Irish data protection authority fines WhatsApp €225 million for GDPR breaches
On 2 September 2021, the Irish Data Protection Commission (DPC) announced that it had adopted an infringement decision and levied its largest ever fine of €225 million against WhatsApp for breaching European data protection rules (EU GDPR). The DPC found that WhatsApp (which is owned by Facebook) failed to meet the transparency obligations in the EU GDPR in respect of both users and non-users of the messaging app.
The decision marks the culmination of an investigation which started in December 2018 and concluded that WhatsApp had infringed a number of the “transparency obligations” under the EU GDPR. This investigation focused only on WhatsApp’s compliance with the transparency obligations and not on other obligations under the EU GDPR, which are the subject of other complaints and separate ongoing investigations. The transparency obligations require a data controller to provide certain information to a data subject (user) when it processes that user’s personal data, and to give access to that personal data (and various other information) on request by the data subject. In addition to infringements of Articles 5(1)(a), 13 and 14, the DPC found that WhatsApp had infringed Article 12, which requires the controller (here, WhatsApp), when processing personal data, to inform the user “in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child”.
WhatsApp’s activities constitute cross-border processing under the EU GDPR, in that its processing of personal data “substantially affects or is likely to substantially affect data subjects in more than one Member State”. As WhatsApp designated WhatsApp Ireland Limited as its data controller for EU GDPR purposes, the DPC led the investigation as “lead supervisory authority” on behalf of the data protection authorities in the other EU member states. The journey to the adoption of the decision on 20 August 2021 appears to have been somewhat turbulent. The supervisory authorities in the majority of other EU member states challenged the DPC’s initial draft decision on three grounds: that the fine initially proposed was too low given the nature, gravity and duration of the infringement; that other aspects of WhatsApp’s conduct constituted further infringements of the EU GDPR; and that the remedies the DPC proposed to address the breach were inadequate.
The DPC found that it was not just users’ rights that were infringed but also those of non-users, since users allowed WhatsApp to access and upload the contact information of non-WhatsApp users stored in their phones. The DPC found that even though this information was put through a one-way cryptographic transformation (a hash) that could not then be reverse engineered to recreate the non-user’s phone number, it still constituted personal data; in GDPR terms the data was pseudonymised rather than anonymised, since anonymised data is by definition not personal data. Notwithstanding its conclusion that the non-user data processed by WhatsApp was “very limited”, the DPC held that WhatsApp could and should have communicated to non-users the information required under the EU GDPR, and because it had not, WhatsApp had infringed the data rights of non-users. Significantly, the DPC held that WhatsApp processed the non-user data as a data controller and not merely as a processor. Under Article 24 of the GDPR, this makes WhatsApp responsible for ensuring that there are “appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with [the EU GDPR]”. The DPC gave short shrift to WhatsApp’s assertion that it was “self-evident” to a user that enabling WhatsApp’s contact feature would mean that all of the information stored in their contacts would be transmitted to WhatsApp (and other members of the Facebook group of companies). The suggestion that non-users could “simply” ask a user to delete their contact information to avoid their personal data being processed by WhatsApp was also rejected.