The Irish Data Protection Commission (DPC) has imposed a fine of 225 million euros on WhatsApp for disregarding and violating data protection conditions from the GDPR. Since WhatsApp belongs to the Facebook Group, which is headquartered in Ireland, the authorities there are responsible for data protection violations by WhatsApp.
This is the result of a survey that started three years ago, when the GDPR came into force. Accordingly, the conditions that are being criticized are those as of 2018.
The Irish authority had originally set a fine of 50 million euros, but after investigations by other European authorities this had to be increased.
The fine is accompanied by a warning to WhatsApp to adapt its data collection to the requirements of the GDPR. In particular, the provision of information and the transfer of personal data between WhatsApp and other Facebook companies and their insufficient transparency is reprimanded. For example, WhatsApp has not provided users with enough information about how data from WhatsApp is processed within the Facebook group.
In the past, the Irish data protection authority was rather known for conducting inadequate investigations or remaining completely inactive and was therefore much criticized. There have even been various disputes at the European level with the management of the authority.
This fine against WhatsApp was also supposed to be lower according to the DPC's original view, and even the fine now imposed is only about 0.08 % of the Facebook group's turnover, while the GDPR provides for fines and penalties of up to 4 % of turnover. The criticism of the Irish data protection authority by data protectionists thus remains.
Nevertheless, this fine is the second highest ever imposed under the GDPR, after the one imposed on Amazon in Luxembourg in July this year (€746 million).