On Thursday, September 2, 2021, the Irish Data Protection Commission (“DPC”) published its decision in the long-awaited inquiry it initiated into the data processing of WhatsApp Ireland Limited (“WhatsApp”) in December 2018.  It finds against WhatsApp, imposing a fine of €225 million.

Background

The Irish DPC undertook an own-volition inquiry into whether WhatsApp has met its GDPR transparency obligations to users and non-users of its services, including information provided to data subjects about data processing between WhatsApp and other Facebook companies.

The inquiry, being cross-border in nature, was regulated under the ‘One-Stop-Shop’ procedures of the GDPR, which require cooperation between the lead supervisory authority (in this case, the Irish DPC) and other concerned supervisory authorities.

The Complaints

The inquiry, in summary, assessed the extent to which WhatsApp complied with its transparency obligations under the GDPR.  It spanned 5 months and looked at a number of potential infringements in three specific areas, namely on the transparency of information on its processing in relation to:

  1. WhatsApp users;
  2. non-users of WhatsApp; and
  3. the sharing of any personal data between WhatsApp and any companies of its parent, Facebook.

Draft Decision

In its draft decision, the DPC found that the information provided by WhatsApp was inadequate to the extent that it is not possible to identify:

  1. the specific processing operations taking place;
  2. the purpose of those processing operations; nor
  3. the legal basis being relied upon to ground those processing operations.

With regard to non-users, the DPC considered that there had been a failure to provide them with the required information.

The DPC also found infringements in relation to the sharing of user data between WhatsApp and Facebook companies.

Sharing the Draft Decision

Having completed its inquiry and finding infringements in each of the three areas of investigation, the DPC shared its draft decision with its fellow EU supervisory authorities on the EDPB on Christmas Eve, December 24th 2020, as it was required to do under the GDPR.

Following objections from 8 other fellow supervisory authorities and comments from a number of others — as well as subsequent interactions between the DPC, the other supervisory authorities and the EDPB — the DPC has now issued its final revised decision.  The DPC imposed a €225 million fine and a 3-month deadline for WhatsApp to address the infringements.  The decision was published over 8 months after the DPC initially shared its proposed decision with its fellow regulators.

The final fine of €225 million breaks down as follows:

  • €90 million for infringing the requirement that personal data is processed lawfully, fairly and in a transparent manner;
  • €30 million for failing to provide required information in a concise, transparent, intelligible and easily accessible form using clear and plain language;
  • €30 million for failing to provide the required information for personal data collected from a data subject; and
  • €75 million for infringing the requirement to provide data subjects with information where personal data have not been obtained from the data subject.

In addition, WhatsApp has been ordered to bring its data processing operations into compliance within 3 months, a deadline which was shortened upon direction of the EDPB from the originally proposed 6-month timeframe.

Marie Daly

Marie Daly brings a broad range of commercial and regulatory expertise across a variety of business sectors. She is recognised as being a practical, straightforward, and commercially focussed lawyer; with a proven capacity to influence at all levels within business and to contribute to policy and legislative development.

With a background as a litigator, employment lawyer, and lobbyist, Marie served as the general counsel of Ibec, the largest Irish lobby and business representative group, for over 16 years before joining the firm. She was responsible for ensuring competition compliance for 38 trade associations and also developed a data protection compliance regime in recent years.

Marie has significant corporate governance experience in the private and public sector having also served as a Board member of two Irish regulators.

Marie is a member of the Irish Company Law Review Group appointed by the Minister of Business Enterprise and Innovation, and was deeply involved in the drafting of the comprehensive new Companies Act 2014.