WhatsApp Fined €225 Million For Breaking European Data Privacy Laws

06/09/2021

WhatsApp is the most popular messaging app for various reasons. From its straightforward features, the easiness to use, and its use of phone numbers instead of accounts, have made the Facebook-owned company almost synonymous with chat.

But since the company is Facebook's, the social giant that spent billions to acquire it, needed something in return. Because WhatsApp is free for use without limitation, Facebook has made WhatsApp to collect user data, and shares that information with Facebook.

Europe is one of the regions that value online privacy the most. And because of that, Ireland's Data Protection Commission (DPC) announced that it has fined WhatsApp €225 million ($267 million) for breaking the European Union’s data privacy rules.

The DPC announced this decision in an 89-page summary (PDF), noting that WhatsApp did not properly inform European Union citizens how it handles their personal data, including how it shares that information with its parent company.

Following the announcement, WhatsApp has been ordered to make updates to its already lengthy privacy policy and change how it notifies users about sharing their data. This should bring it into compliance with Europe’s General Data Protection Regulation (GDPR), which governs how tech companies gather and use data in the European Union.

Facebook office in Dublin
Facebook's office in Grand Canal Square, in Dublin, Ireland.

The decision by the DPC began with an investigation in 2018.

"The Data Protection Commission (DPC) has today announced a conclusion to a GDPR investigation it conducted into WhatsApp Ireland Ltd. The DPC’s investigation commenced on 10 December 2018 and it examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies."

And this fine here, is the second-largest fine levied under GDPR regulations. Before this, in July of 2021, Amazon was fined a record $887 million for breaching the EU privacy laws.

It should be noted that the initial fine on WhatsApp was supposed to be €50 million (~$59 million).

However, it was later revised to €225 million after other data protection agencies asked for a heftier penalty.

It was the European Data Protection Board (EDPB) that asked the DPC "to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision.”

This reassessment resulted in the DPC in revising the fine on WhatsApp for breaching GDPR rules.

In response to the fine, a WhatsApp spokesperson shared the following statement:

"We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate."

"WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so.”

"We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”

The Facebook-owned company plans to appeal the decision, which will likely result in a lengthy legal battle.

The Irish DPC is the lead supervisor of GDPR rules in the EU. This is because a large number of tech firms have their European headquarters based in Dublin.

EU's GDPR does not have any domestic jurisdiction in Brexit Britain as it had from May 2018.

The UK has passed its own version called the UK-GDPR, which alongside the Data Protection Act of 2018, is already put in effect.