Following an investigation into WhatsApp Ireland Ltd, the Irish data regulator (DPC) has issued Facebook’s popular WhatsApp chat app with the second-largest GDPR fine of €225m.
The eye-watering fine of €225 million follows an investigation that started way back on 10 December 2018.
The DPC had submitted a draft decision to all Concerned Supervisory Authorities (CSAs) under Article 60 GDPR in December 2020. After objections from eight CSAs, the DPC was able to start the dispute resolution process (Article 65 GDPR) on 3 June 2021 and on 28 July 2021, the European Data Protection Board (EDPB) decided to impose the fine on WhatsApp under Article 65(1)(a) GDPR.
And a Reprimand
In addition to the fine, the DPC has imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.
The DPC has said that the investigation, which led to the fine, related to WhatsApp’s GDPR transparency obligations regarding the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. This included information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.
The problem with WhatsApp’s consumer services (not WhatsApp for Business), which is ‘explained’ in an 89-page document, appears to be that the ‘interests’ concerned, in relation to other business services and partners, are not described in a transparent and intelligible form. In other words, it seems that the EDPB thought that WhatsApp may not have supplied enough information to users about how their data is processed, and that its privacy policies (which have been subject to several updates) may not be clear enough.
WhatsApp has said that it disagrees with the decision about the transparency it provided to users in 2018 and has described the penalties as “entirely disproportionate”.
Not The Only One
Even though this is a bad break for WhatsApp, it is not the only big tech company to have found itself in trouble with data regulators. For example, in July, Amazon received a staggering $885 million fine over data privacy, and in 2020, Twitter was fined €450,000 after a GDPR infringement.
Data Sharing For EU Users
What Does This Mean For Your Business?
Even though one of the attractions of WhatsApp is its security and privacy, due to its end-to-end encryption, this fine indicates that in 2018 there appears to have been a bit of a grey area in terms of how user data is processed and what some of the app’s privacy policies mean. The problem appears to have been serious enough to warrant (according to the EDPB) the second biggest GDPR fine ever. The news comes on the back of EU WhatsApp users having to accept their data being shared with Facebook (from February this year).
All this may be making WhatsApp users, particularly those who use WhatsApp for business, nervous about their privacy on the app in terms of details about their business and the passing on of their data (for targeted advertising). Also, Facebook has faced significant trust issues with users since the Cambridge Analytica unauthorised data-sharing scandal, and having to share data with Facebook may be off-putting and may make them think about looking around for other possible secure comms apps.
This fine represents some very poor publicity for WhatsApp at a time when it has been trying to compete with the likes of Snapchat and Apple, while nevertheless getting some good headlines too by announcing new features like its ‘View Once’ feature for photos and videos, and its ‘disappearing messages’ feature.