Following an investigation that started in December of 2018, the Irish Data Protection Commission has announced a €225 million fine on WhatsApp for allegedly violating GDPR transparency obligations. The investigation examined whether WhatsApp has discharged its GDPR transparency requirements in accordance with EU regulations with regards to both users and non-users of the company's messaging service. It is the second large EU privacy fine against an American tech giant this year and the second largest since the GDPR came into effect in 2018.
GDPR, or General Data Protection Regulation, regulates data protection and privacy in the European Union (EU) and the European Economic Area (EEA). Formulated by the European Commission in 2016, it aims to protect the privacy of EU citizens with regard to the processing of personal data and regulating how such information may be collected and disseminated within the territory and beyond. The regulation has been the basis for many investigations into a number of leading American tech companies since it went into effect three years ago.
In a statement issued Thursday, Ireland's Data Protection Commission (DPC) announced the massive fine on the Facebook-owned instant messaging service for failing to disclose to EU residents about what it does with user data. In addition to the fine, the agency also issued a reprimand along with an "order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions." As part of the deal, the DPC gave WhatsApp three months to ensure compliance with all GDPR provisions and with other European privacy laws in order to escape further censure.
WhatsApp Intends To Appeal
Speaking to the media following the announcement of the DPC's decision, WhatsApp said the company would appeal against the fine. "We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate," a spokesperson was noted saying, according to the BBC. WhatsApp is also committed towards ensuring information shared "is transparent and comprehensive," according to the same statement.
The latest salvo from Europe against a US tech giant comes a little over one month after Luxembourg's privacy regulator, the CNPD, issued a massive fine against Amazon for allegedly violating GDPR regulations. In that case, the agency issued a record €750 million fine against the Seattle-based online retail behemoth for improperly using customer data in advertising. This is also the second notable judgement issued by the DPC against an American tech firm following a €450,000 fine issued against Twitter last December for failing to properly declare a massive data breach that affected thousands of users.
Source: Data Protection Commission