Your unrestricted access to Commercial Risk, Commercial Risk Europe and Global Risk Manager will end soon.

Irish authorities raise WhatsApp GDPR fine to €225m after European regulator steps in

Messaging service WhatsApp has been fined €225m for GDPR breaches by Ireland’s Data Protection Commission (DPC), which is significantly higher than the proposed penalty after objections from other European regulators that it was too low.

The European Data Protection Board (EDPB) instructed the DPC to “reassess and increase” its proposed fine, which was reported to be capped at €50m.

The EDPB argued that the turnover of parent firm Facebook should be included to calculate the maximum levy of up to 4% of global annual turnover under GDPR rules, to ensure the fine is “effective, proportionate and dissuasive”.

The WhatsApp fine becomes the second-largest GDPR fine to date and follows hot on the heels of the record €746m levy against Amazon last month, which is subject to an appeal.

Both seem to strengthen the force of Europe’s data protection rules introduced in 2018 and smash the previous record of €50m against Google in 2019/20.

The EDPB has also now set a precedent in the WhatsApp case by clarifying that all multiple GDPR infringements for the same or linked processes, under Article 83, should be taken into account when calculating fines.

The DPC was designated as lead supervisor for Europe’s GDPR investigation into WhatsApp Ireland at the end of 2018, after concerns users were not made aware their information could be shared with owner Facebook and its other companies.

Towards the end of 2020, the DPC submitted its draft decision to Europe’s supervisory authorities involved in the case for approval. However, eight objected and the EDPB stepped in after the DPC “was unable to reach consensus” with the other regulators.

The EDPB said its review found “additional shortcomings” with WhatsApp’s transparency and instructed the DPC to add an infringement of Article 13 and Article 5 “in light of the gravity and the overarching nature and impact” of the breaches.

The DPC has also reduced the order to comply period, during which WhatsApp is expected to correct GDPR infringements, from six months to three months. This in line with a request from the EDPB.

Facebook is reported to have set aside €300m for regulatory fines in Europe for 2021 and almost €78m for WhatsApp.

Back to top button