WhatsApp app icon on a smartphone showing GDPR violations

WhatsApp Receives €5.5 Million Fine for GDPR Violations

After being hit with a €225 million fine from the Irish Data Protection Commission in late 2021, WhatsApp is now looking at a follow-on fine of €5.5 million for other General Data Protection Regulation (GDPR) violations.

The more recent case involves lack of transparency in its disclosures to users about how their data was processed, but the relatively small fine amount was determined in part because of the earlier and larger penalty that also imposed terms that would overlap with what WhatsApp would be ordered to do to remedy this newer violation.

Irish DPC: Insufficient transparency, consent in WhatsApp data collection

The GDPR violations pertain to Article 12 and 13(1)(c) requirements that platform users be clearly informed of the legal basis under which their personal information is being collected.

The Irish DPC has given WhatsApp six months to remedy the issue, but the company was already working under similar requirements due to its 2021 fine (which also involved Facebook and Instagram) for forcing users to agree to a new privacy policy to continue using the service.

At €225 million, that fine was considerably larger, and this more recent fine was not as heavy as it might have been due to the terms of that decision still being fairly recent. It could be increased, however, if WhatsApp does not come into compliance within the given time limit.

That was the Irish DPC’s line of reasoning, but the European Data Protection Board (EDPB) does not necessarily agree. The DPC has signed on to WhatsApp’s argument that it is entitled to a contract-based approach to meeting GDPR consent requirements, something that a number of other EU national data protection regulators have objected to. A December 2022 referendum on the issue ended in a referral to the EDPB for review, and it has since issued a decision that WhatsApp should not be allowed to use a contract basis for its data collection.

The binding decision is still pending formal adoption, but when it is in effect it will require investigations into WhatsApp’s data processing GDPR violations to be re-opened; the Irish DPC appears to be drawing a line at this possibility, saying that the EDPB does not have the authority to order generalized investigations of this nature and that it may take the case to the Court of Justice of the EU if the issue is pressed.

Meta at €1.3 Billion in fines since late 2021, with more investigations into GDPR violations pending

Setting aside the potential legal clash between the Irish DPC and the EDPB, this issue is not quite finished for WhatsApp as the German data protection regulator has announced that it will open its own case into potential GDPR violations involving Article 7 (requiring consent as a condition of opening the app).

WhatsApp would initially appear to be one of the less contentious Meta branches in terms of GDPR violations, given its lack of direct display advertising. Meta has toyed with the idea of introducing ads in WhatsApp’s status page since 2018, with plans canceled in 2020 but the rumor mill starting up again in 2022. WhatsApp does tie into the Facebook and Instagram ad ecosystems, however; buyers can purchase ads that display on those platforms and open a WhatsApp conversation when clicked. The proposed EDPB investigations that the Irish DPC is vigorously resisting would dig deeper into the chat app’s connection to the massive personalized ad tracking system employed by Meta’s other platforms.

It is known that Meta processes WhatsApp user metadata, such as who people talk to and for how long. The app’s connection with Facebook has been a point of contention dating back to when the social media giant acquired it in 2014, long prior to any GDPR violations. At first, Facebook pledged to not link up data sharing with WhatsApp to assuage the fears of the existing userbase. There was an eventual revision of that policy in 2016, however, requiring old accounts that were “grandfathered in” to the old terms to manually opt out of Facebook sharing within 30 days. There was another course change in July 2020, when Meta said that all WhatsApp users could once again opt out of data sharing with Facebook, but this lasted no longer than January 2021 when Facebook announced WhatsApp users would once again have to either share data with the sprawling ad ecosystem or stop using their accounts.

Meta’s fine total of over one billion euros in GDPR violations includes an assortment of offenses, not always related to personalized ad tracking. For example, a €265 million fine was levied for the company’s security failings in handling the April 2021 leak of over half a million records of Facebook user personal information. And some of its largest individual penalties have been specific to its failures to protect the personal information of children on the platform.