In Ireland, France and the European Union as a whole, the issue of data protection is important and it is regulated by the General Data Protection Regulation (GDPR). The Data Protection Commission, Ireland’s equivalent of the National Commission for Information Technology and Civil Liberties or CNIL, has singled out the WhatsApp app and handed it a record penalty. The Facebook subsidiary will have to pay 225 million euros.
The Irish data protection commission considers on WhatsApp did not comply with the RGPD
It was in December 2018 that the investigation into Whatsapp was opened, only a few months after the RGPD came into force in the EU in May 2018. It was more than two and a half years later that a decision was made by the Data Protection Commission (DPC). A verdict that took a long time to arrive as the various data protection authorities could not agree on the penalty to be imposed.
In December 2020, the DPC had provided a draft decision as suggested in Article 60 on cooperation between the lead supervisory authority and other relevant supervisory authorities. Eight authorities had vetoed the initial sanction of €50 million which was considered far too low. In the end, it was the European Data Protection Board (EDPB) that asked the CPD to reconsider.
The DPC thus retained four violations of the GDPR:
- Article 5: Principles on the processing of personal data
- Article 12: Transparency of information and communications and arrangements for exercising the rights of the data subject
- Article 13: Information to be provided where personal data are collected from the data subject
- Article 14: Information to be provided where the personal data have not been obtained from the data subject
€225 million fine in Ireland, €197,000 in Turkey.
In upholding these four grounds, the DCP believes that WhatsApp does not process its users’ personal data in a transparent, fair and lawful manner and has not explicitly provided the ways in which information and data is collected, stored and transferred, while pointing to the information sharing between Whatsapp and Facebook.
225 million euros is the fine that the company will have to pay. This is the second highest fine in Europe after the one pronounced by Luxembourg against Amazon for an amount of 746 million euros. In addition, the famous chat application must rewrite or modify its privacy policy so that it is much more explicit towards its users.
Even though the penalty has been pronounced, WhatsApp has decided to appeal the decision, considering that the amount of the fine is far too substantial. Note that the day after the announcement of this fine, it is Turkey with its data protection authority (KVKK) that sentenced the subsidiary to pay a fine of 1.95 million Turkish pounds, or 197,000 euros, a lesser amount contrary to that announced by the DCP.
Translated from Irlande : WhatsApp condamné à payer 225 millions d’euros pour avoir enfreint plusieurs points du RGPD