After a lengthy investigation by the European Union’s lead data regulator Ireland’s Data Protection Commission (DPC), the popular messaging service WhatsApp owned by social media giant Facebook has been fined $267m on how they process user data.
The first allegations of data handling misuse were made back in early 2018, and the DPC began its investigation into WhatsApp in December 2018, months after the European Union passed the infamous General Data Protection Regulation (GDPR) in May of the same year.
One of the fundamental provisions of the GDPR is that companies who handle data about their users must be ‘clear, open, honest and transparent with how their information and data will be used and handled.
The DPC found that WhatsApp had breached the provisions of GDPR over how their handle data, giving a multitude of reasons. For example, WhatsApp may receive data such as phone numbers of people who do not use their services if a WhatsApp user syncs their phone contact information with the service. WhatsApp, therefore, has access to several phone numbers without the phone number holders’ consent. The DPC looked at other instances where WhatsApp handled personal data of both users and non-users and found that they were also not transparent to the people the data belonged to.
The DPC found WhatsApp had infringed a string of transparency obligations set out in the GDPR, such as Articles 5(1)(a), 12, 13 and 14.
The DPC handed out a sized financial penalty of $267m to WhatsApp as well as an order to improve transparency on how they handle user and non-user data. WhatsApp has a three-month deadline to implement all of the changes set out in the order.
WhatsApp disputed the decision, saying:
“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision.”
The concerns over transparency obligations was only a fraction of the complaints lodged against WhatsApp. The tech giant was also accused of breaching regulations over how they process data altogether. However, in this case, the DPC was explicitly only concerned about if WhatsApp had met the standard of the transparency obligations. Therefore, further legal proceedings against WhatsApp over data processing may be imminent.
Prior to this decision, Ireland’s DPC had only issued one major judgement against big tech companies over how they process and handle data. Back in December 2020, the DPC found Twitter liable for a data breach and fined them a mere $550,000. Twitter had also failed to notify the DPC of the breach within 72 hours, and as such, they had infringed Articles 33(1) and 33(5) of the GDPR.
That is the basis of WhatsApp’s appeal – that the financial penalty given out to them is incredibly disproportionate compared to the judgment of Twitter’s case. The financial penalty given to WhatsApp is approximately 400x that of Twitter’s data breach.
Following the judgment, noyb, the group that advocate for complete online privacy founded by a European long term privacy campaigner, said that:
“We welcome the first decision by the Irish regulator. However, the DPC gets about ten thousand complaints per year since 2018 and this is the first major fine. The DPC also proposed an initial €50M fine and was forced by the other European data protection authorities to move towards €225M, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover. This shows how the DPC is still extremely dysfunctional.”
The BEUC, known as the European Consumer Protection Association, also reacted to the DPC’s findings:
The legal proceedings will continue as WhatsApp continues to dispute the decision, and aims to reduce the financial penalty given to them, labelling the fine as ‘disproportionate’. However, many argue that the fine imposed is still not heavy enough, given the sheer amount of revenue WhatsApp generates. Therefore, many fear that WhatsApp will not take the judgment seriously since there are no real financial consequences as a result of mishandling user and non-user data.