WhatsApp plans to appeal a €225m fine imposed on Thursday by the Data Protection Commission of Ireland (DPC) for claims the messaging service failed to correctly notify customers how it was sharing their data.
Following an investigation of WhatsApp Ireland that the DPC began on 10 December 2018, it ruled that WhatsApp did not discharge its General Data Protection Regulation (GDPR) transparency obligations and will fine it €225m – one of the largest penalties ever imposed under European GDPR rules.
It was determined that WhatsApp failed in its provision of information and the transparency of that information to both users and non-users of WhatsApp’s service. This includes information provided to data subjects about the processing of information between WhatsApp and its parent company Facebook.
In addition to the fine, the DPC has also imposed a reprimand along with an order for WhatsApp to take a range of specified remedial actions to bring its processing into compliance with EU standards.
The DPC initially imposed a smaller fine, but this was objected to by regulators in other EU member states. On 28 July 2021, the European Data Protection Board (EDPB) adopted a binding decision that was then notified to the DPC.
WhatsApp denies breaching European Union laws on transparency
In a press statement, WhatsApp said the fine was “disproportionate” and said it will appeal the ruling.
The company said: “We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”
The Irish DPC is the lead supervisor of GDPR rules in the EU as a result of a large number of firms, including WhatsApp and Facebook among others, having their European headquarters based in Dublin.