WhatsApp has been hit with a fine of €225 million (£193 million) by the data protection commissioner, following an investigation into practices at the Facebook-owned company.
The record fine came after the probe found WhatsApp had breached European Union laws on transparency and on the sharing of user information with other companies owned by Facebook.
In addition to the fine, the office of the data protection commissioner (DPC) in Dublin has issued a ‘reprimand’ to WhatsApp, and ordered it to bring its processing into compliance with EU standards.
The investigation began on December 10 2018 and examined if WhatsApp had complied with its obligations under the EU’s General Data Protection Regulation (GDPR).
It is the second, and largest, fine issued by the DPC under the GDPR, after Twitter was hit with a €450,000 (£386,000) penalty in 2020 over a security breach.
The investigation into the messaging service examined if the company had met its transparency obligations around the provision of information to both users and non-users.
This included whether users had been provided with information about data sharing between WhatsApp and other Facebook companies.
In a press statement, WhatsApp said the fine was ‘disproportionate’ and that it will appeal the ruling.
They said: ‘WhatsApp is committed to providing a secure and private service.
‘We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so.
‘We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.’
The Irish DPC is the lead supervisor of GDPR rules in the EU, because a large number of firms, including Facebook, WhatsApp and others, have their European headquarters based in Dublin.
John Magee, Head of DLA Piper’s Privacy, Data Protection & Security practice in Ireland, commented: ‘The decision was not the DPC’s alone and showed the EU’s complex consistency and dispute resolution processes at work.
‘An eye-catching aspect of that process was the increase in the size of the fine from a range of €30m-€50m first proposed by the DPC.
‘The fine highlights the importance of compliance with the GDPR’s rules on transparency in the context of users, non-users and data sharing between group entities.’