WhatsApp faces €225m fine for breaching privacy regulations
The Irish Data Protection Commission (DPC) has slammed €225 million (~$267 million) on Facebook-owned WhatsApp after an investigation found it in breach of users’ data privacy.
The Irish DPC is Ireland’s lead data supervisor in the European Union. Since 2018, the regulator said the messaging app has been under investigation over issues involving whether WhatsApp supplied enough information to users about how their data was processed and if its privacy policies were clear enough. The European General Data Protection Regulation (GDPR) begun being applied in May 2018.
WhatsApp has described the fine as “entirely disproportionate” and would be appealed. While the fine is the largest from Ireland so far, it is significantly less than the record $886.6 million EU fine slammed on Amazon by the Luxembourg privacy agency in July.
“The fine will undoubtedly be appealed by Facebook and will likely be significantly reduced in court as we already witnessed with other major cases. The judicial process to get a final and enforceable decision will likely take several years. It’s very unlikely any Europeans, whose privacy rights were allegedly violated by WhatsApp, will get any compensation,” said Ilia Kolochenko, Founder of ImmuniWeb, and a member of Europol Data Protection Experts Network.
The GDPR provides that entities processing people’s data must be clear, open, and honest with the people on how their information is being utilised. The DPC’s decision considered whether WhatsApp fulfills transparency obligations to both users and non-users of its service (WhatsApp may, for example, upload the phone numbers of non-users if a user agrees to it ingesting their phone book which contains other people’s personal data); as well as looking at the transparency the platform offers over its sharing of data with its parent entity Facebook.
The European Data Protection Board said it had given the Irish agency several pointers to address criticism from its peers that it took too long to decide in cases involving tech giants and for not fining them enough for any breaches.
Apart from the fine, the agency ordered WhatsApp to take a number of actions to improve the level of transparency it offers users and non-users – giving the tech giant a three-month deadline for making all the ordered changes.
However, some privacy experts have said the GDPR does not serve its initial purpose of being consistent pan-European privacy legislation capable of protecting personnel data and deter privacy violations.
“Given the growing disagreement between European DPAs on GDPR enforcement priorities and imposition of penalties, these concerns become even more real today. Moreover, data subjects are reluctant to enforce their rights under GDPR as it’s always time-consuming and may require a complex and costly process to litigate for penny compensation if any,” said Kolochenko. “GDPR is a comprehensive, balanced and well-thought law – but its enforcement needs an overhaul, otherwise, impunity for GDPR violations will become a norm.”