The Irish Data Protection Commission (DPC) has taken some heat for perceived softness in issuing General Data Protection Regulation (GDPR) fines to big tech companies headquartered within its jurisdiction.
A $267 million fine issued to WhatsApp is the first substantial amount that the Irish regulator has assessed, but it comes amidst accusations that an array of other privacy complaints were ignored in reaching the decision.
WhatsApp GDPR fine fails to conclusively answer questions about Irish DPC’s commitment
WhatsApp was fined €225 million after an investigation that went on for nearly three years. The investigation was spurred by privacy activist Max Schrems, who also managed to invalidate data transfers between the European Union and United States with a separate case against WhatsApp parent Facebook that was resolved last year. Schrems filed complaints in late 2018 about WhatsApp’s alleged “forced consent” policies, claiming that it (and several other social media giants) essentially pressured users into accepting its privacy terms under threat of denying them service otherwise.
Though the Irish DPC issued its largest GDPR fine to date, and the second-largest in EU history, questions and criticism about its willingness to regulate the golden geese that have nested in its country (largely due to favorable tax terms) remain. Aside from the sheer length of the investigation, something that the Irish DPC has been criticized for in other cases, the fact that the agency defined the scope of its own investigation (and left out a number of related complaints) is rankling some observers.
The Irish regulator opted to focus entirely on WhatsApp’s transparency obligations under the GDPR, overlooking more fundamental complaints about whether the messaging giant has a valid legal basis to process all of the information that it collects. The fine was ultimately issued for WhatsApp’s failure to disclose to users the full scope of its use of collected personal information; the regulator took no issue with the means of collection.
The regulator looked not only into whether users were properly informed about the scope of sharing between WhatsApp and Facebook, but also into WhatsApp’s practice of collecting and using the data of non-users. One example of this is the phone numbers that users enter into their contacts list, which can be supplemented by other personal information.
The GDPR fine was not the only action taken by the regulator. The Irish DPC has also given WhatsApp 90 days to make a number of changes to improve the transparency of its communications to both platform users and non-users that might be impacted.
WhatsApp responded to the GDPR fine with a statement claiming that it was “entirely disproportionate,” disputing various specifics and promising to appeal the decision. The appeals process could potentially take years to resolve (particularly given the standard pace of the Irish DPA), and WhatsApp will not be on the hook for any payments until the process concludes.
Criticisms over Irish DPA’s past GDPR fines
Schrems, the originator of the complaints that led to this decision, said that the large GDPR fine was “welcome” but that the system remained “dysfunctional.” The EU’s various data protection authorities have taken different approaches to regulation in the first years of the GDPR, and Ireland spends much time in the spotlight given that it is responsible for the EU branches of many of Silicon Valley’s biggest names. The Irish DPA has clashed with other regulators in various cases, over both the time it takes to conduct investigations and the fact that its proposed GDPR fines tend to be the lowball number of the bunch. This was true in this particular case, as Ireland initially proposed only a €50 million fine for WhatsApp. This led to an argument amongst the other EU data authorities and was ultimately only resolved by a European Data Protection Board (EDPB) decision. This reflected the situation with the Irish DPA’s only previous GDPR fine, a €450,000 penalty for Twitter that other regulators wanted to see go up into the millions of Euros.
The only GDPR fine larger than this was the $425 million issued to Amazon by the Luxembourg DPA. Though these amounts are a relative pittance for big tech firms, far short of the maximums of 2% or 4% of total annual turnover allowed for by the GDPR, John Magee (Head of DLA Piper’s Privacy, Data Protection & Security practice in Ireland) sees the roughly fivefold increase in the eventual fine amount as a positive development: “An eye-catching aspect of that process was the increase in the size of the fine from a range of €30m-€50m first proposed by the DPC. The fine highlights the importance of compliance with the GDPR’s rules on transparency in the context of users, non-users and data sharing between group entities.”
And Cillian Kieran, CEO and Founder of Ethyca, notes that the mandatory enforcement action may be a better precedent than the fine amount in this case: “As with Luxembourg’s recently announced fine against Amazon, this fine comes with another, perhaps more important, component: an order to bring data systems into compliance. A nine-figure fine is a drop in the bucket for WhatsApp and its parent, Facebook. For long-term, structural improvements, the compliance order could prove more meaningful.”