• Mariel Irvine

WhatsApp Faces €225 Million Fine

As highlighted in our previous blog, “All’s Fine under GDPR”, EU supervisory authorities, i.e. the independent public bodies monitoring and enforcing the EU GDPR, are beginning to ‘bite’ and show the extent of their enforcement powers. On the 2nd of September 2021, WhatsApp Ireland Limited was fined €225 million (£190.3 million GBP) by the Irish Data Protection Commissioner (‘DPC’) for serious breaches of data subjects’ rights under the EU GDPR.

At the time of writing, this fine is one of the largest so far, with multiple European supervisory authorities coming together to deliberate on the key issues. The main reasons for the penalties were a lack of transparency and communication with users and non-users. Although WhatsApp had a privacy policy and other documentation in place, the information within was too fragmented, broad, and ambiguous for users to be adequately informed about their data, how it was being used and why, and with whom it was shared.

The other critical issue was that WhatsApp had collected personal data from non-users through the use of a ‘Contact Feature’ option, wherein WhatsApp collected phone numbers from users’ contacts to determine which of these contacts already used the WhatsApp service. This approach meant that WhatsApp also collected phone numbers of non-WhatsApp users, and had multiple issues: users could not limit the collection to apply to only other users of WhatsApp, and the non-user had no way of knowing that their mobile number had been processed and would appear in the contact list of any subsequent users should they join the WhatsApp service. As WhatsApp was processing non-user personal data as a controller, without consent and without providing sufficient information, it was held to be unlawfully processing data.

Lessons Learned

WhatsApp could have avoided a large portion of the penalties if it had disclosed information in a clearer and more accessible manner. The size of the fine also shows that supervisory authorities, which have previously been criticised for their inaction, have begun to bite – and that European supervisory authorities will band together to hold companies accountable and ensure data protection standards are maintained and enforced. This means that even if certain supervisory authorities may initially appear 'easier' on companies, other authorities will hold them to account by raising objections and going to the European Data Protection Board where no resolution is reached. In this instance, the EDPB heard the objections and thus the fine levied against WhatsApp increased. Businesses must therefore be aware that they are unlikely to find respite by operating in jurisdictions which have historically been slow to act, especially in the longer term.

In addition, the DPC’s criticisms of WhatsApp’s Privacy Policy, Legal Basis note, and other information pages demonstrate that having a policy is not sufficient: it is the contents of the policies which are important. These documents must be easy to navigate and give sufficient information for users to be able to make fully informed decisions, and must inform all data subjects of the consequences that will flow from the processing and control of their data.

Finally, this fine also serves as a reminder that supervisory authorities will consider the European Competition doctrine of a Single Economic Unit, such that fines will not necessarily be limited to a subsidiary such as WhatsApp Ireland, and supervisory authorities may look further than a subsidiary when considering the effective, dissuasive and proportionate effect of an administrative fine.

If you have any queries about the data privacy regulations, please reach out to Mariel Irvine at 020 76082275, or email irvine@marielirvine.com.

Sources: Enforcement Tracker, DPC announces Whatsapp inquiry, BBC Article
