The operator of the communication application WhatsApp received a record fine of 225 million euros (5.7 billion CZK) in Ireland. They announced the local Data Protection Commission (DPC). She investigated how transparently the platform shares data with other applications that together fall under the American company Facebook. WhatsApp considers the notified fine to be disproportionate and wants to appeal against it.
The Irish Data Protection Commission is the main regulator of Facebook in the European Union, as the company’s European headquarters are located in Ireland. Other regulators in Europe have criticized the Irish Commission in the past for taking too long to reach a decision on technology giants and for not fining them sufficiently for possible breaches.
According to Reuters, the Irish commission originally planned a lower fine for WhatsApp, but the European Data Protection Supervisor (EDPB) forced it to increase its sanction. The EDPB told the Irish commission in July, among other things, that the fine should take into account Facebook’s revenue. Austrian data protection activist Max Schrems said the original fine was only € 50 million.
According to the Irish Commission, WhatsApp violates EU rules in the way it treats the data of users and others, as well as in the way it shares it with other applications owned by Facebook. Similarly, at the end of July, the American internet retailer Amazon was fined 746 million euros (CZK 18.9 billion) in the EU for transferring personal data in violation of the rules of their protection.
The Irish Commission said today that WhatsApp has also ordered corrective action to change the way the app communicates with users. These measures are intended to ensure compliance with EU regulations.
WhatsApp stated that it did not agree with today’s decision of the commission and described the fine as “completely disproportionate”. “We have worked to ensure the transparency of the information we provide. And we will continue to do so,” the company said in a statement.
Schrems said it would closely monitor WhatsApp’s appeal. “It can be expected that this case will be resolved in the Irish courts for years. It will be interesting whether the DPC will defend its decision before the courts, because it was pushed to this decision by its colleagues from EDPB,” he added.
The General Data Protection Regulation (GDPR) aims to help protect the rights of EU citizens and prevent the misuse of their data. It concerns public institutions, companies and corporations that handle personal data of customers or employees. The regulation entered into force in May 2018 and applies uniformly in all EU countries and in Iceland, Norway and Liechtenstein.
The GDPR also applies to companies that do business in that area but have their registered office elsewhere. Regulators can impose a fine of up to four percent of their annual worldwide revenue for violating GDPR rules.