Irish data cops told to bump WhatsApp fine up to €225m

By Robert Scammell

The Irish data protection regulator has fined Facebook-owned WhatsApp a record €225m for violating European Union privacy rules – but only after its European counterparts pressured it to increase the amount.

WhatsApp said it will appeal the fine, which it described as “entirely disproportionate”.

While it is the largest fine issued by Ireland’s Data Protection Commission (DPC), it is notably smaller than the record €746m levied by the EU against Amazon in July.

The fine stems from an investigation launched in 2018 to establish whether WhatsApp was transparent with consumers about its data processing, including data shared between WhatsApp and other Facebook companies.

The DPC has also instructed WhatsApp to bring its data processing “into compliance by taking a range of specified remedial actions”.

WhatsApp said it had provided users with comprehensive information and has since updated its policies.

The intervention by other data regulators will do little to dispel criticism of the Irish DPC for its handling of General Data Protection Regulation (GDPR) complaints against Big Tech firms such as Facebook, Google, and Amazon. It has been accused of taking too long to complete investigations and being too lenient in its punitive action.

Austrian privacy campaigner Max Schrems, who has successfully taken on Facebook in multiple privacy cases, has previously said the Irish DPC has an “extremely poor understanding of the material law provisions of GDPR”.

The DPC has insisted it is simply being thorough.

Introduced in 2018, the GDPR gives regulators the ability to fine a company up to 4% of global annual turnover for serious data privacy violations.

Facebook’s revenue in 2020 was $86bn. As such, a maximum fine for Facebook would be $3.4bn, although GDPR fines are issued on a sliding scale depending on severity.

According to Schrems, the initial WhatsApp fine was €50m before the DPC received objections from eight other European data regulators. They could not reach a consensus and so the European Data Protection Board adopted a binding decision instructing the DPC to reassess its fine.

It also advised that the DPC give Facebook three months instead of six months to comply.

Many of the world’s largest tech companies have located their European headquarters in Ireland, where corporate tax rates are comparatively lower. Companies such as Google, Facebook, Twitter, LinkedIn, Amazon and Indeed are all located in Dublin’s Grand Canal Dock, giving it the nickname “Silicon Docks”.

This means that the Irish DPC is the lead supervisory authority for some of the world’s largest data processors, giving it a disproportionately high level of responsibility and casework.

That was partially addressed by a ruling from the European Court of Justice (ECJ) in July, which allows national data watchdogs to bring data infringements before a court regardless of where a company’s headquarters is located.

Ioannis Fragkoulopoulos, customer security director at Obrela Security Industries, said: “When consumers sign up to platforms, they need to understand exactly how their data will be used and if it will be shared with third parties. This fine will reinforce the importance of this and act as a warning to other companies to be more transparent.”