October 27, 2021

Volume XI, Number 300

Advertisement
Advertisement

October 26, 2021

Subscribe to Latest Legal News and Analysis

October 25, 2021

Subscribe to Latest Legal News and Analysis

GDPR: Irish Supervisory Authority Fines Whatsapp 225 Million

Further to investigations initiated by the Data Protection Commission (or DPC, the Irish supervisory authority) in 2018, Whatsapp Ireland Limited has received a EUR 225 million fine on 2 September 2021. The company infringed multiple GDPR provisions including in relation with the information provided to data subjects which breached the obligation to ensure transparency of processing (Articles 13 and 14 GDPR).

Following GDPR’s one-stop-shop mechanism and as WhatsApp operates cross-border flows of personal data, the DPC had initially been designated as lead supervisory authority (‘LSA’). Article 60 GDPR requires the LSA to submit a draft decision to its impacted counterparts across the European Union (the ‘Concerned Supervisory Authorities’). Such draft has been submitted in December 2020 and the Hungarian, Portuguese, Italian, French, Dutch, Polish, German (local and federal) Concerned Supervisory Authorities unanimously raised objections to the DPC in January 2021. The objections mostly addressed the lax approach by the DPC in the assessment of WhatsApp’s breach of GDPR as well as the amount of the initially contemplated fine in view of the dozens of millions of individuals affected by such breach across the European Union.

This resulted in a non-consensual situation, escalading to the dispute resolution process under Article 65 GDPR conducted by the European Data Protection Board (EDPB). The binding decision, adopted on 28 July 2021 and subsequently notified to the DPC, required the Irish supervisory authority to reassess and increase the fine, thus leading to the second-highest fine under GDPR since its entry into force in 2018.

Copyright 2021 K & L GatesNational Law Review, Volume XI, Number 251
Advertisement

About this Author

Claude-Étienne Armingaud, KL Gates, Paris, data protection lawyer, commercial contracts attorney
Partner

Claude-Etienne Armingaud’s practice focuses on the representation of public and private companies in the area of information technologies and intellectual property law. Mr. Armingaud provides counsel to his clients at all stages of their corporate life cycle and in wide-ranging transactions, including in connection with litigation compliance matters, intellectual property protection and development, data protection strategic operations, and other commercial contracts.

Mr. Armingaud regularly advises start-up companies in matters relating to...

33-0-1-58-44-15-16
Associate

Camille Scarparo is an associate at the firm's Paris office. She is a member of the Technology Transactions and Sourcing practice group.

+33.(0)1.58.44.15.11
Advertisement
Advertisement
Advertisement