Details:
Summary | The Irish DPA (DPC) has imposed a fine of EUR 225,000,000 on WhatsApp Ireland Ltd. The DPA had started extensive investigations into the messaging service’s compliance with transparency obligations back in December 2018. In this context, the DPC investigated whether WhatsApp complied with its obligations under the GDPR regarding the provision of information and the transparency of this information to users and non-users of WhatsApp.
In the course of the investigation, the DPC found that WhatsApp had committed serious violations of Art. 12 GDPR, Art. 13 GDPR and Art. 14 GDPR with respect to the information provided to users. Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other affected European supervisory authorities in December 2020. The DPC subsequently received objections from eight supervisory authorities. Due to lack of agreement, the DPC initiated a dispute resolution procedure pursuant to Art. 65 GDPR on June 3, 2021. The European Data Protection Supervisor (EDPB), by its decision of July 28, 2021, then required the DPC to reassess and increase its proposed fine based on a number of factors. The EDPS found a violation of the principle of transparency set forth in Article 5(1) a) of the GDPR in addition to the violations found by the DPC, and requested that this be reflected in the final amount of the fine. Based on this, the DPC imposed the fine in the amount of EUR 225,000,000. The fine is composed as follows: EUR 90,000,000 for the violation of Art. 5 (1) a) GDPR;
With respect to Art. 12 GDPR and Art. 13 GDPR, the DPC found that WhatsApp had failed to provide information about the nature of the data collection ‘in a concise, transparent, intelligible and easily accessible form, using clear and plain language.’ This includes making the information easy for children to understand when it is addressed to them. For example, WhatsApp had distributed information about the relationship between WhatsApp and other Facebook companies, and about the sharing of data under that relationship, across a variety of texts. Moreover, much of the information provided was of such a general nature that the DPC deemed it meaningless. Users often had to click through multiple links to FAQs to get to the information they were looking for on WhatsApp’s website.
In this regard, the DPC stated that it would be unreasonable to expect users to search the WhatsApp website after failing to find sufficient information in the privacy statement itself. With regard to Art. 14 GDPR, one of the issues was the impact of a user’s consent allowing the messaging platform to have access to his or her contacts. As such, the company searched its users’ contact information on their phones for phone numbers and other data, not only from other WhatsApp users, but also from contacts who do not even have a WhatsApp account. The DPC found that this data had been processed unlawfully, as these contacts (especially those who do not have a WhatsApp account) had not received any information about this processing and therefore could not possibly have given their consent. Given the seriousness and the far-reaching nature and impact of the breaches, the DPA concluded that there had also been a violation of the transparency principle from Art. 5 (1) a) GDPR. |
Related articles: | Art. 5 (1) a) GDPR, Art. 12 GDPR, Art. 13 GDPR, Art. 14 GDPR |
Type: | Insufficient fulfilment of information obligations |
Fine: | EUR 225,000,000 |
Sector | Media, Telecoms and Broadcasting |
All data is based on the CMS Law GDPR Enforcement Tracker. Source: https://www.enforcementtracker.com/