The European Data Protection Board (EDPB) hit Facebook-owned WhatsApp with a fine of 225 million euros (around $266 million) after an inquiry into its transparency policies showed that WhatsApp failed to meet the General Data Protection Regulation‘s (GDPR) transparency requirements.
The issues involve how user data is collected and used and how information is shared with other Facebook units.
WhatsApp said that it disagrees with the decision and called the fine disproportionate.
WhatsApp’s User Communications Were Inadequate
Ireland’s Data Privacy Commissioner (DPC) is the lead data privacy regulator for Facebook in the European Union. The Commission issued the fine on behalf of a board representing all of its EU counterparts.
The fine came as part of a decision that found that WhatsApp does not adequately inform Europeans how they gather and use their personal data. This also includes the information it shares with other Facebook units.
As part of the decision, WhatsApp has three months to bring its user communications in compliance with the GDPR. This includes reorganizing and clarifying parts of its privacy policies.
WhatsApp is also required to create prominent notices for non-users stating their phone numbers could be uploaded to the app by their contacts.
Second Largest Enforced Fine Under the GDPR
The Irish DPC’s investigation into the matter first started in 2018. Other European regulators have criticized the DPC for the long delays in rendering its decisions and for not imposing heavy fines on tech giants.
The DPC proposed a fine of up to 50 million euros to cover a number of infringements. However, data regulators from eight other countries triggered a dispute resolution mechanism.
Following this, the EDPB directed the DPC to “reassess and increase the proposed fine based on a number of factors.”
Consequently, the DPC levied a fine of 225 million Euros on WhatsApp. The fine is the second largest ever under the GDPR and represents approximately 0.8% of Facebook’s 2020 profits.
Under the GDPR, WhatsApp can appeal the decision in Irish courts or go to the EU’s Court of Justice. This is because the decision was based on a vote of a board representing all EU data privacy regulators.
A spokesperson for WhatsApp said that the company disagrees with the decision and called the fine “disproportionate.”
They added that WhatsApp would appeal the decision, stating that the unit had worked hard to ensure transparency and comprehensiveness in its information-sharing.