Curiosity has been building for some time regarding looming Big Tech enforcement actions from Ireland's Data Protection Commission. The buildup has mostly focused on when the next penalty would drop and how big the attached EU General Data Protection Regulation fine would be.

The anticipation was met with a strong statement from the DPC Sept. 2 when it announced a 225 million euro fine against WhatsApp for violating GDPR transparency principles. The fine stems from an investigation that began in December 2018 and was finalized after the regulator followed orders in a binding decision adopted by the European Data Protection Board in July as part of an Article 65 procedure. In addition to the fine, the DPC also issued "an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions."

The action against WhatsApp is the largest fine handed down by the DPC and the second-largest GDPR fine to date following the

The DPC said its probe examined whether the Facebook-owned messaging platform "discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service." More specifically, the claims of insufficient transparency were focused on "information provided to data subjects about the processing of information between WhatsApp and other Facebook companies."

The invocation of the Article 65 recommendation by the EDPB to increase the initially proposed fine, which the DPC earmarked 77.5 million euros in anticipation of the fine. The final sum of the fine is also greater than the told The Wall Street Journal the company plans to appeal the decision in the Irish court system, noting disagreement with the DPC's findings and calling the penalties "entirely disproportionate." The spokesperson added the company "is transparent and comprehensive" regarding the information it provides to its customers.

