Date: 2023-01-19

WhatsApp has been fined €5.5m by the Irish Data Protection Commissioner (DPC) for breaches of data protection law.

The fine has been levied for breaches similar to those that saw WhatsApp sister companies Facebook and Instagram attract fines of €390m earlier this month.

The fine relates to the messaging service trying to unlawfully force users to accept changes to its terms of service.

However, the DPC said that the fine was being kept to a relatively low level because it had already fined WhatsApp €225m “for breaches of this and other transparency obligations over the same period of time” and so would “not propose the imposition of any further fine or corrective measures, having done so already in a previous inquiry”. The Irish regulator said that “all 47 [European regulators] agreed with this element of the DPC’s draft decision”.

WhatsApp has also been given six months to bring its data processing structures into compliance with GDPR.

Meta has been fined a total of over €1.3bn in the last 16 months.

While the Irish regulator found against WhatsApp on a lack of transparency, it did not disagree that the tech giant could rely on a “contract” with users. When this draft decision was circulated to other EU privacy regulators, several of them objected to the Irish DPC’s “contract” position.

The matter was referred to the European Data Protection Board (EDPB), which agreed that “contract” could not be relied on as a means of legitimising the processing of personal data in this case.

WhatsApp is to appeal the decision.

“WhatsApp has led the industry on private messaging by providing end-to-end encryption and layers of privacy that protect people,” a spokesperson said in a statement.

“We strongly believe that the way the service operates is both technically and legally compliant. We rely upon contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service. We disagree with the decision and we intend to appeal.”

The Irish regulatory office has also pushed back on efforts by the European Data Protection Board (EDPB) to force it to conduct a new inquiry into WhatsApp.

“The EDPB has purported to direct the DPC to conduct a fresh investigation that would span all of WhatsApp Ireland’s processing operations in its service in order to determine if it processes special categories of personal data, processes data for the purposes of behavioural advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies for the purposes of service improvements, and in order to determine if it complies with the relevant obligations under the GDPR,” the regulator said.

“The DPC’s decision naturally does not include reference to fresh investigations of all WhatsApp data processing operations that were directed by the EDPB in its binding determination. The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR. To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the European Union in order to seek the setting aside of the EDPB’s direction.”