WhatsApp has been hit with a €5.5m ($5.9m) fine for GDPR violations by Ireland’s Data Protection Commission (DPC).
In addition to the fine, WhatsApp Ireland has been directed to bring its data processing operations into compliance within six months.
The case showcased significant disagreements between European data protection authorities about the extent of WhatsApp’s liability.
The penalty relates to an update to WhatsApp’s Terms of Service on May 25, 2018, the date on which the EU’s GDPR came into force. This informed existing and new users that if they wanted to continue having access to the WhatsApp service following the introduction of the new regulations, they had to click ‘agree and continue’ to indicate their acceptance of the updated Terms of Service.
WhatsApp Ireland considered that the acceptance of the new Terms of Service constituted a contract, and that processing of users’ data with the delivery of its service was necessary for the performance of that contract. This included the provisions of service improvement and security features, operations deemed lawful by Article 6(1)(b) of the GDPR.
However, privacy campaigner Max Schrems argued that WhatsApp forced users to consent to the processing of their data by making the accessibility of its services conditional on accepting the updated Terms of Service.
Following an investigation, Ireland’s DPC concluded that WhatsApp was in breach of its GDPR transparency obligations, as users had “insufficient clarity as to what processing operations were being carried out on their personal data.”
It did not propose a penalty for this impositions having already imposed a “very substantial” fine of €225m ($266m) on the company for breaches of this and other transparency obligations over the same period of time.
The DPC disagreed with the “forced consent” aspect of the complaints, finding that WhatsApp Ireland was not required to rely on user consent as providing a lawful basis for its processing of their personal data.
The authority then concluded that the GDPR did not preclude WhatsApp’s reliance on the assertion the acceptance of the new Terms of Service constituted a contract. This is because it considered that WhatsApp’s premised on, the provision of a service that includes service improvement and security.
However, six of the 47 Concerned Supervisory Authorities (CSAs) that Ireland’s DPC submitted its draft decision to in accordance with the GDPR, disagreed with this aspect of the judgement.
As consensus could not be reached, the DPC referred the matters in dispute to the European Data Protection Board (EDPB), which disagreed with the DPC on the contract as a legal basis issue. This led to the administrative €5.5m fine being issued to WhatsApp.
In its statement, the DPC revealed its objections to a separate direction by the EDPB to conduct a fresh audit of WhatsApp Ireland’s data processing practices, including for special categories of personal data.
The DPC argued that this direction is outside of the EDPB’s powers, “and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation.”
It suggested it may bring an action before the Court of Justice of the European Union to “seek the setting aside of the EDPB’s direction.”
The ruling is the latest in a series of heavy fines issued by Ireland’s DPC against WhatsApp’s parent company Meta. These include a €405m ($402.2m) penalty for Instagram’s handling of children’s data in September 2022, and a €265m ($275m) fine in November 2022 relating to failing to protect the personal details of 533 million Facebook users that were leaked in April 2021.
In January 2023, Meta announced it will be appealing a €390m ($413m) fine issued relating to the social media giant’s choice of legal basis on which it relied to process users’ personal information.