
Whats’Appening? Here’s why WhatsApp has been given a gigantic fine and what to learn from it

By: Mikael Korsholm Poulsen | GDPR | 30 November

The messaging service WhatsApp has been given a gigantic fine of 225 million euros by the Irish Data Protection Commission. At first sight this might seem like a huge victory for the EU’s GDPR, but is it really that? And what can we learn from this case? We look at all this and more in this blog post.

Why you should care

But wait a minute – is a fine for a huge international company relevant for you as the IT person in your company?

Yes!

I would claim that it is relevant, since it shows that you can be subject to huge fines if you don’t take the GDPR seriously. What happens in these large cases can also create precedents when it comes to how violations of the GDPR by smaller companies are treated.

And on top of that – it’s a really interesting case!

If you are interested in other cases that have resulted in heavy fines, we have collected the largest GDPR breaches of 2021 and 2022 in an article.

A violation of the first principle of the GDPR

To sum it up, the accusation is simply that WhatsApp has violated the principle of transparency, which is set out in article 5 of the GDPR: personal data shall be

“[…] processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);”

This means that data must be handled lawfully, fairly and in a transparent manner, and it is one of the seven GDPR principles. This principle is pretty much the opposite of how the Irish Data Protection Commission (IDPC) describes WhatsApp’s handling of user data in its report.

WhatsApp’s handling of personal data is described as “unnecessarily unclear” and “badly defined”. On top of that, it is described as an “unnecessarily frustrating exercise” to read and examine WhatsApp’s privacy policy.

This lack of transparency also came into play when users were asked to give consent. The users gave consent to have their data handled by “Facebook Companies” – but which companies does that even refer to?


The verdict – and how it got quadrupled!

The IDPC began investigating WhatsApp’s handling of data in December 2018, and in 2020 it made its first draft decision, in accordance with the GDPR. The IDPC presented the draft to the other European data protection authorities for feedback. They collectively agreed that the proposed decision was way too soft on WhatsApp.

As a result, the European Data Protection Board (EDPB) instructed the IDPC to increase the proposed fine to 225 million euro and to give WhatsApp instructions on how to handle data, which had to be implemented within 3 months. Usually, a company is given 6 months to implement such measures, but due to the severity of the violation this timeframe was halved.

The Irish Data Protection Commission – The bottleneck of the GDPR

The IDPC did not agree with its European colleagues on how large the fine for WhatsApp should be – and it’s not the first time this has happened. A similar thing happened in a case involving Twitter, where the IDPC suggested a lower fine and its European colleagues had it increased.

Why does Ireland have to handle WhatsApp?

You might ask – why should all of these tech giants be handled by the Irish Data Protection Commission? The answer is simply that many American tech giants have their European headquarters in Ireland. When a GDPR rule is broken, the case must be handled by the country in which the company has its European headquarters. Why these tech giants are placed in Ireland is a question for a different article.

So, the IDPC faces some of the world’s largest companies even though it of course has very limited resources. This has resulted in a lot of criticism, since very few of the accused companies are ever investigated. Similarly, there is not a lot of trust that the IDPC will actually be able to collect the fine from WhatsApp.

Max Schrems isn’t happy either

Max Schrems, whom we know from the Schrems II case, says this about the IDPC’s handling of the WhatsApp case:

“WhatsApp will surely appeal the decision. In the Irish court system this means that years will pass before any fine is actually paid. In our cases we often had the feeling that the DPC is more concerned with headlines than with actually doing the hard groundwork.”

Schrems also points out that even though 225 million euro might sound like a lot, it is not even close to 4% of the Facebook Group’s yearly revenue, which is the maximum the GDPR allows as a fine for breaching it. It is closer to 0.08%.

WhatsApp will appeal

WhatsApp has been clear – they are going to appeal this case to the courts. They disagree with the accusations on how they handled data and also on how big the fine should be. According to them, they work transparently when it comes to their handling of data. You can read their full statement here:

“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision.”

So, we are just going to have to wait and see how this appeal goes and what the result of this case will be.

Do we have similar cases against other giants?

The only fine that is comparable in size was handed to Amazon earlier in 2021, when it was asked to pay the enormous sum of 746 million euro. Amazon also chose to appeal, and the case is still in process, so we will have to be patient for the result. Only time will tell how these types of cases will end.

What can we learn from this case?

This case is about tech giants, so can we even learn anything from it? I would say so. Firstly, we can see that the GDPR is actually being enforced. We can also see that the structure of the GDPR makes the IDPC a bottleneck when it comes to holding the tech giants to account.

On a more practical level, we can also see that it is very important to be transparent towards users when trying to live up to the standards set by the GDPR. To do this, we need to make sure that it is easy to find out how we as a company handle our users’ data, for example by having a clear privacy policy.

These large cases can potentially create precedent and set the scene for how we are all going to handle the GDPR.

I hope you found this blog post valuable – or at least interesting! If you have questions regarding IT security, the GDPR or anything in between, you are more than welcome to reach out!
