The messaging service, owned by Facebook, was fined €225 million for breaking data protection rules in Ireland.
The Ireland’s Data Protection Commission (DPC) handed down the fine, as WhatsApp Ireland neglected to convey critical data protection and transparency info to users. This is the biggest fine the DPC has ever issued, and it is the second-largest penalty ever handed out to an organization in EU data protection regulations.
The ruling states that WhatsApp failed to provide information on the collection of data, which resulted in the following issues: “in a concise, transparent, intelligible and easily accessible form, using clear and plain language”; the failure to provide information about where user data is stored and the people they can contact; the failure to notify users of where their data is obtained and who obtains it; and the failure to notify users when their personal data is obtained and processed from third parties.
Back in July, the European Data Protection Board instructed the DPC to double its initial proposed fine and then review the matter. This action came after a meeting where it was decided that a board investigation and fine increase were warranted. Using that information, they arrived at a figure of €225 million.
WhatsApp says the fine is “entirely disproportionate” and it is going to appeal. A spokesperson for the company said in a statement that the issues in question related to policies in place in 2018, adding that “WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so”.