Ireland’s data privacy watchdog imposed a record fine of €225 million (£193 million) on WhatsApp for violating EU data protection rules.
The Dublin-based Data Protection Commission (DPC) announced the decision Thursday after a three-year investigation into the messaging app, which is owned by Facebook. It ordered WhatsApp to correct its policies to protect personal data.
WhatsApp called the fine “completely disproportionate” and said it would appeal.
It is the largest fine imposed by the DPC, which has pan-European powers, and the second largest imposed on a technology company under EU law.
The watchdog said WhatsApp had committed “serious” and “serious” breaches of the general data protection regulation (GDPR), a landmark rule on transparency that became applicable in 2018.
“This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies,” it said in a statement.
In the 266-page resolution, Commissioner Helen Dixon said the company provided only 41% of the prescribed information to users of its service. Non-users, whose messages sent in other applications could be forwarded to the platform by WhatsApp users, did not receive any information, denying them the right to control their personal data.
Four “very serious” breaches violated the core of GDPR, Dixon said. “They go to the heart of the general principle of transparency and the fundamental right of the person to the protection of their personal data that derives from the free will and the autonomy of the person to share their personal data in a voluntary situation like this.”
The violations affected an “extremely high” number of people, the watchdog said.
WhatsApp, which was bought by Facebook in 2014, contested the ruling. “WhatsApp is committed to providing a safe and private service. We have worked to ensure that the information we provide is transparent and complete and will continue to do so. We do not agree with today’s decision regarding the transparency that we provide to people in 2018 and the sanctions are completely disproportionate.”
The messaging application is used by a quarter of the world’s population. Since Facebook acquired it, digital rights advocates have accused Mark Zuckerberg of breaking a promise to respect the privacy of WhatsApp users’ data.
The DPC is the main data privacy regulator in the EU for Facebook and other large tech firms that have their European headquarters in Ireland. Last year it had 14 major inquiries into Facebook, WhatsApp, and Instagram, which is also owned by Facebook.
Some other European watchdogs have alleged that the Irish agency lacks resources, is slow and weak when it comes to punishing privacy violations – accusations Dixon has rejected.
The record fine does not necessarily indicate sharper teeth in Dublin. When Dixon finished her investigation into WhatsApp last year, she proposed a much more modest fine, reportedly in the range of €30 million to €50 million.
Eight data regulators in other EU countries rejected that. The issue was referred to the European Data Protection Board (EDPB), which oversees the GDPR. In July it issued a binding ruling, which the Irish watchdog must now enforce.
“This decision contained a clear instruction that required the [Irish data protection commission] to reevaluate and increase its fine proposal based on a series of factors contained in the EDPB’s decision and after this reevaluation, the DPC has imposed a 225 million euro fine on WhatsApp,” said Dixon’s office.
“In addition to the imposition of an administrative fine, the DPC also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by adopting a series of specific corrective measures.”
John Magee, a data privacy specialist at the DLA Piper law firm, said: “A striking aspect of that process was the increase in the size of the fine from a range of €30 million to €50 million first proposed by the DPC.
“The fine highlights the importance of compliance with the GDPR rules on transparency in the context of users, non-users and the exchange of data between group entities.”
George is Digismak’s reporter cum editor with 13 years of experience in journalism.