The Data Protection Commission (DPC), the data privacy regulator in the Republic of Ireland, has has imposed a fine of 225 million euros on WhatsApp. This closes a GDPR investigation by the regulator into WhatsApp Ireland Ltd, that began in December 2018.
As a lead regulator for the European Union, the DPC examined whether WhatsApp has discharged its GDPR transparency obligations for the provision of information and the transparency of that information to users and non-users of WhatsApp’s service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.
The DPC also imposed a reprimand and an order for WhatsApp to bring its processing into compliance by taking remedial actions. For the full decision visit the European Data Protection Board (EDPB) website.
Comments
The fine serves as a warning to other companies according to AJ Thompson, CCO at the IT firm Northdoor. “Too many businesses think that GDPR fines are only issued as a result of a data breach. However, this and the last high profile, record fine ($886m/€746m) issued to Amazon both relate to internal processes that do not adhere to the regulation.
“There is also a tendency in some companies to think once you have become compliant all the work is done. That is simply not the case. GDPR in particular is a constantly changing beast. For example, the Hamburg data protection watchdog recently claimed that Zoom was incompatible with GDPR – meaning that many companies that are currently compliant could very soon no longer be so.
“The task of keeping up-to-date with the constantly changing regulatory landscape seems like an impossible one. Many companies rely on individuals to ensure that they remain compliant, or stick their heads in the sand and presume that they are.
“Unlike other regulations it is very clear that data protection watchdogs across Europe are keeping a constant eye on companies and for possible regulation breaches. They are also not afraid to issue fines to those that are not adhering. This is something that is not going to go away. Companies need to find ways to better manage their data processes and not rely on individuals who are susceptible to human error.
“Some companies are industrialising their GDPR approach. By taking manual processes and automating them companies can be more confident that they remain in-line with the latest GDPR rules, ensure that data is safe and that internal procedures do not result in them being issued potentially hugely damaging fines.”
Ioannis Fragkoulopoulos, Customer Security Director, Obrela Security Industries, said: “WhatsApp’s privacy terms and conditions have come under scrutiny frequently in the past and the company has had to defend its terms and conditions many times, with users leaving the platform because of ambiguities and policy changes. This fine shows just how serious the Irish government is around transparency. When consumers sign up to platforms, they need to understand exactly how their data will be used and if it will be shared with third parties. This fine will reinforce the importance of this and act as a warning to other companies to be more transparent.”
