By Staff Writer
Ireland’s Data Protection Commission (DPC) has concluded a long-running investigation into breaches of European Union General Data Protection Regulations (GDPR) by WhatsApp Ireland Ltd, fining the popular messaging platform AU$359 million.
The investigation found WhatsApp breached GDPR transparency obligations regarding the provision of information and the transparency of that information to both users and non-users of WhatsApp.
Facebook purchased WhatsApp in 2014 in a $16 billion cash and stock deal. Now the most popular messaging app worldwide, WhatsApp has over two billion active monthly users.
But the DPC’s investigation established that WhatsApp failed to provide information on how data is collected “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
The investigation also found WhatsApp did not inform users about where they stored data and how to access that data. The app also failed to notify users when third parties obtained and used their personal data and where this data came from.
The DPC concluded its investigation in late 2020 and submitted it to the European Data Protection Board (EDPB) for approval. According to the three-year-old GDPR, companies are regulated by the laws of the country that serves as their European base.
Like many other tech companies, Facebook is based in Ireland due to low corporate tax rates. Ireland’s DPC became the lead agency in a pan-European investigation into WhatsApp privacy breaches. Under GDPR law, companies can be fined as much as 4% of their annual sales.
The privacy agencies of eight other EU nations lodged objections to the DPC’s December 2020 draft submission to the EDPB.
“The DPC was unable to reach consensus with the Concerned Supervisory Authorities on the subject matter of the objections and triggered the dispute resolution process (Article 65 GDPR) on 3 June 2021,” a statement from the DPC reads.
Included in those objections was the DPC recommended penalty of $59 million. Other EU nations said it did not reflect the seriousness of the breaches. At issue was not just the severity of the privacy breaches but the number of breaches. In late July, the EDPB adopted a binding decision and notified the DPC.
“This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision.”
The handling and length of the WhatsApp investigation has seen the DPC heavily criticized. The agency has 28 privacy probes underway but is reportedly underfunded and under-resourced. Ireland’s Parliament recently accused the DPC of failing to protect Irish interests.
Meanwhile, WhatsApp had set aside nearly $124 million to pay any fines. That amount is now a significant shortfall on the final fine.
“We disagree with the decision today regarding the transparency we provided to people in 2018,” WhatsApp said in statement. “The penalties are entirely disproportionate. We will appeal this decision.”
Friday’s DPC announcement capped an expensive week for WhatsApp in Europe. On Friday, Turkey’s Personal Data Protection Authority also fined WhatsApp $310,000 for unrelated privacy breaches.