Irish DPC fines WhatsApp EUR5.5 Million for violating GDPR

After confirming that WhatsApp Ireland had violated the General Data Protection Regulation (GDPR), the Irish Data Protection Commission (DPC) has fined WhatsApp Ireland EUR5.5 million ($5.95m).

WhatsApp was ordered by the authority to comply with data processing regulations within six months or face a new penalty.

After receiving a complaint from a German data subject, the DPC opened an investigation into WhatsApp’s potential violations of the Regulation.

WhatsApp also updated its Terms of Service on the same day and asked EU-based users who were using the app to agree to the new terms by clicking the Continue Access button.

User consent ignored

The DPC was notified that WhatsApp made it mandatory for users to agree to the new changes in order to use the app. Users had to agree to be contacted for their personal information to allow them to use the app.

This is against GDPR, which requires consent to be freely given and clearly understood by the user.

After a thorough investigation, the DPC reached the following conclusions:

  1. WhatsApp Ireland didn’t clearly state the legal basis for or explicit reasons behind the request to process user data, which is in violation of Articles 12 and 13.
  2. WhatsApp Ireland is not in violation of Article 7 by using forced consent. This is because WhatsApp Ireland did not use user consent to deliver its services or as a legal basis for processing user data.

Because the DPC has already issued hefty fines against WhatsApp for similar reasons, it will not add to the existing penalty on the first point.

“The DPC has already placed a substantial fine of EUR225 million on WhatsApp Ireland, for breaching this and other transparency obligations during the same time period. However, it did not propose any additional fines or corrective actions, as they had done in a prior inquiry.” Read the reasoning of the .

On the second point, the DPC rejected the allegations of German data subjects. However, the matter does not end there, as the German Supervisory Authority will now also examine the complaint.

WhatsApp Ireland was fined EUR5.5 million for violating GDPR. The violation relates to “lawfulness in processing”, which calls for transparency, fairness, and lawfulness in data processing.

The DPC will also launch an investigation into all WhatsApp processing operations to determine whether there are any GDPR violations regarding “processing special categories of personal data.”

Data protection authorities want to know if WhatsApp uses sensitive data in marketing and behavioral advertising, and if this data is shared with third parties.

WhatsApp told BleepingComputer that it plans to appeal the DPC’s decision, as it feels its service operates in compliance with the law. Here is the complete comment from a WhatsApp spokesperson about the DPC’s decision.

WhatsApp is a leader in private messaging. It provides encryption at all stages and privacy layers that help protect users. The service’s operation is technically and legally sound, we believe.

Because we are committed to offering innovative products and keeping people safe, we rely on the contractual necessity of service improvement and security. We are not satisfied with this decision, and intend to appeal.