Why did the EU issue a €225 million GDPR fine to WhatsApp?

It was one of the largest GDPR fines issued to date by the Irish data protection watchdog, underlining Facebook-owned WhatsApp’s grave transparency issue.
6 September 2021

What led the EU to issue a GDPR fine of €225 million on WhatsApp? Source: AFP

  • The GDPR fine relates to a 2018 investigation into whether WhatsApp has been transparent enough about how it handles information
  • The penalty is more than 4x what the watchdog had initially proposed and is the 2nd-largest under Europe’s revamped data protection standards
  • Ireland’s Data Protection Commissioner ordered WhatsApp to bring its data-processing activities into compliance via a number of remedial actions

In 2018, the Irish Data Protection Commission commenced an investigation into WhatsApp under the European Union’s General Data Protection Regulation (GDPR). A lengthy process followed until Ireland’s Data Protection Commissioner (DPC) ended up imposing a GDPR fine of €225 million (approximately US$270 million) on the Facebook-owned messaging platform.

That is a substantial increase from the initially proposed range of €30 million to €50 million (approx. US$35.6 to US$59 million). The decision marks the end of an investigation dating back to December 2018, concerning allegations that WhatsApp had failed to discharge its transparency obligations with regard to the provision of information to users and non-users of its service.

One of the largest sanctions issued under the GDPR, and the largest to date in Ireland, the fine comes after Ireland triggered a formal dispute resolution process, required to resolve disagreements with other EU privacy regulators over the size of the eventual penalty. The amount is also considerably higher than the €77.5 million Facebook earmarked for a likely privacy fine against WhatsApp last November.

GDPR first came into force in 2018, allowing regulators to slap companies with penalties of up to 4% of their annual revenue if they mishandle people’s data. Most recently, Luxembourg’s data protection authorities imposed a record-setting €746 million fine on Amazon in July.

WhatsApp’s grave transparency issues

It might have taken a while, but a final fine amount was agreed upon following the adoption of a binding decision by the European Data Protection Board (EDPB). This binding decision instructed the DPC to substantially increase the fine and impose a reprimand. The DPC has also ordered WhatsApp to bring its data-processing activities into compliance through a number of remedial actions.

Underlying most of Data Protection Commissioner Helen Dixon’s findings are the rights guaranteed under Article 13 of the GDPR, whereby data controllers (in this case WhatsApp Ireland) are required to provide data subjects (WhatsApp users) with clear information about how their data is being stored and used, what categories of data are being processed, and for what purpose.

On these fronts, the Irish DPC found WhatsApp Ireland to be lacking, severely so in some cases. The investigation itself didn’t look at exactly how or why WhatsApp Ireland shares user data with other Facebook companies. It was solely focused on how much clear information the messaging app supplies to users and non-users about its data collection procedures.

Some of the information provided by WhatsApp is described as “unnecessarily ambiguous” and “ill-defined” in the report. Users are often required to negotiate multiple links to get to the material they’re looking for on the WhatsApp website. “At the end of this exercise”, the report continues, “the use of qualifying language leaves the reader questioning what, exactly, is meant by the ‘Facebook Companies.’”

WhatsApp’s privacy policy: ‘Needlessly frustrating exercise’

Separately, due to the plethora of linked materials, an “abundance of text” and the fact that “certain key information has been set out in an entirely separate notice with only a single link”, the inquiry found engaging with WhatsApp’s Privacy Policy to be a “needlessly frustrating exercise” during the investigation.

It “required the extensive and repeated search of the Privacy Policy and related material to try and piece together the full extent of the information that had been provided”. Perhaps the investigation’s most serious findings related to WhatsApp’s obligation to inform users about the purpose of and legal basis for data processing. The DPC found that the company often used multiple bases to “ground” certain processing operations.

WhatsApp, for its part, said it was being transparent by indicating that it potentially relies on different legal bases for processing user data “in different circumstances”. But Dixon wrote in her decision that it was “surprising” that WhatsApp considers “patent ambiguity to represent transparency”, given the clarity of the EU’s Transparency Guidelines.

Not only was WhatsApp found to be in breach of its obligations to users, but non-users were similarly, if not more severely, affected, the DPC found. Dixon’s final 250-plus page decision sends a clear message to mass tech platforms operating within EU member states about the importance of compliance with the GDPR’s rules.