The Data Protection Commission (DPC) has imposed a record fine on WhatsApp. The chat service has to pay an amount of 225 million euros for violating European privacy laws and regulations. It has not been transparent enough to users about what data the company collects and shares with other companies, including parent company Facebook.
DPC launches investigation into WhatsApp in 2018
The investigation into WhatsApp began in December 2018. The Irish regulator was tasked with investigating whether the chat service adhered to the transparency obligations laid down in the General Data Protection Regulation (GDPR). The European privacy law requires companies that collect and process personal data to make sure users know what data is involved, for what purposes this data is collected and with which companies this information is shared.
From day one, the DPC conducted the investigation on its own. That is because Europe works with a one-stop-shop mechanism: the regulator of the country where the head office of the company in question is located must investigate the matter. Since WhatsApp is headquartered in Dublin, the matter ended up on the DPC’s desk. The Irish privacy watchdog acted on behalf of other European regulators, including the Dutch Data Protection Authority.
Fine amounts to 225 million euros
In December 2020, two years after the investigation started, the DPC sent a draft report to all concerned regulators. Eight European regulators objected, saying the investigation was too limited because the Irish investigators looked at only a small number of elements of the chat service’s data collection practices.
To break the deadlock, the European Data Protection Board (EDPB) took a binding decision at the end of July. In it, the European interest group instructed the DPC to reassess and possibly increase the fine based on a number of factors included in the EDPB’s decision. After the Irish regulator had looked at the fine decision again, it decided to set the fine at 225 million euros.
WhatsApp makes these mistakes according to the Irish regulator
The fine decision (PDF), which has 266 pages, states that WhatsApp violated the GDPR in several ways. For example, the chat service processes all telephone numbers from the user’s contact list, even if it includes people who do not have WhatsApp on their smartphone. The phone numbers of non-users are run through a hashing algorithm, but before that happens, this data can be traced back to individuals. When WhatsApp processes data from non-users, it acts as a controller rather than a data processor, the regulator said.
The DPC also notes that WhatsApp is not transparent enough to users on several levels about the data it collects and for what purposes. For example, the chat service says that it can share data with other companies of parent company Facebook, including Instagram. However, it remains unclear whether users are required to accept the sharing of their data in order to use the chat service. WhatsApp thus violates Article 13 of the GDPR.
Finally, the Irish regulator says WhatsApp is not “fair and transparent” about the collection of data, which is a violation of Article 5 of the GDPR. That article states, among other things, that personal data must be processed in a manner that is ‘lawful, fair and transparent’ towards the data subject. The article also lays the foundation for minimal data processing, which is also known as data minimization. It further states that the controller must take ‘appropriate technical or organizational measures’ to ensure that information security is in order.
WhatsApp is going to fight the fine
A spokesperson for WhatsApp tells Reuters news agency that he finds the fine of 225 million euros “completely disproportionate”. “WhatsApp is committed to providing a secure and private service. We have worked to ensure that the information we provide is transparent and complete and will continue to do so. We disagree with today’s decision on the transparency we provided to people in 2018. And the penalties are completely disproportionate,” the spokesperson said.
He confirms that WhatsApp will appeal against the fine. The fine of 225 million euros is the highest fine imposed by the DPC to date. It is not the highest GDPR fine ever handed out. Last month, Amazon was fined 746 million euros by the Luxembourg privacy watchdog CNPD.