The authoritative news source for communications regulation

Irish Privacy Watchdog Fines WhatsApp $6 Million for GDPR Breaches

WhatsApp Ireland owes $6 million (5.5 million euros) for data processing violations, the Irish Data Protection Commission said Thursday. The investigation arose from a 2018 German complaint. Before the EU general data protection regulation (GDPR) took effect May 25, 2018,…

Start A Trial
the company updated its terms of service to tell users that if they wanted to have continued access to the service under the GDPR, they would have to click "agree and continue" to accept the revised terms. WhatsApp contended that once the terms of service were accepted, a company-user contract existed and the processing of user data in connection with the delivery of WhatsApp services was necessary for performance of the contract, making its processing operations legal under the GDPR's "contract" legal basis. The complainant argued that WhatsApp Ireland was trying to rely on consent as the legal basis for processing, and that by forcing users to consent to having their data processed for service improvement and security, the company breached the GDPR. The DPC said WhatsApp breached its obligation for transparency by not making its legal basis clear to users, leaving them uncertain about what processing operations were being carried out on their personal data, for what purposes and under what GDPR legal basis. That lack of transparency violated the regulation, but the DPC, having imposed a fine of 225 million euros on the company earlier, didn't suggest another penalty. The regulator also found, however, that in principle, the GDPR didn't preclude WhatsApp from relying on the contract legal basis. Several other data protection authorities objected to the conclusions, so the DPC referred the disputed points to the European Data Protection Board. It backed Ireland's findings of a breach of transparency obligations but rejected its view that WhatsApp could rely on the contract legal basis for processing people's personal data. The board's decision is binding, and WhatsApp now has six months to comply with the GDPR. The EDPB also ordered the DPC to look into all of WhatsApp Ireland's processing operations, but the DPC said the board doesn't have jurisdiction to order an "open-ended and speculative investigation." If the order amounts to EDPB overreach, the DPC said, it could appropriately ask the European Court of Justice to annul it. A similar dispute between the EDPB and DPC arose earlier this month involving Meta Ireland (see 2301040014). WhatsApp said it will appeal the decision. The company believes "the way the service operates is both technically and legally compliant," a spokesperson emailed.