WhatsApp fined €225 million over obscure data sharing policies

This finalised penalty is almost five times larger than the draft fine the Irish data regulator issued in December 2020

WhatsApp has been hit with a €225 million (approximately £193 million) GDPR fine for a lack of transparency in the way the service shares user data.

The penalty, which has been issued by the Irish Data Protection Commission (DPC) and approved by the European Data Protection Board (EDPB), is several times higher than the €50 million (roughly £43 million) draft fine the Irish data regulator issued in December last year.

Following a two-year investigation, WhatsApp was found to have been unclear about the way it had processed and shared data with Facebook, as well as between WhatsApp and other Facebook-owned companies.

Specifically, the investigation found that WhatsApp violated Article 14 of GDPR, which states that data controllers must provide data subjects with sufficient information about the way data is collected and processed.

The provisional €50 million fine, issued under the one-stop-shop principle, was submitted to the Irish regulator's European counterparts for approval once it was issued. Ireland’s data watchdog was chosen as the lead supervisory authority because WhatsApp is headquartered in the country.

After eight of its counterparts raised a dispute, the EDPB issued a binding decision in July with a “clear instruction” for the Irish DPC to increase its provisional fine.

Related Resource

Cloud migration of your data infrastructure

Explore why the most efficient way forward is data-driven

Rows of blue lights in a tunnel -whitepaper from AWSFree download

The regulator subsequently raised the level of its draft fine several times higher, alongside issuing requirements for WhatsApp to take steps to improve its GDPR compliance.

A summary published by the EDPB found the GDPR Article 14 infringements were “very serious in nature” and “severe in gravity”, with these violations amounting “to a high degree of negligence”.

WhatsApp has branded the fine “entirely disproportionate”, and claims it will appeal the penalty.

“We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so," a WhatsApp spokesperson said. "We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision." 

This fine is likely to be the first of many the regulator will issue against Facebook and its subsidiaries, with the regulator currently working through a backlog of cases against big tech firms. The regulator is also investigating more than 10 complaints against Facebook-owned companies alone.

This is the biggest GDPR fine issued to date, although it might soon be dwarfed if a provisional €746 million (approximately £637 million) fine issued by Luxembourg’s regulator against Amazon is finalised.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Most Popular

Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
Synology DiskStation DS2422+ review: A cube of great capacity
network attached storage (NAS)

Synology DiskStation DS2422+ review: A cube of great capacity

10 Jan 2022