Irish watchdog fines WhatsApp $267M after EU privacy probe

Ireland WhatsApp

Ireland’s privacy watchdog has fined WhatsApp a record 225 million euros ($267 million) after an investigation found it breached stringent European Union data protection rules on transparency about sharing people’s data with other Facebook companies.

The Data Protection Commission said Thursday that it was also ordering WhatsApp to take “remedial actions” to change the way it communicates with users so that it complies with EU regulations. WhatsApp, which has 2 billion users worldwide, said the fine was out of proportion and it would appeal the decision.

The watchdog’s announcement wraps up an investigation into the Facebook-owned messaging service that opened in December 2018, after the EU rules, known as General Data Protection Regulation, or GDPR, took effect. It’s the second penalty – and the biggest – issued by the Irish watchdog under GDPR. Last year it fined Twitter 450,000 euros for a security breach.

“WhatsApp is committed to providing a secure and private service,” the company said in a press statement. “We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”

The commission said the case examined whether Facebook followed GDPR requirements to be transparent for both users and those who didn’t use its service, including how people’s data is processed between WhatsApp and other Facebook companies. In other words, it focused on how much detail was provided in its privacy policy, which has since been updated.

WhatsApp has faced criticism that its privacy policies are too long and complicated, but the ruling could mean that they get even longer and more detailed.

Under GDPR, the Irish watchdog acts as the lead regulator in cross-border data privacy cases for WhatsApp and many other big tech companies that have their European headquarters in Dublin.

The Irish penalty is also the second biggest issued in the EU under GDPR, behind Luxembourg’s 746 million euro fine to Amazon in July for data protection violations.

A draft of the Irish decision, which reportedly called for a 50 million euro fine, was shared with regulators in other EU member states so that their feedback could be taken into consideration. However, in a sign of the complexity involved in cross-border privacy cases and the backroom wrangling need to resolve them, eight national privacy watchdogs objected, so the case was sent to the EU’s independent oversight body for GDPR, which beefed up the penalty to 225 million euros.

The Irish Data Protection Commission still has open about two dozen other investigations into big tech companies like Google, Twitter and Facebook, including a second case involving WhatsApp.