WhatsApp fined €225 million over obscure data sharing policies

WhatsApp has been hit with a €225 million (approximately £193 million) GDPR fine for a lack of transparency in the way the service shares user data.

The penalty, which has been issued by the Irish Data Protection Commission (DPC) and approved by the European Data Protection Board (EDPB), is several times higher than the €50 million (roughly £43 million) draft fine the Irish data regulator issued in December last year.

Following a two-year investigation, WhatsApp was found to have been unclear about the way it had processed and shared data with Facebook, as well as between WhatsApp and other Facebook-owned companies.

Specifically, the investigation found that WhatsApp violated Article 14 of GDPR, which states that data controllers must provide data subjects with sufficient information about the way data is collected and processed.

The provisional €50 million fine, issued under the one-stop-shop principle, was submitted to the Irish regulator's European counterparts for approval once it was issued. Ireland’s data watchdog was chosen as the lead supervisory authority because WhatsApp is headquartered in the country.

After eight of its counterparts raised a dispute, the EDPB issued a binding decision in July with a “clear instruction” for the Irish DPC to increase its provisional fine.

The regulator subsequently raised the level of its draft fine several times higher, alongside issuing requirements for WhatsApp to take steps to improve its GDPR compliance.

A summary published by the EDPB found the GDPR Article 14 infringements were “very serious in nature” and “severe in gravity”, with these violations amounting “to a high degree of negligence”.

WhatsApp has branded the fine “entirely disproportionate”, and claims it will appeal the penalty.

“We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so," a WhatsApp spokesperson said. "We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision."

This fine is likely to be the first of many the regulator will issue against Facebook and its subsidiaries, with the regulator currently working through a backlog of cases against big tech firms. The regulator is also investigating more than 10 complaints against Facebook-owned companies alone.

This is the biggest GDPR fine issued to date, although it might soon be dwarfed if a provisional €746 million (approximately £637 million) fine issued by Luxembourg’s regulator against Amazon is finalised.