The Data Protection Commission (DPC) has fined WhatsApp Ireland Ltd €5.5m for breaches of GDPR and ordered the messaging app to bring its data processing operations into compliance within six months.
It is the latest fine handed down to a subsidiary of Meta Platforms by the data watchdog after Facebook and Instagram were hit with fines totalling €390m this month. WhatsApp was previously fined €225m by the DPC in 2021 for privacy breaches.
Like the Facebook and Instagram fines, the €5.5m WhatsApp sanction was issued by the regulator after consulting with counterpart organisations in the EU and referring the case to the European Data Protection Board (EDPB).
The initial complaint was filed on behalf of German users when GDPR came into effect in May 2018, arguing that WhatsApp had relied on users agreeing to its terms of service to provide a legal basis for its processing of their data.
The complainant said that by making WhatsApp services conditional on accepting the terms of service, the company was forcing them to consent to the processing of their data for service improvement and security, arguing that this was in breach of GDPR.
Following its investigation, the DPC prepared a draft decision for other national European data authorities, in which it said WhatsApp had contravened GDPR but recommended no fine in light of the €225m sanction.
The DPC and six national data authorities disagreed over whether GDPR precluded WhatsApp from relying on the contract legal basis it asserted, with the six authorities arguing that the firm should not be allowed to rely on its terms for consent.
The case was taken to the EDPB, which ruled that WhatsApp was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security.
The EDPB has also ordered the DPC to conduct a fresh investigation into WhatsApp Ireland's processing operations to determine if it processes data for behavioural advertising for marketing purposes or to send to third parties and affiliates.
However, the DPC has said that the EDPB cannot direct it to engage in an "open-ended and speculative investigation," describing the order as an "overreach" and "problematic in jurisdictional terms." The DPC will argue for the order to be annulled in the Court of Justice of the European Union.
Max Schrems, the lawyer who submitted the initial complaint on behalf of the German user, said: "This case is about a simple legal question. Meta claims that the 'bypass' [of GDPR] happened with the blessing of the DPC.
"For years, the DPC has dragged out the procedure and insisted that Meta may bypass the GDPR, but was now overruled by the other EU authorities. It is overall the fourth time in a row the Irish DPC was overruled."
The DPC has now imposed fines on Meta of more than €1.3bn, including the €225m and €390m fines mentioned, and fines of €265m and €405m handed out in September and November 2022, respectively.