On Thursday, Ireland’s Data Protection Commission (DPC) announced the conclusion of a data processing inquiry into WhatsApp Ireland Limited, resulting in an administrative fine of €5.5 million for breaches of the General Data Protection Regulation (GDPR), described as the strongest privacy and security law in the world. The penalty against WhatsApp Ireland follows much bigger assessments levied against its parent company Meta Platforms over Instagram and Facebook ad delivery services that transgressed the GDPR.
The prior, combined €390 million fine, levied just two weeks ago by the DPC against Meta, similarly concerns WhatsApp’s approach to obtaining consent from users for the processing of their personal data. Both inquiries date to May 2018, and specifically, the day the GDPR was enacted.
In relation to WhatsApp, a German user complained that changes to the messaging platform’s terms of service, updated prior to the law’s inception, were not allowed under the GDPR. The user argued that, by conditioning the use of its services on users accepting the updated terms, WhatsApp was in fact “forcing” users to consent to the processing of their personal data for service improvement and security.
The DPC and another regulatory body, a collection of entities called the Concerned Supervisory Authorities, disagreed on the legality of WhatsApp’s changes.
The matter was forwarded to the European Data Protection Board (EDPB), which reached a resolution in December 2022. The final decision, adopted by the DPC earlier this month, reflects the EDPB’s binding determination that WhatsApp’s terms of service were out of step with the GDPR.
The EDPB also directed the DPC to conduct a fresh investigation spanning all of WhatsApp’s data processing operations to determine compliance under relevant GDPR provisions.