Ireland’s Data Protection Commission (“DPC”) on Thursday fined Meta-owned WhatsApp Ireland €5.5 million (US$6 million) for breaching the EU’s General Data Protection Regulation (GDPR) in relation to its service in the country.
Besides the fine, Ireland’s DPC has given the social media giant a period of six months to bring its data processing operations in line with GDPR rules or face further action.
The recent fine by the DPC comes as a major blow to Meta, as it was recently fined 390 million euros by the same body when its other subsidiaries, Instagram and Facebook, were found flouting the GDPR rules.
Coming to WhatsApp, the decision made by the DPC is the conclusion of an inquiry concerning a complaint made on May 25, 2018, by a German data subject about the WhatsApp service.
The complainant challenged WhatsApp’s new rules requiring users to accept the new ‘contract’ terms to access their services when the GDPR came into effect in 2018.
According to the platform’s updated Terms of Service, users who wished to continue to have access to their WhatsApp service following the introduction of the GDPR had to accept the updated Terms of Service. If they declined the terms, the service would not be accessible to them.
In other words, WhatsApp was effectively forcing users to agree to data processing if they wanted to continue using the services, which the complainant argued was in breach of the GDPR. The complainant believed that users should be given a choice about the data which is processed.
Following a comprehensive investigation, the DPC found WhatsApp to be “in breach of its obligations in relation to transparency”, as it did not provide sufficient clarity about how data was processed and for what purposes.
The DPC found that WhatsApp Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data.
WhatsApp Ireland is “not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security,” it added and said that the legal basis for the service’s data processing is in breach of EU law.
The final decision on the fine, adopted by the DPC on January 12, 2023, follows the three binding decisions by the EU’s data protection regulator, the European Data Protection Board (EDPB), in early December.
Besides the fine, the EDPB has also purported to direct the DPC to conduct a fresh investigation regarding the following:
“WhatsApp IE’s processing operations in its service in order to determine if it processes special categories of personal data (Article 9 GDPR), processes data for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, and in order to determine if it complies with the relevant obligations under the GDPR.”
In response to the DPC’s decision made on Thursday, Meta said it would appeal against the decision and look to overturn it.
“We strongly believe that the way the service operates is both technically and legally compliant. We rely upon the contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service,” a WhatsApp spokesperson said.
“We disagree with the decision and we intend to appeal.”