WhatsApp slapped with second-largest GDPR fine of €225m
Instant messaging and VOIP service WhatsApp has been hit with a whopping €225 million fine after Ireland’s privacy watchdog found it had breached EU data protection rules.
The announcement wraps up an investigation that began in December 2018, after the General Data Protection Regulation (GDPR) took effect.
This is the largest fine to date from the Irish Data Protection Commission, and the second-highest under EU GDPR rules.
Topping the list, Amazon was fined a record €746 million fine for processing personal data in violation of GDPR rules at the end of July.
An investigation by the watchdog found WhatsApp broke strict regulations in relation to transparency of data shared with other companies also owned by parent firm Facebook, which bought WhatsApp in 2014 for approximately $19 billion.
In addition, the Irish Data Protection Commission said yesterday it was ordering WhatsApp to take "remedial actions", to ensure its processing complies with EU rules.
The commission said the case against WhatsApp looked at whether Facebook followed GDPR requirements to be transparent for both users as well as those who didn't use its service, including how people's data is processed between WhatsApp and other Facebook companies, including Instagram.
WhatsApp said it disagreed with the decision, as the fine was disproportionate, and said it planned to appeal.
The instant messenger company noted it is committed to providing a secure and private service. "We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so.”
Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network, believes the fine will be significantly reduced in court as has been seen with other major cases.
“The judicial process to get a final and enforceable decision will likely take several years. It's very unlikely any Europeans, whose privacy rights were allegedly violated by WhatsApp, will get any compensation.”
He adds that privacy experts argue GDPR does not serve its initial purpose of being a consistent pan-European privacy legislation that is capable of protecting personal data and deterring privacy violations.
“Given the growing disagreement between European DPAs on GDPR enforcement priorities and imposition of penalties, these concerns become even more real today. Moreover, data subjects are reluctant to enforce their rights under GDPR as it’s always time-consuming and may require a complex and costly process to litigate for penny compensation, if any.”
Kolochenko adds that GDPR is comprehensive and balanced, but its enforcement lacks teeth, and without an overhaul, impunity for GDPR violations will become the norm.