The Irish Data Protection Commission (DPC) on Thursday announced a fine of 5.5 million euros (U.S. $5.9 million) against WhatsApp for requiring users to agree to new terms and conditions or lose access to the service in violation of the General Data Protection Regulation (GDPR).
The Irish DPC has issued three penalties against Meta firms this year for comparable GDPR violations. The regulator announced fines of €210 million ($223 million at the time) against Facebook and €180 million ($191 million at the time) against Instagram on January 4.
All three fines will be challenged by Meta.
Prior to the GDPR's entry into force in May 2018, WhatsApp informed users that they would need to either agree to new terms and conditions about how the platform would use their personal data or leave. Acceptance, according to WhatsApp, would create a "contract" and provide a legal foundation for the processing of personal data aimed at enhancing the platform's security and service levels.
While WhatsApp may have violated the GDPR's principle of transparency by failing to properly warn users about the changes, the regulator did not immediately perceive forced consent as a violation of the rules, according to the Irish DPC.
The European Data Protection Board (EDPB) disagreed once more, asserting that relying on a contract's legal basis constitutes a violation of Article 6(1) on authorized processing.
WhatsApp was mandated to comply with the regulations regarding data processing within six months as part of the enforcement action. A WhatsApp spokesperson expressed WhatsApp's disagreement with the ruling and stated that the company "strongly believes that the way the service operates is both technically and legally compliant."
There will undoubtedly be further inquiries as to why it took the Irish DPC—the EU's primary supervisory body for many Big Tech firms—4 1/2 years to make a decision, why it was unable to reach an agreement with other EU data regulators, and why the EDPB had to modify the Irish DPC's original decision.
The Irish DPC claimed that in making its decision to pay WhatsApp only €5.5 million, it took into account the €225 million (at the time, $267 million) fine imposed on the firm in September 2021 for essentially the same violations committed over the same time period.
Max Schrems, a privacy activist, criticized the Irish DPC in a blog post for imposing what he believed to be a relatively light penalty and for focusing the investigation only on Meta's use of data to enable service and security improvements rather than examining WhatsApp's use of personal information to direct behavioral advertising (as in the Facebook and Instagram decisions).
The Irish DPC was instructed by the EDPB to look into whether WhatsApp processes data and shares it with outside parties in order to generate advertising revenue. The EDPB was challenged by the Irish DPC, who said that it lacked the power to issue such a directive or "direct an authority to engage in open-ended and speculative investigation." To stop potential EDPB overreach, it is thinking about taking its case to the Europe's supreme court, the Court of Justice of the European Union.
By fLEXI tEAM