It’s taken a long time, but Facebook is now feeling the pressure from Europe’s much-heralded data protection regime: Ireland’s Data Protection Commission (DPC) recently announced a €225 million ($267 million) fine for WhatsApp.
The Irish Data Protection Commission (DPC), WhatsApp’s lead data supervisor in the European Union, has been investigating the Facebook-owned messaging app since December 2018, several months after the first complaints were filed about how it processes user data under Europe’s General Data Protection Regulation (GDPR), which went into effect in May 2018.
Despite receiving a number of specific complaints about WhatsApp, the DPC inquiry that resulted in today’s decision was an “own volition” probe, meaning the regulator chose the limits of the investigation itself, focusing on an audit of WhatsApp’s “transparency” obligations.
One of the GDPR’s core principles is that companies processing people’s data must be transparent, open, and honest with them about how their data will be used. The DPC’s ruling today (which is 266 pages long) says that WhatsApp has failed to meet the GDPR’s requirements.
Its investigation looked into whether WhatsApp meets its transparency obligations to both users and non-users of its service (WhatsApp may, for example, upload the phone numbers of non-users if a user agrees to it ingesting their phone book, which contains other people’s personal data); as well as the transparency WhatsApp provides regarding its data sharing with its parent company, Facebook (a highly controversial issue at the time the privacy U-turn was announced back in 2016, although it predated GDPR being applied).
In total, the DPC found that WhatsApp violated the GDPR’s transparency provisions in sections 5(1)(a), 12, 13, and 14. It has ordered WhatsApp to take a variety of initiatives to improve the level of transparency it offers users and non-users, in addition to imposing a significant financial penalty, and has given the tech giant a three-month deadline to implement all of the reforms.
WhatsApp responded to the DPC’s judgment with a statement disputing the findings and calling the punishment “very unfair” — as well as announcing that it will appeal, writing:
“WhatsApp is dedicated to offering a safe and secure service. We’ve worked hard to make sure the information we provide is clear and comprehensive, and we’ll keep doing so. We disagree with today’s ruling on the transparency we offered in 2018, and the sanctions are completely unfair. This ruling will be appealed.”
It’s important to note that the DPC investigation, which was ultimately concluded today, was limited to merely looking into WhatsApp’s transparency duties. The regulator was explicitly not looking into broader complaints about WhatsApp’s legal basis for processing people’s data in the first place, which have been lodged against Facebook’s data-mining behemoth for well over three years. As a result, the DPC will continue to be chastised for its GDPR enforcement pace and manner.
Indeed, until today, Ireland’s regulator had only issued one verdict in a big cross-border case involving “Big Tech” – against Twitter in December, when it slapped the social network with a $550k punishment for a past security breach.
WhatsApp’s first GDPR penalty, on the other hand, is far higher, reflecting what EU regulators (plural) clearly regard to be a far more serious GDPR violation.
The regulation’s key principle is transparency. While a security breach may imply careless behavior, systematic opacity toward people whose data your ad tech empire relies on to make a profit appears to be more deliberate; indeed, it may be the entire business strategy.
Is the General Data Protection Regulation (GDPR) effective?
The WhatsApp verdict will reignite debate about whether the GDPR is effective where it matters most: against the world’s most powerful corporations, which are, of course, Internet corporations.
WhatsApp’s first GDPR penalty, on the other hand, is far higher, reflecting what EU regulators (plural) clearly regard to be a far more serious GDPR violation.
The regulation’s key principle is transparency. While a security breach may imply careless behavior, systematic opacity toward people whose data your ad tech empire relies on to make a profit appears to be more deliberate; indeed, it may be the entire business strategy.
Originally, Ireland recommended a significantly more lenient penalty of up to €50 million for WhatsApp. Other EU regulators, on the other hand, protested the draught decision on a number of fronts, forcing the European Data Protection Board (EDPB) to step in and produce a binding ruling (released this summer) to resolve the many issues.
The DPC was forced to enhance the size of the penalties imposed on WhatsApp as a result of that (albeit difficult) collaboration. In a similar vein to the DPC’s draught Twitter ruling, the DPC has proposed an even smaller penalty in the first instance.
While there is a clear time cost to resolving disputes between the EU’s smorgasbord of data protection agencies — the DPC submitted its draught WhatsApp decision to the other DPAs for review in December, so it’s taken well over half a year to hash out all the disputes about WhatsApp’s lossy hashing and so on — the fact that the DPC is making “corrections” to its decisions and conclusions can languid.
The ruling will undoubtedly be appealed by WhatsApp. As a result, years will pass before any fine is paid in the Irish court system. We often felt that the DPC was more interested in headlines than doing the groundwork for our cases. It will be fascinating to see how the DPC, which was compelled to make this judgment by its European counterparts, defends it.
Also read: Venezuelans can recharge their mobile phones with crypto