Whatsapp Faces €225 Million Fine
As highlighted in our previous blog, “All’s Fine under GDPR”, EU supervisory authorities, i.e. the independent public bodies monitoring and enforcing the EU GDPR, are beginning to ‘bite’ and show the extent of their enforcement powers. On the 2nd of September 2021, Whatsapp Ireland Limited was fined €225 million (£ 190.3 million GBP) fine by the Irish Data Protection Commissioner (‘DPC’) for serious breaches of data subjects’ rights under the EU GDPR.
The other critical issue was that Whatsapp had collected personal data from non-users through the use of a ‘Contact Feature’ option, wherein Whatsapp collected phone numbers from users’ contacts to determine which of these contacts already used the Whatsapp service. This approach meant that Whatsapp also collected phone numbers of non-Whatsapp users, and had multiple issues: users could not limit the collection to apply to only other users of Whatsapp, and the non-user had no way of knowing that their mobile number had been processed and would appear in the contact list of any subsequent users should they join the Whatsapp service. As Whatsapp was processing non-user personal data as a controller, without consent and without providing sufficient information, it was held to be unlawfully processing data.
Whatsapp could have avoided a large portion of the penalties if it had disclosed information in a clearer and more accessible manner. The size of the fine also shows that supervisory authorities, which have previously been criticised for their inaction, have begun to bite – and that European supervisory authorities will band together to hold companies accountable and ensure data protection standards are maintained and enforced. This means that even if certain supervisory authorities may initially appear 'easier' on companies, other authorities will hold them to account by raising objections and going to the European Data Protection Board where no resolution is reached. In this instance, the EDPB heard the objections and thus the fine levied against WhatsApp increased. Thus, businesses must be aware that they are unlikely to find respite by operating in jurisdictions which have historically been slow to act, especially in the longer term.
Finally, this fine also serves as a reminder that supervisory authorities will consider the European Competition doctrine of a Single Economic Unit, such that fines will not necessarily be limited to a subsidiary such as Whatsapp Ireland, and supervisory authorities may look further than a subsidiary when considering the effective, dissuasive and proportionate effect of an administrative fine.
If you have any queries about the data privacy regulations, please reach out to Mariel Irvine at 020 76082275, or email email@example.com.