Ireland’s Data Protection Commission (DPC) has concluded its investigation into Facebook’s WhatsApp, with the tech giants accused of breaching the European Union’s General Data Protection Regulation (GDPR).

This is in relation to two GDPR investigations launched by the DPC into WhatsApp following GDPR’s implementation last May. There are also seven ongoing investigations into its parent company Facebook Inc., and another into the Facebook-owned photo-sharing platform Instagram.

This is part of a wider investigation into data-processing activities by US tech giants. An investigation into social media platform Twitter has also been concluded, while investigations into Apple and LinkedIn are ongoing.

A DPC spokesperson confirmed that the investigation stage is complete, and will now move into the decision-making stage. 

Chief data regulation Helen Dixon will now be tasked with making a draft decision. This will be sent to other EU regulators before a final decision is made by the end of the year. Under GDPR, the DPC is able to fine companies that violate data privacy laws up to 4% of their global annual turnover.

The DPC is in charge of monitoring that Facebook is complying with GDPR as the tech giant’s European headquarters is located in Dublin. Apple, Google and Twitter have also based their Europe operations in Ireland due to its low tax rates for technology companies.

Facebook could top British Airways’ record GDPR fine

The investigation in question is into WhatsApp Inc., rather than Facebook. WhatsApp’s revenue isn’t reported. However, it is estimated to be around $5bn annually by Forbes. If regulators were to issue a maximum 4% fine, that would equate to approximately $200m.

However, if the DPC determines that Facebook is the entity in control of the data that has been breached, then the GDPR fine could be determined in relation to Facebook’s annual revenue.

According to Mondaq, EU competition law states that regulators can attribute liability to a subsidiary’s parent company if it can demonstrate that it exercised “decisive influence” over the subsidiary, an approach that is likely to be followed by GDPR.

“The Commission will view the data controller as the legal entity responsible,” Peter Galdies, managing director of data governance consultancy DQM GRC, told Verdict

“It’s hard to envisage which way the Commission will go without knowing the intrinsic details of the case. However, I suspect they will look to the parent organisation if it is seen to have benefited from, or ‘controlled’, the data in its relationship with the subsidiary.”

If that is the case, the fine could be substantially larger. Facebook posted revenue of $55.8bn in 2018, meaning a maximum fine could end up being as much as $2.2bn.

3 Things That Will Change the World Today

Dixon will have to consider a number of factors before making a decision. GDPR fines are determined based on the nature, gravity and duration of the infringement, the data compromised, the damage caused, the degree of responsibility, and previous infringements, among other factors. These factors are listed in full in Article 83 of GDPR.

“It would appear that Facebook has some ‘form’ here with previous investigations, as well as an enormous number of users, so I would expect any penalty issued is likely to be significant – and very likely to be record breaking,” Galdies said.

The record is currently held by British Airways. The airline was hit with a £183m fine by the UK’s Information Commissioner’s Office (ICO) in July for a 2018 data breach that saw payment information belonging to 500,000 of its customers stolen.

Facebook GDPR fine: A wise move?

If Facebook is found to be at fault, a worthy fine would show the European Union’s serious intent to crack down on poor data handling by US tech giants.

“These kind of businesses are entrusted to process huge volumes of personal data on individuals of all ages, and ‘with great power comes great responsibility’ — they need to treat this asset with real respect,” Galdies explained.

If organisations like Facebook are let off lightly, then the public could lose the trust that we have in the system. Likewise, it would set a precedent for large companies and “open the door to a future of poor privacy management”.

DPC fine has potential to do “more harm than good”

If found to be in breach of GDPR, it seems certain that Facebook would be hit with a record-breaking fine. However, regulators must not see this as an opportunity to make an example out of Facebook. If it does, then “has the potential to do more harm than good”, ESET cybersecurity specialist Jake Moore warned.

“It is necessary to penalise companies for leaving their customers’ data unprotected and a penalty should help with future protection. However, it must always match the breach,” Moore stressed.

The time it takes for an organisation to report a breach to the appropriate authorities is considered during the decision-making process, as is the way in which regulators found out about it. Organisations that are open and honest about these incidents are likely to be viewed more favourably than those that aren’t.

However, if the incentive to report a breach is outweighed by excessive fines, businesses could be deterred from reporting data breaches.

“Society needs to know about data breaches as soon as possible so people can be in control of their information and act quickly in changing their passwords or setting up fraud alerts,” Moore said. “If companies are hesitant to report attacks in fear of fines into the billions of pounds, this could, in turn, harm consumers.”

Despite this,Galdies doesn’t believe that the risk of ‘putting off’ businesses from coming forward should deter regulators from handing out strict punishments — “In fact quite the opposite”.

Instead, intentional failure to declare a data breach should come with additional punishment “until it’s clear that the penalty for non-compliance is suitably severe”.

“Organisations which are found to have knowingly withheld a breach notification should have ‘the book thrown at them’, as many won’t spend the time and resources required on meeting these obligations,” Galdies said.


Read more: BA data breach class-action lawsuit “reinforces the power of GDPR”