WhatsApp could face €50 million GDPR fine

A person holding a smartphone with the WhatsApp logo displayed on screen
(Image credit: Shutterstock)

WhatsApp faces a fine of up to €50 million (roughly £44 million) for violations of GDPR in a preliminary judgement reached by the Irish data protection regulator and forwarded to European counterparts for review.

Under the Irish Data Protection Commission’s (DPC’s) draft findings, WhatsApp failed to live up to transparency requirements, and therefore might receive one of the largest GDPR penalties to date, according to Politico.

The preliminary ruling was made over a case in which WhatsApp was accused of not properly informing its EU users about how it would share their data with Facebook.

The judgement was determined in December 2020 before it was sent to fellow European data regulators to assess and agree upon.

The penalty could fall in the region of between €30 million and €50 million while WhatsApp may be required to change how it handles user data, according to Politico. Once ratified, this would be the second judgement the Irish DPC will have made under the one-stop-shop principle.

Under this principle, multinational companies with potential violations that are cross-border in nature will be investigated by a lead supervisory authority on behalf of the wider EU. In this case, and in the case of many other tech companies, Irish regulators are nominated as the lead authority given these companies are based in Ireland.

Twitter was the first company the Irish DPC fined under the one-stop-shop principle for breaching GDPR rules. The firm was ordered to pay €450k (approximately £409,000) for alerting the watchdog to a series flaw on its platform nearly two weeks after its discovery. This constituted a violation because GDPR defines a clear disclosure window of 72 hours for potential breaches or security incidents.

The latest case against WhatsApp is just one of several investigations the Irish DPC currently has on the go. As of February 2020, the Irish DPC was looking into 21 potential violations by multinational tech companies, including Facebook, Google and Tinder. The cases have since continued to rack up, including a probe against Facebook-owned Instagram after children were given the option to switch to a public-facing business account.

Many of these investigations have been ongoing for months and years, with several expected to come to a conclusion in 2021, much like the probe against WhatsApp.

The messaging service has, incidentally, come under fire recently for a controversial privacy update in which users were being asked to share their data with Facebook to continue using the service. Following widespread online criticism, and a shift among users to alternative platforms, WhatsApp delayed the controversial update for businesses.

Keumars Afifi-Sabet
Features Editor

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.