Days after suffering a malware attack, WhatsApp now faced a massive penalty from Ireland’s Data Privacy Commissioner (DPC) with a €225 million ($266 million) fine for violating the GDPR guidelines. The DPC’s investigation on WhatsApp Ireland Ltd., which commenced on December 10, 2018, concluded that the Facebook-owned messaging service provider has failed to maintain the transparency of data belonging to both users and non-users of WhatsApp services. It revealed that WhatsApp had not informed its users about the processing of information between WhatsApp and other Facebook companies.
DPC announces decision in WhatsApp inquiryhttps://t.co/bo3LZZjunX pic.twitter.com/YgwuB8tetR
— Data Protection Commission Ireland (@DPCIreland) September 2, 2021
In July 2021, the European Data Protection Board (EDPB) instructed the DPC to reassess and increase its proposed fine. Following this, the DPC has imposed a fine of €225 million under transparency infringements. As per GDPR guidelines, organizations processing users’ information should be transparent and notify their users and keep them informed.
In addition to the penalty, the DPC also ordered WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.
What WhatsApp Says…
Responding to the DPC’s decision, WhatsApp stated that it will appeal. “We disagree with the decision today regarding the transparency we provided to people in 2018, and the penalties are entirely disproportionate.”
What Experts Say…
The latest penalty on WhatsApp has triggered many debates and viewpoints in the cybersecurity community. Commenting on the fine, Max Schrems, a European privacy expert and Chair of non-profit noyb.eu, said, “WhatsApp will surely appeal the decision. In the Irish court system, this means that years will pass before any fine is paid. In our cases, we often had the feeling that the DPC is more concerned with headlines than with actually doing the hard groundwork. It will be exciting to see if the DPC will fully defend this decision, as its European counterparts were forced to make it. I can imagine that the DPC will not put many resources on the case or ‘settle’ with WhatsApp in Ireland. We will monitor this case closely to ensure that the DPC is following through with this decision.”