On Thursday, September 2, 2021, the Irish Data Protection Commission (“DPC”) published its decision in the long-awaited inquiry it initiated into the data processing of WhatsApp Ireland Limited (“WhatsApp”) in December 2018. It finds against WhatsApp, imposing a fine of €225 million.
The Irish DPC undertook an own-volition inquiry into whether WhatsApp has met its GDPR transparency obligations to users and non-users of its services, including information provided to data subjects about data processing between WhatsApp and other Facebook companies.
The inquiry, being cross-border in nature, was regulated under the ‘One-Stop-Shop’ procedures of the GDPR, which require cooperation between the lead supervisory authority (in this case, the Irish DPC) and other concerned supervisory authorities.
The inquiry, in summary, assessed the extent to which WhatsApp complied with its transparency obligations under the GDPR. It spanned 5 months and looked at a number of potential infringements in three specific areas, namely on the transparency of information on its processing in relation to:
- WhatsApp users;
- non-users of WhatsApp; and
- the sharing of any personal data between WhatsApp and any companies of its parent, Facebook.
In its draft decision, the DPC found that the information provided by WhatsApp was inadequate to the extent that it is not possible to identify:
- the specific processing operations taking place;
- the purpose of those processing operations; nor
- the legal basis being relied upon to ground those processing operations.
With regard to non-users, the DPC considered that there had been a failure to provide them with the required information.
The DPC also found infringements in relation to the sharing of user data between WhatsApp and Facebook companies.
Sharing the Draft Decision
Having completed its inquiry and finding infringements in each of the three areas of investigation, the DPC shared its draft decision a with its fellow EU supervisory authorities on the EDPB on Christmas Eve, December 24th 2020, as it was required to do under the GDPR.
Following objections from 8 other fellow supervisory authorities and comments from a number of others — as well as subsequent interactions between the DPC, the other supervisory authorities and the EDPB — the DPC has now issued its final revised decision. The DPC imposed a €225 million fine and a 3-month deadline for WhatsApp to address the infringements. The decision was published over 8 months after the DPC initially shared its proposed decision with its fellow regulators.
The final fine of €225 million breaks down as follows:
- €90 million for infringing the requirement that personal data is processed lawfully, fairly and in a transparent manner;
- €30 million for failing to provide required information in a concise, transparent, intelligible and easily accessible form using clear and plain language;
- €30 million for failing to provide the required information for personal data collected from to a data subject; and
- €75 million for infringing the requirement to provide data subjects with information where personal data have not been obtained from the data subject.
In addition, WhatsApp has been ordered to bring its data processing operations into compliance within 3 months, a deadline which was shortened upon direction of the EDPB from the originally proposed 6-month timeframe.