WhatsApp (owned by Facebook) announced that it intends to appeal against the ruling by the Irish Data Protection Commission, which imposes a large fine under the General Data Protection Regulation 2016/679 (“GDPR”), because the privacy policies did not accurately inform users of how their personal data was processed. The highest fines of this kind so far are Amazon’s August 2021 €746m (from Luxembourg’s data protection authority for a data breach relating to cookie consent) and Twitter’s €450m (relating to a mismanagement of a data leak during an understaffed Christmas period).
The case highlights the need for tailored, specific, and informative privacy policies – which provide al third parties, customers, and clients with real information about the data processing undertaken by a business, whether this is as a limited company or a sole trader.
An appeal will take time to hear and no fines will be paid by WhatsApp until the outcome of the case.
European privacy campaigners are critical that the Irish Data Protection Authority receives tens of thousands of complaints under the GDPR each year, but that this is the first significant fine. They label the Irish authority as “highly dysfunctional”.
The significance of this fine for UK business
Despite the recent announcement by the UK to develop data protection in the UK away from the GDPR, this ruling is still important to UK businesses trading within the EU, who will need to comply with the GDPR in their dealings with EU based individuals. Furthermore, the UK has not yet introduced a new regime and for the time being, the UK GDPR is still in place.