Facebook-owned WhatsApp has recently been slapped with multiple data breach penalties as controversy continues to rage over how it processes and protects user data.
Record fine handed down to WhatsApp
Ireland’s Data Protection Commission (DPC) has fined WhatsApp a record €225 million (£193m) for violating the European Union’s (EU) General Data Protection Regulation (GDPR). It is the most significant fine the DPC has ever handed down and the second biggest penalty ever given to a tech company under EU legislation.
A DPC statement said the GDPR infringements “includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.”
In addition to handing down the fine, the DPC has also ordered WhatsApp to review and update its policies to ensure user data is protected in line with the GDPR.
Transparency is at the heart of this case, with the DPC ruling that WhatsApp only provided 41% of the required prescribed information concerning data processing to its users. At the same time, non-users (for example, people using a different messaging app whose messages can be forwarded into WhatsApp) received no information. The latter scenario amounts to denying individuals the right to control their personal data.
DPC commissioner Helen Dixon said the four “very serious” infringements for which the fine had been handed down “violated the core of GDPR.”
In a 266-page ruling outlining the case against WhatsApp, Dixon commented, “They [the infringements] go to the heart of the general principle of transparency and the fundamental right of the individual to protection of his/her personal data which stems from the free will and autonomy of the individual to share his/her personal data in a voluntary situation such as this.”
WhatsApp, which is planning to appeal the ruling, said, “WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”
Fine much higher than initially proposed
The DPC is the EU’s lead data privacy regulator for tech businesses, including Facebook, whose European headquarters are in Ireland. Including this case, the DPC conducted 14 separate investigations into Facebook platforms (Facebook, WhatsApp, and Instagram) in 2020.
One notable aspect of this case is that the DPC initially proposed a far lower penalty. Dixon was set to fine WhatsApp between €30m and €50m; however, eight data regulators from EU nations rejected the proposal. Subsequently, the case was sent to the European Data Protection Board (EDPB), which ruled in July that the DPC must enforce a more significant penalty.
Commenting on this development, Dixon’s office remarked, “This decision contained a clear instruction that required the [Irish data protection commission] to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision and following this reassessment the DPC has imposed a fine of €225m on WhatsApp.
“In addition to the imposition of an administrative fine, the DPC has also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.”
Turkey and Russia also hand down fines
Just a day after the DPC finalised its fine, it was announced that Turkey’s Personal Data Protection Authority (KVKK) had handed down a €200,000 penalty to WhatsApp.
The Turkish case centred around confusion as to whether WhatsApp had introduced new data-sharing rules. Due to the wording of WhatsApp’s policies, the KVKK determined that WhatsApp was effectively forcing people to agree to all policies and to the transfer of their personal data as a condition of use.
Russia also handed down fines to both WhatsApp and Facebook in August for a failure to store Russian users’ data locally, which was also a finding in the Turkish case.