WhatsApp hit with record €225m fine by Irish regulator

Social network WhatsApp has been hit with a record €225m fine by the Data Protection Commission (DPC) after a GDPR investigation into how it shares information with other Facebook companies.

The fine is by far the largest to date handed down by the Irish regulator, and is the second-biggest delivered — behind Amazon’s fine of €746m delivered by the Luxembourg regulator last month — across Europe by any supervisory authority since the implementation of the General Data Protection Regulation (GDPR) in 2018.

The fine itself stems from a decision handed down by the European Data Protection Board (EDPB) after the DPC itself was unable to reach consensus on the matter with eight other concerned supervisory authorities.

The DPC said that as part of the EDPB’s decision, which was delivered to the DPC in late July, the Irish regulator was required to increase the size of its originally proposed fine.

It said that in addition to the fine, it had also formally reprimanded WhatsApp, which is a subsidiary of Facebook, and ordered the company to bring its processing into GDPR-compliance by “taking a range of specified remedial actions”.

A WhatsApp spokesperson said that the company “disagrees” with the decision and would appeal it, and said it is “committed to providing a secure and private service”.

We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so

They added that the fine imposed is “entirely disproportionate”.

The DPC had first commenced its own-volition investigation into WhatsApp in December 2018 after a number of complaints were made by the app’s users across Europe regarding the perceived lack of transparency as to how WhatsApp Ireland shared data with other Facebook companies, and also in terms of its use of data pertaining to non-users of WhatsApp.

The Irish regulator has come in for sustained criticism from some European regulators and privacy campaigners as to the alleged slow nature of its deliberations, and for being supposedly unwilling to levy large fines on the tech multinationals based in Ireland, for which the DPC is the lead regulator.

Prior to the WhatsApp decision, the largest fine handed out by the DPC was €450,000 to social network Twitter in December of 2020, for breaches of GDPR which saw its mobile app making protected tweets public due to a glitch.

Under GDPR the regulator has the power to fine companies either €20m or 4% of their annual turnover, whichever is greater.