Facebook-owned instant messaging app, WhatsApp, has been fined €225 million by the Irish Data Protection Commission for breaches of the Europe-wide General Data Protection Regulation (GDPR).
The fine for WhatsApp is the second largest issued since GDPR came into effect in 2018, after Amazon were fined €746 million by Luxembourg’s data protection regulator.
Stockport-based Gorvins Solicitors explained how WhatsApp fell foul of the data protection regulations:
The main issue in the WhatsApp case was whether or not WhatsApp had been transparent enough about how it handles information and processes the personal data of its users. Helen Dixon, the Irish Data Protection Commissioner, commented that there had been a “very significant information deficit” in the information given to users of the WhatsApp service, with WhatsApp having given only 41% of the prescribed information to registered users and none to non-registered users.
One of the 6 principles laid out by GDPR is the “lawfulness, fairness and transparency” principle where any organisation processing any form of “personal data” must provide “specific information to data subjects to ensure fair processing” (under Articles 13 and 14 of GDPR) as well as “communicating with data subjects about their data processing rights” (under Articles 15 to 22 and 34 of GDPR).
In order to comply with the “lawfulness, fairness and transparency” principle, every organisation must provide certain prescribed information to persons whose data they are to process before or at the start of collecting their personal data and throughout the period where that data is processed. This information must be provided free of charge, in clear and plain language and in a concise, transparent, intelligible and easily accessible format.
WhatsApp have indicated that they disagree with the decision and that the fine issued is entirely disproportionate. The Irish Data Protection Commission originally proposed a fine in the region of €30-50m; however, the European Data Protection Board (made up of eight European Data Regulators) directed Ms Dixon and the Irish Data Protection Commission to increase the penalty imposed on WhatsApp. Accordingly, any appeal process which WhatsApp undertake may mean it is years before this issue is resolved and any fine is eventually paid.
Christian Mancier, Corporate & Commercial partner at Gorvins Solicitors and the firm’s Data Protection lead commented:
“The fundamental principle of GDPR is to provide individuals with transparency as to how an organisation uses their data and a degree of control over that data. Whilst it’s highly unlikely that any SME business will be on the receiving end of a €225m fine, the particular issues arising in the WhatsApp case go to show that every organisation, regardless of size, needs to make sure they are providing the prescribed information about what they do with an individual’s personal data in a clear and concise format at the right point in their relationship with the individuals concerned. This means having a bespoke Privacy Notice which is not only clear and concise but actually reflects what that organisation does with the personal data it processes and is not simply a template notice which bears no reality to how the organisation concerned actually processes personal data.”