Split opinion on WhatsApp fine

8th October 2021

WhatsApp (owned by Facebook) announced that it intends to appeal against the ruling by the Irish Data Protection Commission, which imposes a large fine under the General Data Protection Regulation 2016/679 (“GDPR“), because the privacy policies did not accurately inform users of how their personal data was processed. The highest fines of this kind so far are Amazon’s August 2021 €746m (from Luxembourg’s data protection authority for a data breach relating to cookie consent) and Twitter’s €450m (relating to a mismanagement of a data leak during an understaffed Christmas period).

The case highlights the need for tailored, specific, and informative privacy policies – which provide al third parties, customers, and clients with real information about the data processing undertaken by a business, whether this is as a limited company or a sole trader.


What happened?

The investigation of WhatsApp by the Irish data protection authority began in December 2018 (after the introduction of the GDPR in May of that year) because WhatsApp has its European headquarters based in Eire. Having found WhatsApp to have misled users and provided inadequate information in their privacy policy, the Irish Data Protection Commission proposed fines of between 30-50 million euros and circulated their finding to the other European national authorities for approval. Eight national authorities objected and in July 2021, the European Data Protection Board recommended that the Irish Data Protection Commission avail itself of its powers under the GDPR to fine up to 2% of global annual turnover and increase the fine. The result is the recent fine of 225 million euros, which WhatsApp hails as disproportionate (having repeatedly adjusted and updated its privacy policy during the investigations) and intends to appeal through the Irish court system.

An appeal will take time to hear and no fines will be paid by WhatsApp until the outcome of the case.

European privacy campaigners are critical that the Irish Data Protection Authority receives tens of thousands of complaints under the GDPR each year, but that this is the first significant fine. They label the Irish authority as “highly dysfunctional”.

To add to WhatsApp’s woes, July 2021 saw further complaints from European consumer groups who objected to WhatsApp’s new privacy policy terms introduced earlier this year.


The significance of this fine for UK business

Despite the recent announcement by the UK to develop data protection in the UK away from the GDPR, this ruling is still important to UK businesses trading within the EU, who will need to comply with the GDPR in their dealings with EU based individuals. Furthermore, the UK has not yet introduced a new regime and for the time being, the UK GDPR is still in place.

Related Blogs

View All