
The Irish DPC Slaps WhatsApp With a € 225 Million Fine

WhatsApp issued second-largest GDPR fine of €225 M: “The DPC gets about 10,000 complaints per year since 2018 – and this is the first major fine”.

“It’s been a long time coming but Facebook is finally feeling some heat from Europe’s much trumpeted data protection regime”.

The Irish DPC's original intention was a far milder fine, which was pushed up by EDPB Binding Decision 1/2021 on the dispute arising from the draft decision of the Irish Supervisory Authority regarding WhatsApp Ireland under Article 65(1)(a) GDPR.

Thanks to Stef ELLIOTT, Digital engineer from Six Serving Men, for his summary. He notes:

The WhatsApp ruling from the DPC focuses heavily upon GDPR Transparency and Guidance from the European Data Protection Board – catchy title of wp260rev.01.
The ruling includes: “Had WhatsApp followed these directions (which, I note, were supplemented and further explained by way of examples in the corresponding sections of the Transparency Guidelines), it would have avoided the confusion that has resulted from the manner in which it formulated its Legal Basis Notice.”
See the 3-page summary of the ruling & guide to Transparency below.

Privacy-Notice-Sanction-PS-00462-2019 Download

WhatsApp fine: a summary

By now, all of you already know that the Data Protection Commission Ireland imposed a €225.000.000 fine on WhatsApp.

The GDPR consultant Frederico Marengo, who published another useful summary of the DPC’s findings, posted: “What I guess you may not know, unless you’ve read the text in full, are the factual basis and the reasons upon which the fine was imposed.

With this summary, I tried to shed light on these issues.

It was a really tough job preparing this summary. Even though it builds on the summary already provided by the DPC in pp. 259-260, finding and summarising the most important aspects kept me busy for a while.

Two important takeaways from this decision:

The first one concerns the #GDPR and is obvious:
– information given to data subjects must be concise, easily accessible, easy to understand, and in clear and plain language, including, where possible, visualisation. Otherwise controllers or processors may violate arts. 12-14 and 5 GDPR.

The second concerns #transparency duties from the DPAs:
– DPAs should also provide easily accessible information to the public. A 266-page long document, with nearly 140.000 words, is far from easily accessible to the public: it’s unreadable.”

The ruling runs to no fewer than 266 pages. Here are the various comments already published; more to come.

It should be read in parallel with the Luxembourg DPA's fine on Amazon.

Should we expect more big fines to come? How these fines will be challenged in court, and how many resources they will drain, is another question.

The not-for-profit NOYB has 442 pending complaints: noyb filed complaints against the cookie paywalls of seven major German and Austrian news websites: SPIEGEL.de, Zeit.de, heise.de, FAZ.net, derStandard.at, krone.at and

An increasing number of websites ask their users to either agree to data being passed on to hundreds of tracking companies (which generates a few cents of revenue for the website) or take out a subscription (for up to € 80 per year). Can consent be considered “freely given” if the alternative is to pay 10, 20 or 100 times the market price of your data to keep it to yourself?

“After sending a written warning to over 500 companies two months ago, we filed 422 complaints on nerve-wracking cookie banners today. While 42% of all violations were remedied, 82% of all companies have not fully stopped violating the GDPR”.

The CNIL announced they received 22 complaints from @NOYBeu and will examine them as part of their actions on cookies, which have already given rise to around sixty formal notices.

Here is NOYB's press statement following the WhatsApp decision:

Mr Schrems and noyb, as a non-profit organisation, both have a number of pending cases before the DPC (including on WhatsApp) and have been monitoring the situation at the Irish DPC closely since 2011. In a first statement, Max Schrems puts the record fine into perspective:

“We welcome the first decision by the Irish regulator. However, the DPC gets about ten thousand complaints per year since 2018 and this is the first major fine. The DPC also proposed an initial € 50 million fine and was forced by the other European data protection authorities to move towards € 225 million, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover. This shows how the DPC is still extremely dysfunctional.”

Meanwhile, the Spanish DPA announced it imposed a fine of 100,000 € on a processor for not returning all the personal data to the controller after the end of the provision of services relating to processing (Article 28(3)(g) of the GDPR).

Here’s the decision: