DPC fines WhatsApp €225 million for transparency failings

Earlier this month, the Data Protection Commission (DPC) announced that it was imposing a landmark fine of €225 million on the Facebook-owned messaging app, WhatsApp. This fine is the highest issued to date in Ireland and the second highest issued under the General Data Protection Regulation (GDPR). 

The DPC found that WhatsApp had breached Articles 5, 12, 13 and 14 of the GDPR concerning transparency in processing and provision of information to data subjects – both users and non-users of its service. The DPC’s decision emphasises the seriousness of infringements whereby (i) insufficient information was provided on data sharing by WhatsApp with its parent company, Facebook Inc; and (ii) where non-users of the service (whose personal data was processed by WhatsApp where users shared their contact lists) were not presented with a privacy notice at all. 

In addition to the fine, the DPC exercised two further corrective powers in issuing both a reprimand to WhatsApp and an order that WhatsApp bring its processing operations (i.e. amend its privacy notice to data subjects) into compliance with the GDPR within three months. 

Background to the Decision: One-Stop Shop and Consistency Mechanisms

The fine is more than quadruple the fine of €30-50 million originally proposed by the DPC in the draft decision (as lead supervisory authority under the GDPR’s ‘one-stop shop’ mechanism) circulated to other concerned supervisory authorities (CSAs) in December 2020. The significant increase reflects interventions made by eight of the CSAs and referral of the resulting dispute for binding decision to the European Data Protection Board (EDPB) under the GDPR’s consistency mechanism.

Key findings from the EDPB’s binding decision and DPC’s final decision

The EDPB issued its binding decision in July and the resulting final decision of the DPC followed in late August. Both decisions provide valuable guidance on information provision/transparency obligations under the GDPR towards data subjects and the manner in which administrative fines are calculated: 

Transparency: Granularity in provision of “essential information” 

• The EDPB stated that the purpose of transparency and information provision obligations is to enable data subjects to exercise their rights under the GDPR. The DPC stressed that information required to be provided to data subjects under the GDPR must not be delivered in a manner which is an “over-supply of very high level, generalised information at the expense of a more concise and meaningful delivery of the essential information.”

• The EDPB found that “full information on each and every processing operation respectively” is the “only approach” that will enable data subjects to exercise their data subject rights.

• Specific information about which legitimate interests relate to each processing operation, including categories of personal data involved, must be provided, as well as which entity pursues each legitimate interest (i.e. the controller and/or a third party). When referencing the legitimate interests of third parties, the controller must describe which third party pursues which legitimate interest.

• The purposes of processing operations must be distinguishable from the legitimate interests relied upon to process personal data. Conflation of such information can result in infringement of the GDPR. 
  
  

Calculation of fines 

• The EDPB clarified that all infringements arising from the same or linked processing are to be taken into account and not necessarily on a concurrent basis. For example, the DPC’s final decision found an infringement of the principle of transparency under Article 5 of the GDPR – that was not originally identified in the draft decision – accounted alone for €90 million of the overall fine.

• Infringements of the transparency obligations relevant in this decision incur maximum fines of the higher of either €20 million or up to 4 per cent of an organisation’s annual global turnover. In its binding decision, the EDPB directed the DPC to reassess the fine imposed by taking into account the consolidated turnover of WhatsApp’s parent company in the turnover calculation.

Further consequences of non-compliance 

In addition to the financial risks of enforcement actions, there is also the prospect of reputational damage and negative publicity for any company which does not have a compliant privacy notice in place. Organisations that fail to comply with enforcement actions from the DPC may find details of their non-compliance published in the next annual report of the DPC. 

Where an organisation does not have the required data protection infrastructure in place, dealing with regulatory investigations and inquiries can also be both costly and time consuming (the WhatsApp investigation was ongoing for a period of three years) and can also negatively impact upon future valuations of the business in corporate transactions. 

Our Data Protection Team is available to assist you with preparing GDPR compliant privacy and cookies policies and transparency notices, dealing with regulatory investigations and defending enforcement actions. For further information, please contact Seán O’Donnell, Zelda Deasy, Kelly Mackey or any member of the ByrneWallace LLP Data Protection/GDPR Team.