The Facebook-owned messaging service was set for a lower fine from Ireland’s data protection commissioner until EU counterparts complained that the sum was too low.
The Irish Data Protection Commissioner has imposed a €225m fine on Facebook-owned Whatsapp, Europe’s second largest penalty so far under GDPR privacy laws.
However, it did so only after being ordered to raise the amount by an EU data oversight board.
Whatsapp’s fine is for inadequately explaining to users how it processed personal data.
Helen Dixon’s office had intended to impose a lower fine, believed to be under €100m. But other EU regulators complained that the proposed amount, which was revealed to them under EU consultation rules, was too low. The regulators appealed to the European Data Protection Board (EDPB), which then instructed Ireland’s regulator to raise the fine.
WhatsApp says that the fine, second only to Luxembourg’s €746m penalty imposed on Amazon this year, is unfair and that it will appeal.
The decision comes amid tension between the Irish Data Protection Commission (DPC) and a number of other EU regulators, who claim that Ireland’s data watchdog is too soft on big tech firms.
During the WhatsApp decision-making process, a total of eight European regulators protested about the level of the fine proposed by the Irish DPC.
“The DPC received objections from eight CSAs [Concerned Supervisory Authorities],” a spokesperson said. “The DPC was unable to reach consensus with the CSAs on the subject matter of the objections and triggered the dispute resolution process [Article 65 of GDPR] on June 3rd. On July 28th, the European Data Protection Board adopted a binding decision and this decision was notified to the DPC. This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB's decision and following this reassessment the DPC has imposed a fine of €225m on WhatsApp.”
As well as the fine, the DPC has ordered WhatsApp to “bring its processing into compliance” by taking a range of specified remedial actions.
The size of the upscaling in the fine may indicate just how much of a gap exists between the Irish data regulator and EU agencies when it comes to infractions by big tech firms.
WhatsApp says that it has already amended its privacy notification and that the decision is unduly harsh compared to other GDPR rulings.
“We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate,” a spokesperson for the company said.
“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so.”
WhatsApp’s sense of grievance may come from looking at much lower fines imposed on other tech giants for similar privacy faults. In 2019, Google got a €50m fine for not informing users about data procession, not dissimilar to the Irish WhatsApp case.
Its appeal may also try to argue that part of the remedy — to add hundreds of words in the terms and conditions — won’t do much to actually inform users about their rights.
But any appeal will also have to overcome US tech companies’ unpopularity in the EU. Giants such as Amazon, Google, Apple and Facebook have attracted criticism for a variety of reasons, from tax avoidance to privacy to domination of cultural issues.
The WhatsApp fine is the first large financial penalty that the Irish DPC has imposed. Last year, it levied a €450,000 fine on Twitter for delaying notification of a data breach. The size of the fine was criticised by some European regulators as being too low.