GDPR: Record fine of €225 million for WhatsApp

On September 2, the Irish digital authority (Data Protection Commission, DPC) struck WhatsApp, a subsidiary of social media giant Facebook, with a record fine of 225 million euros for violating European regulations on the protection of personal data (GDPR). This fine is the largest ever imposed by the Irish regulator and the second largest by a digital regulator in Europe.

The DPC’s investigation commenced on 10 December 2018 and it examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.

Following a lengthy and comprehensive investigation, the DPC submitted a draft decision to all Concerned Supervisory Authorities (CSAs) under Article 60 GDPR in December 2020. The DPC subsequently received objections from eight CSAs. The DPC was unable to reach consensus with the CSAs on the subject-matter of the objections and triggered the dispute resolution process (Article 65 GDPR) on 3 June 2021.

On 28 July 2021, the European Data Protection Board (EDPB) adopted a binding decision and this decision was notified to the DPC. This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB's decision. Following this reassessment, the DPC has imposed a fine of €225 million on WhatsApp.

In addition to the imposition of an administrative fine, the DPC has also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.

A spokesperson for WhatsApp denounced "grossly disproportionate sanctions", indicating that the company would appeal. "WhatsApp is committed to providing a secure and private service. We have worked to ensure that the information we give is transparent and complete and we will continue to do so," he added.

In July, Amazon had been fined 746 million euros in Luxembourg for non-compliance with European regulations on the private data of Internet users, an amount never before reached in the EU for this type of offense.