Facebook-owned WhatsApp was fined a record EUR 225 million (roughly Rs 1,951 crores) by the Irish data protection regulator under Europe’s General Data Protection Regulations (GDPR) on Thursday, after the EU privacy watchdog pressured Ireland to raise the penalty for the company’s privacy breaches. WhatsApp said the fine was “entirely disproportionate” and that it would appeal. Still, the Irish fine is significantly less than the record $886.6 million euro fine meted out to Amazon by the Luxembourg privacy agency in July. Austrian privacy campaigner Max Schrems, who has taken on Facebook in several privacy cases, said the initial fine was 50 million euros.
Ireland’s Data Privacy Commissioner (DPC), the lead data privacy regulator for Facebook within the European Union, said the issues related to whether WhatsApp conformed in 2018 with EU data rules about transparency. “This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies,” the Irish regulator said in a statement. A WhatsApp spokesperson said in a statement the issues in question related to policies in place in 2018 and the company had provided comprehensive information.
“We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate,” the spokesperson said. EU privacy watchdog the European Data Protection Board said it had given several pointers to the Irish agency in July to address criticism from its peers for taking too long to decide in cases involving tech giants and for not fining them enough for any breaches.
It said a WhatsApp fine should take into account Facebook’s turnover and that the company should be given three months instead of six months to comply. Europe’s landmark privacy rules, known as GDPR, are finally showing some teeth even if the lead regulator for some tech giants appears otherwise, said Ulrich Kelber, Germany’s federal commissioner for data protection and freedom of information.
“What is important now is that the many other open cases on WhatsApp in Ireland are finally decided on so that we can take faster and longer strides towards the uniform enforcement of data protection law in Europe,” he told Reuters. Data regulators from eight other European countries triggered a dispute resolution mechanism after Ireland shared its provisional decision in relation to the WhatsApp inquiry, which started in December 2018.
In July, a meeting of the European Data Protection Board issued a “clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained”, the Irish regulator said. “Following this reassessment the DPC has imposed a fine of 225 million euros on WhatsApp,” it said. The Irish regulator also reprimanded and ordered WhatsApp to bring its processing into compliance by taking “a range of specified remedial actions”.
The Irish regulator had 14 major inquiries into Facebook and its subsidiaries WhatsApp and Instagram open as of the end of last year.
Schrems said he would monitor the company’s appeal closely. “It is to be expected that this case will now be before the Irish Courts for years and it will be interesting if the DPC is actively defending this decision before the Courts, as it was forced to make such a decision by its EU colleagues at the EDPB,” he said.