Irish DPA fines WhatsApp €225m

The authority also reprimanded the Facebook-owned messaging platform and ordered WhatsApp to bring processing into compliance by taking a range of specified remedial actions. The company plans to appeal.

The fine is the second highest under the European Union’s GDPR, after the €746m penalty Luxembourg’s data protection authority CNPD imposed a few weeks ago on internet retailer Amazon for breaches in processing personal data.

The financial penalty – higher than the range of €30m to €50m the Irish DPC is said to have initially proposed – marks conclusion of an investigation began late in 2018.

The authority examined if WhatsApp had “discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service.”

That included information provided to data subjects about processing of information between WhatsApp and other Facebook companies.

In line with GDPR procedures, the DPC submitted a draft decision to other DPAs in the EU. Eight objected to the Irish regulator’s proposals. No consensus was reached and the matter went to dispute resolution.

The outcome was the European Data Protection Board (EDPB) adopting a binding decision.

“This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors,” the DPC said.

WhatsApp, which has set aside more than €70m for a financial penalty, said it disagreed with result and described the fine as entirely disproportionate.

The company argued it had done its utmost to ensure it offered users transparent and comprehensive information, and said it would appeal the decision.