Curiosity has been building for some time regarding looming Big Tech enforcement actions from Ireland's Data Protection Commission. The buildup has mostly focused on when the next penalty would drop and how big the attached EU General Data Protection Regulation fine would be.
The anticipation was met with a strong statement from the DPC Sept. 2 when it announced a 225 million euro fine against WhatsApp for violating GDPR transparency principles. The fine stems from an investigation that began in December 2018 and was finalized after the regulator followed orders in a binding decision adopted by the European Data Protection Board in July as part of an Article 65 procedure. In addition to the fine, the DPC also issued "an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions."
The action against WhatsApp is the largest fine handed down by the DPC and the second-largest GDPR fine to date following the proposed $888 million fine issued to Amazon by Luxembourg's National Commission for Data Protection in July.
The DPC said its probe examined whether the Facebook-owned messaging platform "discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service." More specifically, the claims of insufficient transparency were focused on "information provided to data subjects about the processing of information between WhatsApp and other Facebook companies."
The invocation of the Article 65 dispute resolution mechanism was a result of objections from eight concerned supervisory authorities to the draft decision filed to the EDPB in December 2020. The dispute resolution process concluded with a recommendation by the EDPB to increase the initially proposed fine, which the DPC forecasted to fall in the range of 30 to 50 million euros. According to financial disclosures published in November 2020, WhatsApp earmarked 77.5 million euros in anticipation of the fine. The final sum of the fine is also greater than the 450,000 euro fine the DPC issued to Twitter in December 2020 following the first-ever use of the EDPB's dispute resolution mechanism.
The contents of EDPB's binding decision were only just made public following the DPC's announcement of the fine. In addition to asking for an increased fine, the EDPB called for WhatsApp's period to comply with ordered remedial actions be reduced from six months to three. The DPC was also asked to clarify the transparency violations to include those under Article 5(1)(a) and previously cited breaches of Articles 12, 13 and 14.
In response to the fine, a WhatsApp spokesperson told The Wall Street Journal the company plans to appeal the decision in the Irish court system, noting disagreement with the DPC's findings and calling the penalties "entirely disproportionate." The spokesperson added the company "is transparent and comprehensive" regarding the information it provides to its customers.
Photo by Rachit Tank on Unsplash
European Data Protection, Second Edition
European Data Protection reviews concepts, criteria and obligations of the GDPR and related laws, examines the territorial and material scope of the GDPR, legitimate processing criteria, information provision obligations, data subjects’ rights, security of processing, accountability requirements, and supervision and enforcement. The book also provides practical concepts concerning the protection of personal data and cross-border data transfers.
The IAPP Privacy Enforcement Casebook 2020
The IAPP “Privacy Enforcement Casebook 2020” is now available. This latest reference contains noteworthy privacy cases from around the world and offers insights into regulators’ priorities and expectations.