The Irish digital authority announced a fine of 225 million euros ($267 million) over WhatsApp mobile messages on Thursday, following an investigation requested by the European Data Protection Authority following changes in its use of personal information.
It’s the highest penalty imposed by the Irish regulator and the second highest by a digital regulator in Europe, after the €746m fine imposed on Amazon in July in Luxembourg for failing to comply with users’ private information rules.
The investigation into WhatsApp, launched by the Irish Data Protection Commission (DPC) in December 2018, sought to determine whether the app was “complying with its transparency obligations” in terms of informing users how their data was used.
This included reporting how information was shared between WhatsApp and other companies in the Facebook group, which owns the popular mobile messaging app.
As a result of this investigation, the DPC imposed a “€225 million fine on WhatsApp”, the agency announced in a statement, calling on the Facebook subsidiary to comply with EU data protection rules.
The Irish regulator has jurisdiction in this case since the US digital giant Facebook is headquartered in Europe in this country.
The European Union’s General Data Protection Regulation (GDPR), in effect since 2018, gives regulators greater power to protect consumers from digital giants such as Facebook, Google, Apple and Twitter, which have attracted a pro-transaction attorney general, and have chosen Ireland as their headquarters.
The GDPR allows regulators to fine these groups up to 4% of their global turnover.
WhatsApp challenges ‘disproportionate’ penalties –
A WhatsApp spokesperson responded in a brief statement: “WhatsApp is committed to providing a secure and private service. We have worked to ensure that the information we provide is transparent and complete and will continue to do so.”
He stressed, “We do not agree with today’s decision regarding the transparency we offer people in 2018, and the penalties are completely disproportionate,” noting that the company will appeal this decision.
After receiving the first findings from the Irish authority, the European regulator, which includes 27 European national data protection bodies, called in July for “quickly new investigations” and proposed increased penalties.
At the request of the German regulator after controversial changes to the terms of use of mobile messaging, the European body wanted more information about the use that Facebook intended to make of its affiliates’ data. In particular, on the cross-possibilities associated with the use of unique identifiers.
In its decision, the DPC cited “very serious violations” of transparency and a “very significant lack of information” provided to the user.
The Irish regulator noted that “failure to comply with the principle of transparency may undermine other core principles of data protection”, including “principles of fairness and accountability”.
Complaints against Facebook and other digital giants are growing in Europe, although some NGOs accuse the Irish regulator of being too complacent, with Ireland benefiting from tax revenue from multinational companies based in the country.
Max Schrems, a prominent figure in the struggle to protect personal data, explained in a statement that “DBC” had proposed an initial fine of 50 million euros and was forced by other European authorities to increase it to 225 million euros. Founder of the NGO “None of Your Business”.
