The Data Protection Commission (DPC) has hit WhatsApp with a record €225 million for breaches of its obligations under the EU’s GDPR data-privacy rules.
The watchdog has also reprimanded the Facebook-owned company, and has ordered it to bring its data-processing into compliance by taking “a range of specified remedial actions”.
The DPC began its investigation in December 2018. The probe examined whether WhatsApp had provided enough information to users and non-users of its service – and whether that information had been transparent enough.
This included information provided to users about the processing of information between WhatsApp and other Facebook companies.
After its investigation, the DPC submitted a draft decision to other European data regulators in December 2020. After objections from eight of these regulators, and subsequent discussions, the DPC triggered the GDPR’s dispute-resolution process.
This led to a binding ruling in July by the European Data Protection Board (EDPB), which ordered the DPC to increase its fine.
WhatsApp has indicated that it will appeal the ruling.
Data-law experts said the fine highlighted the importance of complying with GDPR rules on transparency for users, non-users, and the data-sharing between group entities.
John Magee (head of DLA Piper’s privacy, data-protection, and security practice in Ireland) said that the decision showed the EU’s “complex consistency and dispute-resolution processes at work”,
“An eye-catching aspect of that process was the increase in the size of the fine, from a range of €30m-€50m first proposed by the DPC,” he added.