WhatsApp fined 5.5m euro by Ireland’s data watchdog

WhatsApp has been fined more than five million euro by Ireland’s data watchdog over data protection breaches.

The 5.5 million euro fine was imposed on WhatsApp Ireland by the Data Protection Commission (DPC) for breaches of the EU’s GDPR (General Data Protection Regulation).

The penalty was described as “administrative” and is relatively low in comparison to other sanctions imposed on Meta-owned services in Ireland in recent months.

WhatsApp has signalled an intent to appeal the decision.

In a draft ruling, the DPC initially did not propose issuing a fine for the GDPR transparency breaches it identified.

However, it has now moved to impose the sanction on the direction of the European Data Protection Board (EDPB), which reviewed the commission’s original findings.

The commission has also directed the Meta-owned instant messaging service to bring its data processing operations into compliance within six months.

The DPC fined WhatsApp 225 million euro over transparency breaches in a previous case.

The latest fine comes after a WhatsApp user complained about how the app had asked users to agree to accepting its updated terms of service when GDPR came into effect in May 2018.

At the time, WhatsApp Ireland informed users that if they wanted to use the app they had to click “agree and continue” to accept the terms of service and, if they declined to do so, then they would be unable to access it.

The user argued WhatsApp was “forcing” them to consent to the processing of their personal data for service improvement and security.

The complainant contended that was a GDPR breach.

While the forced consent claim was not upheld by the DPC, it found that WhatsApp was in breach of its obligations in relation to transparency.

However, as the commission had imposed the “very substantial fine” of 225 million euro on WhatsApp in 2021 for similar and other transparency breaches, it did not initially propose issuing another fine.

WhatsApp Ireland had argued that acceptance of the updated terms of service saw the user enter a contract with it.

It further contended that the processing of users’ data in connection with the delivery of its service was necessary for the performance of that contract, and that included the provision of service improvement and security features.

The DPC initially ruled that GDPR did not preclude WhatsApp Ireland’s reliance on the contract legal basis it asserted.

After some other data watchdogs in Europe disagreed with this aspect of the DPC’s draft determination, the commission referred the matter to the EDPB to issue a final resolution.

The EDPB’s binding determination backed the DPC’s findings in relation to transparency and also identified a further breach.

However, it disagreed on the contract legal basis issue, ruling that WhatsApp Ireland was not entitled to rely on it as providing a lawful basis for its processing of personal data for the purposes of service improvement and security.

The DPC has adopted the EDPB’s resolution, resulting in the 5.5 million being imposed for the additional transparency breach identified.

The EDPB has also directed the DPC to conduct a fresh investigation into WhatsApp Ireland’s “processing operations” to determine compliance with GDPR.

However, the commission has challenged whether the EDPB has the authority to direct such an investigation and said the move may involve “overreach”.

The DPC is set to bring an action for annulment before the Court of Justice of the European Union in order to seek the setting aside of the EDPB’s direction.

The fine is the latest in a series of sanctions imposed on Meta-owned services by the DPC in recent times.

Earlier this month, Meta was fined 390 million euro for breaches of EU data privacy rules relating to Facebook and Instagram.

The DPC and EDPB both adopted the same opposing stances on the contract legal basis issue in those cases as well.

Responding to the latest DPC ruling, a spokeswoman for WhatsApp said: “WhatsApp has led the industry on private messaging by providing end-to-end encryption and layers of privacy that protect people. We strongly believe that the way the service operates is both technically and legally compliant.

“We rely upon contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service.

“We disagree with the decision and we intend to appeal.”