WhatsApp Slapped a Record $225M Euro Fine for Breaching Europe’s GDPR

The Irish data protection regulator on Thursday slapped the Facebook-owned messaging app with a record 225 million euro ($266 million) fine after the EU privacy watchdog pressured Ireland to raise the penalty for the company’s privacy breaches. Though WhatsApp maintains that the fine was “entirely disproportionate” and that it would appeal. Still, the Irish fine is significantly less than the record $886.6 million euro fine meted out to Amazon by the Luxembourg privacy agency in July. 

WhatsApp has been under investigation by the Irish DPC, its lead data supervisor in the European Union, since December 2018 — several months after the first complaints were fired at WhatsApp over how it processes user data under Europe’s General Data Protection Regulation (GDPR), once it begun being applied in May 2018. “This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies,” the Irish regulator said in a statement.

A WhatsApp spokesperson said in a statement the issues in question-related to policies in place in 2018 and the company had provided comprehensive information. “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.” EU privacy watchdog the European Data Protection Board said it had given several pointers to the Irish agency in July to address criticism from its peers for taking too long to decide in cases involving tech giants and for not fining them enough for any breaches.

It said a WhatsApp fine should take into account Facebook’s turnover and that the company should be given three months instead of six months to comply. Europe’s landmark privacy rules, known as GDPR, are finally showing some teeth even if the lead regulator for some tech giants appears otherwise, said Ulrich Kelber, Germany’s federal commissioner for data protection and freedom of information.

Data regulators from eight other European countries triggered a dispute resolution mechanism after Ireland shared its provisional decision in relation to the WhatsApp inquiry, which started in December 2018. In July, a meeting of the European Data Protection Board issued a “clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained”, the Irish regulator said. “Following this reassessment the DPC has imposed a fine of 225 million euros on WhatsApp,” it said.

The Irish regulator also reprimanded and ordered WhatsApp to bring its processing into compliance by taking “a range of specified remedial actions”. The Irish regulator had 14 major inquiries into Facebook and its subsidiaries WhatsApp and Instagram open as of the end of last year. Schrems said he would monitor the company’s appeal closely. “It is to be expected that this case will now be before the Irish Courts for years and it will be interesting if the DPC is actively defending this decision before the Courts, as it was forced to make such a decision by its EU colleagues at the EDPB.”