the dispute resolution procedure under Article 65 of the GDPR can have on decisions made by authorities at a national level, both in terms of the findings themselves and the size of fines imposed, perhaps signalling a greater move toward establishing consistency in enforcement across member states.”