On 2 September 2021 Ireland’s Data Protection Commission (DPC) announced a 225 million euro fine for WhatsApp and ordered the company to amend its practices within three months. It is the largest fine ever from the DPC, and the second-highest under Europe’s General Data Protection Regulation (GDPR).
The mentioned fine relates to the investigation which began in 2018, about whether WhatsApp had been transparent enough concerning the provision of information and the transparency of that information to users of WhatsApp’s service. This also includes information provided to data subjects about the processing of information between WhatsApp and other Facebook Inc companies.
Following a comprehensive investigation, the Irish data authority submitted a draft decision to all concerned supervisory authorities under Article 60 of GDPR, in December 2020. In this regard, on 28 July 2021, the European Data Protection Board (EDPB) adopted a binding decision and this decision was notified to the DPC in Ireland. This decision contained instructions that required the DPC to reconsider and increase its proposed fine based on several factors contained in the EDPB’s decision. In assessing how the fine to be imposed against WhatsApp should be calculated, the EDPB ordered the DPC to factor in the turnover of all the component companies falling under the umbrella of Facebook Inc, WhatsApp’s parent company. It also clarified that the total turnover of a company is a factor that can be considered for ensuring the actual level of penalty decided upon is “effective, proportionate and dissuasive”, as the regulation requires, and is not just relevant for determining what the maximum possible penalty that can be imposed under the GDPR is. Following the decision of EDPB, the DPC found that WhatsApp failed to disclose information under its GDPR transparency obligations and imposed a fine of 225 million euros.
In a statement by which WhatsApp representative responded to the DPC’s decision, WhatsApp denied all stated in a decision and also announced that the company will appeal the decision.
The mentioned decision that arose from the Ireland Data Protection authority shows how great consequences could be in case of GDPR infringement, and sends a strong message to all companies stated in the EU area to comply with its rules.
This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.
By Katarina Zivkovic, Senior Associate, and Miroslav Ravic, Trainee, Samardzic, Oreski & Grbovic