
WhatsApp receives record fine over GDPR failings

The Irish Data Protection Commission (DPC), Ireland's supervisory authority for the GDPR, has issued what is both its largest ever fine and the second-highest permissible under GDPR rules to the messaging service WhatsApp. The fine follows an investigation, which began in 2018, of the firm's policies and transparency when notifying customers of how their data is processed.

Facebook, which owns WhatsApp, has its EU headquarters in Ireland, and so is subject to regulations laid out by the DPC and must comply with the GDPR. In this case, the tech firm has been handed a fine of €225m (£193m). Under GDPR rules, offending organisations may be subject to fines of up to 4% of their global turnover.

As required under GDPR, the DPC submitted its decision and proposed fine to other national data authorities. However, eight countries' data regulators objected to the originally suggested €30-50m (£26-43m), and the issue was referred to the European Data Protection Board (EDPB), which oversees the GDPR. The EDPB then ruled in July this year that the originally suggested fine be raised to the new amount.

“This decision contained a clear instruction that required the [Irish data protection commission] to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision and following this reassessment the DPC has imposed a fine of €225m on WhatsApp. In addition to the imposition of an administrative fine, the DPC has also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.”

Irish Data Protection Commission

Facebook has already been fined by Russian authorities for failing to store WhatsApp users' data on local servers, and WhatsApp itself has recently received a fine of 1,950,000 Turkish lira from Turkey's data protection authority for violating privacy rules.

To date, the only company to be fined more for such a breach of GDPR is the American multinational Amazon, which was issued a fine of €746m (£636m) in July by Luxembourg’s data regulator, the Commission Nationale pour la Protection des Données (CNPD).
