WhatsApp has been fined €225m (£193m) for breaching GDPR by Ireland's Data Protection Commission (DPC). The fine -- the second largest GDPR fine to date, after Luxembourg's €746m penalty against Amazon in July 2021 -- comes after a row between EU data protection authorities. The dispute went to the umbrella European Data Protection Board (EDPB), which demanded that the DPC quadruple its earlier proposed fine of €30-50m.
Whilst the significant fine -- which will be contested by WhatsApp -- will draw the headlines, the fundamental inconsistency across the EU around GDPR interpretation remains a core concern for enterprises. The case is a stellar example of it, but GDPR's labyrinthine dispute resolution process being exercised and a decision reached by the EDPB in just eight weeks will bring some hope that a degree of consistent interpretation is emerging.
John Magee, head of law firm DLA Piper’s privacy, data protection and security practice in Ireland, noted the decision "was not the DPC’s alone and showed the EU’s complex consistency and dispute resolution processes at work… The fine highlights the importance of compliance with the GDPR’s rules on transparency in the context of users, non-users and data sharing between group entities," he added in an emailed comment.
"There has been a total failure to provide the information prescribed by Articles 13(1)(c), 13(1)(d), 13(1)(e), 13(1)(f), 13(2)(a) and 13(2)(e)." -- The DPC on WhatsApp's GDPR compliance
WhatsApp GDPR fine 3 years in the making
Ireland's DPC had initially started its complex investigation on December 10, 2018 into whether WhatsApp had "discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users [i.e. the phone numbers of contacts] of WhatsApp’s service", including around "processing of information between WhatsApp and other Facebook companies."
It furnished a draft decision under Article 60 GDPR to other European data watchdogs in December 2020 and received no fewer than eight objections -- including from Germany and Italy -- over its findings and fine.
The European Data Protection Board (EDPB) triggered its dispute resolution process (Article 65 GDPR) on June 3, 2021 and, swiftly by EU standards, adopted a binding decision eight weeks later on July 28, 2021 that sets a number of precedents. (Among its many decisions: the consolidated turnover of the parent company Facebook Inc. should be included in WhatsApp's turnover calculation when working out the record DPC fine.)
The EDPB said September 2: "The EDPB was of the opinion that the IE SA [Ireland's DPC] should amend its draft decision regarding infringements of transparency, the calculation of the fine, and the period for the order to comply." The independent body added: "Regarding transparency, the draft decision of the IE SA already identified a severe breach of Articles 12-13-14 GDPR. The EDPB identified additional shortcomings with the information provided, impacting users’ ability to understand the legitimate interests being pursued. Therefore, the EDPB requested the IE SA to include a finding of an infringement of Article 13(1)(d) GDPR in its decision."
The EDPB added starkly: "Regarding WhatsApp IE’s collection of data of non-users - when users decide to use the Contact Feature functionality - the EDPB found that in the present case, the procedure used by WhatsApp IE does not lead to anonymisation of the collected personal data."
The EDPB also for the first time provided clarification on the interpretation of Art. 83(3) GDPR, it noted, determining that "when faced with multiple infringements for the same or linked processing operations, all the infringements should be taken into consideration when calculating the amount of the fine."
It added: "This is notwithstanding the duty on SAs to take into account the proportionality of the fine and to respect the maximum fine amount set out by the GDPR."
"Nuances and many variables..."
WhatsApp meanwhile had argued in part that "Articles 12 to 14 GDPR collectively, by their very nature, also afford latitude to controllers in relation to how they achieve compliance, as underlined by the [Transparency Guidelines] which explicitly recognises that there are “nuances and many variables which may arise in the context of the transparency obligations of a specific sector, industry or regulated area”."
That view was slapped down by the DPC, which noted that "this statement [in the GDPR transparency guidelines] is simply a reflection of the fact that there is no “one size fits all” approach to transparency. In fact, I consider that WhatsApp has taken this statement from the Transparency Guidelines out of context, as its objective is to explain how the Transparency Guidelines are generally applicable to all controllers, irrespective of sector, industry or regulated area and to explain why the guidelines did not specifically focus on, or consider, the particular application of the transparency principle in any particular sector, industry or regulated area."
Under Article 13 of GDPR (which mandates that "data subjects" are given clear information on how their data is being processed), the DPC noted meanwhile that "it was a needlessly frustrating exercise that required the extensive and repeated search of the Privacy Policy and related material to try and piece together the full extent of the information that had been provided in relation to any individual category of Article 13."
General Counsels, CDOs and other interested readers can view the full 266-page final DPC decision here.