After being hit with a €225 million fine from the Irish Data Protection Commission in late 2021, WhatsApp is now looking at a follow-on fine of €5.5 million for other General Data Protection Regulation (GDPR) violations.
The more recent case involves a lack of transparency in its disclosures to users about how their data was processed, but the relatively small fine amount was determined in part because of the earlier and larger penalty that also imposed terms that would overlap with what WhatsApp would be ordered to do to remedy this newer violation.
Irish DPC: Insufficient transparency, and consent in WhatsApp data collection
The GDPR violations pertain to Articles 12 and 13(1)(c) requirements that platform users be clearly informed of the legal basis under which their personal information is being collected.
The Irish DPC has given WhatsApp six months to remedy the issue, but the company was already working under similar requirements due to its 2021 fine (which also involved Facebook and Instagram) for forcing users to agree to a new privacy policy to continue using the service.
At €225 million, that fine was considerably larger, and this more recent fine was not as heavy as it might have been due to the terms of that decision still being fairly recent. It could be increased, however, if WhatsApp does not come into compliance within the given time limit.
That was the Irish DPC’s line of reasoning, but the European Data Protection Board (EDPB) does not necessarily agree. The DPC has signed on to WhatsApp’s argument that it is entitled to a contract-based approach to meeting GDPR consent requirements, something that a number of other EU national data protection regulators have objected to. A December 2022 referendum on the issue ended in a referral to the EDPB for review, and it has since issued a decision that WhatsApp should not be allowed to use a contract basis for its data collection.
The binding decision is still pending formal adoption, but when it is in effect it will require investigations into WhatsApp’s data processing GDPR violations to be re-opened; the Irish DPC appears to be drawing a line at this possibility, saying that the EDPB does not have the authority to order generalized investigations of this nature and that it may take the case to the Court of Justice of the EU if the issue is pressed.
