WhatsApp fined €5.5m over GDPR breaches

Latest in a series of Meta fines

WhatsApp hit with €5.5m fine by Irish privacy regulator over GDPR breaches


Ireland's Data Protection Commission (DPC) has imposed a €5.5 million fine on WhatsApp for General Data Protection Regulation (GDPR) breaches dating back to 2018.

In addition to the penalties, the Meta-owned platform has been ordered to bring its data processing operations into conformity within the next six months.

The DPC is the EU's main privacy regulator handling Big Tech firms like Meta, due to how many have their local headquarters in the country.

The DPC opened its investigation into WhatsApp in response to a complaint from a German data subject on 25th May 2018 - the very same day the GDPR came into force.

The complaint claimed that WhatsApp Ireland updated its Terms of Service prior to 25th May 2018, informing users they would have to accept them if they wanted to continue using the service after the GDPR came into force.

As a result, users had to consent to the processing of their personal data just to open the app.

Making service provision conditional on a user consenting to unnecessary data processing is banned under the GDPR. WhatsApp Ireland got around this by insisting the data processing was required for the performance of the contract it had made with its users when they agreed to the amended Terms of Service.

Contrary to that declared stance, the complainant argued that the messaging platform was really trying to utilise consent as a legal justification for processing user data.

They claimed WhatsApp's actions violated GDPR Article 7 Recitation 32, which states user consent 'should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data', without influence, pressure, or elements that introduce imbalance in the data subject's decision.

After a thorough examination, the DPC concluded that forced consent did not constitute an Article 7 violation for WhatsApp Ireland, since the service did not rely on user permission to provide its service or use it as a legal basis for processing personal user data.

However, in the process of its investigation the regulator found that WhatsApp Ireland had violated Articles 12 and 13 of the GDPR by failing to explicitly state the legal basis or precise justifications for the requested data processing.

However, the DPC has previously levied significant fines on WhatsApp for the same reasons, and would not impose further financial penalties on that issue.

Instead, the recent €5.5 million fine is the result of a breach of GDPR Article 6 on 'lawfulness of processing,' which demands transparency, lawfulness and fairness in data protection operations.

WhatsApp intends to appeal the ruling because it feels its service is operating in a way that complies with the law.

The ruling is the latest in a series of significant penalties Ireland's DPC has imposed against Meta, WhatsApp's parent company.

In September 2021, the DPC issued a financial penalty of €225 million against WhatsApp for breaching European data privacy rules.

The DPC fined Meta-owned Instagram a record €405 million in September last year, for violating the GDPR and failing to protect children's data.

Finally, in November 2022, the regulator imposed a €265 million fine on Meta for failing to protect the personal details of 533 million Facebook users that were leaked in April 2021.