WhatsApp fined 5.5m euro by Ireland’s data watchdog

19 January 2023, 15:24

Mobile phone screen with apps
WhatsApp fined over data breach. Picture: PA

The fine relates to transparency breaches of GDPR.

WhatsApp has been fined more than five million euro by Ireland’s data watchdog over data protection breaches.

The 5.5 million euro fine was imposed on WhatsApp Ireland by the Data Protection Commission (DPC) for breaches of the EU’s GDPR (General Data Protection Regulation).

The penalty was described as “administrative” and is relatively low in comparison to other sanctions imposed on Meta-owned services in Ireland in recent months.

WhatsApp has signalled an intent to appeal the decision.

In a draft ruling, the DPC initially did not propose issuing a fine for the GDPR transparency breaches it identified.

However, it has now moved to impose the sanction on the direction of the European Data Protection Board (EDPB), which reviewed the commission’s original findings.

The commission has also directed the Meta-owned instant messaging service to bring its data processing operations into compliance within six months.

The DPC fined WhatsApp 225 million euro over transparency breaches in a previous case.

New WhatsApp feature
WhatsApp argued that users agreeing to updated terms and conditions amounted to a contract with them (Nicholas T Ansell/PA)

The latest fine comes after a WhatsApp user complained about how the app had asked users to agree to accepting its updated terms of service when GDPR came into effect in May 2018.

At the time, WhatsApp Ireland informed users that if they wanted to use the app they had to click “agree and continue” to accept the terms of service and, if they declined to do so, then they would be unable to access it.

The user argued WhatsApp was “forcing” them to consent to the processing of their personal data for service improvement and security.

The complainant contended that was a GDPR breach.

While the forced consent claim was not upheld by the DPC, it found that WhatsApp was in breach of its obligations in relation to transparency.

However, as the commission had imposed the “very substantial fine” of 225 million euro on WhatsApp in 2021 for similar and other transparency breaches, it did not initially propose issuing another fine.

WhatsApp Ireland had argued that acceptance of the updated terms of service saw the user enter a contract with it.

It further contended that the processing of users’ data in connection with the delivery of its service was necessary for the performance of that contract, and that included the provision of service improvement and security features.

The DPC initially ruled that GDPR did not preclude WhatsApp Ireland’s reliance on the contract legal basis it asserted.

After some other data watchdogs in Europe disagreed with this aspect of the DPC’s draft determination, the commission referred the matter to the EDPB to issue a final resolution.

The EDPB’s binding determination backed the DPC’s findings in relation to transparency and also identified a further breach.

However, it disagreed on the contract legal basis issue, ruling that WhatsApp Ireland was not entitled to rely on it as providing a lawful basis for its processing of personal data for the purposes of service improvement and security.

The DPC has adopted the EDPB’s resolution, resulting in the 5.5 million being imposed for the additional transparency breach identified.

The EDPB has also directed the DPC to conduct a fresh investigation into WhatsApp Ireland’s “processing operations” to determine compliance with GDPR.

However, the commission has challenged whether the EDPB has the authority to direct such an investigation and said the move may involve “overreach”.

The DPC is set to bring an action for annulment before the Court of Justice of the European Union in order to seek the setting aside of the EDPB’s direction.

The fine is the latest in a series of sanctions imposed on Meta-owned services by the DPC in recent times.

Earlier this month, Meta was fined 390 million euro for breaches of EU data privacy rules relating to Facebook and Instagram.

The DPC and EDPB both adopted the same opposing stances on the contract legal basis issue in those cases as well.

Responding to the latest DPC ruling, a spokeswoman for WhatsApp said: “WhatsApp has led the industry on private messaging by providing end-to-end encryption and layers of privacy that protect people. We strongly believe that the way the service operates is both technically and legally compliant.

“We rely upon contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service.

“We disagree with the decision and we intend to appeal.”

By Press Association

More Technology News

See more More Technology News

Hands on a laptop

Estimated 7m UK adults own cryptoassets, says FCA

A teenager uses his mobile phone to access social media,

Social media users ‘won’t be forced to share personal details after child ban’

Google Antitrust Remedies

US regulators seek to break up Google and force Chrome sale

Jim Chalmers gestures

Australian government rejects Musk’s claim it plans to control internet access

Graphs showing outages across Microsoft

Microsoft outage hits Teams and Outlook users

The Google logon on the screen of a smartphone

Google faces £7 billion legal claim over search engine advertising

A person holds an iphone showing the app for Google chrome search engine

Apple and Google ‘should face investigation over mobile browser duopoly’

UK unveils AI cyber defence lab to combat Russian threats, as minister pledges unwavering support for Ukraine

British spies to ramp up fight against Russian cyber threats with launch of cutting-edge AI research unit

Pat McFadden

UK spies to counter Russian cyber warfare threat with new AI security lab

Openreach van

Upgrade to Openreach ultrafast full fibre broadband ‘could deliver £66bn boost’

Laptop with a virus warning on the screen

Nato countries are in a ‘hidden cyber war’ with Russia, says Liz Kendall

Pat McFadden

Russia prepared to launch cyber attacks on UK, minister to warn

A Google icon on a smartphone

Firms can use AI to help offset Budget tax hikes, says Google UK boss

Icons of social media apps, including Facebook, Instagram, YouTube and WhatsApp, are displayed on a mobile phone screen

Growing social media app vows to shake up ‘toxic’ status quo

Will Guyatt questions who is responsible for the safety of children online

Are Zuckerberg and Musk responsible for looking after my kids online?

Social media apps on a phone

U16s social media ban punishes children for tech firm failures, charities say