Irish Commissioner Fines WhatsApp €225 Million For GDPR Violations
On September 2, 2021, Ireland’s Data Protection Commission (“DPC”) announced a fine of €225 million ($266 million) against WhatsApp Ireland Ltd (“WhatsApp”) for failure to meet the transparency requirements of Articles 12-14 of the EU General Data Protection Regulation (“GDPR”). This fine represents a more than four-fold increase over the €30-50 million fine that was proposed in a draft decision issued by the DPC in December 2020. Due to the cross-border nature of WhatsApp’s data processing activities, the DPC’s draft decision was reviewed by other relevant supervisory authorities, as required by the cooperation and consistency mechanism under Chapter VII of the GDPR. Eight other EU regulators objected to the DPC’s draft decision. Their objections were referred to the European Data Protection Board (“EDPB”), in accordance with the dispute resolution procedure under Article 65(1)(a) of the GDPR, after the DPC failed to reach a consensus with the objecting regulators.
The DPC began its investigation into WhatsApp in December 2018 after receiving numerous complaints from individuals regarding WhatsApp’s data processing activities, and a mutual assistance request from the German Federal Data Protection Authority with respect to WhatsApp’s compliance with EU data protection law. The investigation focused on whether WhatsApp had complied with its transparency obligations under the GDPR, particularly regarding the sharing and processing of personal data by and with other Facebook companies (Facebook acquired WhatsApp in 2014). The DPC identified breaches of Articles 12-14 of the GDPR with respect to both users and non-users of its services, determining that WhatsApp had failed to provide appropriately clear, transparent or sufficient information concerning its processing activities. As one example, the DPC found that WhatsApp had failed to identify with sufficient granularity the legal basis for each processing activity, as required under Article 13(1)(c) of the GDPR. With respect to transfers of personal data to non-EEA jurisdictions, the DPC determined that WhatsApp’s statement that transfers “may” rely on adequacy determinations was insufficient to comply with Article 13(1)(f) of the GDPR. Instead, the DPC found that WhatsApp should have definitively identified whether or not an adequacy decision existed to support the transfer of specific categories of data.
The EDPB adopted a dispute resolution decision on the matter in July 2021, which recommended a reassessment of the fine on the company. The EDPB published its July decision following the DPC’s announcement on September 2, 2021, and the DPC referred to the EDPB’s decision as the rationale for its significantly increased fine, stating: “This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision.”
In particular, the EDPB disagreed with the DPC’s initial finding that WhatsApp had complied with the requirement to set forth its legitimate interests when relying on this legal basis for processing (as required under Article 13(1)(d) of the GDPR). The EDPB stated that the specific interest must be identified for each relevant processing activity, which is the only way to ensure that data subjects can exercise their rights under the GDPR. The EDPB also found that the cumulative effect of WhatsApp’s failures to ensure transparency had resulted in a breach of the transparency principle under Article 5(1)(a) of the GDPR, due to the “gravity and the overarching nature and impact of the infringements.” This was an additional violation of the GDPR identified by the EDPB after the issue was raised by several regulators’ objections.
With respect to the fine initially proposed by the DPC, the EDPB determined that the consolidated turnover of Facebook Inc., WhatsApp’s parent company, should have been taken into account in calculating the fine because the DPC had presented Facebook and WhatsApp as a single undertaking in its draft decision. Further, under CJEU case law, when a parent company and its subsidiary form the single undertaking that is held liable for a violation of law committed by the subsidiary, the total turnover of its component companies determines the financial capacity of the single undertaking in question. The EDPB also found that turnover was relevant to the calculation of the fine itself, and not only to ensuring that the fine did not exceed the caps under Article 83(4)-(6) of the GDPR (as the DPC had proposed). The EDPB determined that all fines must be effective, proportionate and dissuasive, which impliedly requires a consideration of turnover. In addition, the EDPB clarified that where multiple violations have been committed within the context of the same or linked processing activities, all such violations should be considered in the calculation of the relevant fine for the purposes of Article 83(3) of the GDPR, even though the total fine should not exceed the amount specified for the gravest violation.
Finally, the EDPB held that WhatsApp must bring its processing activities into compliance within three months, as opposed to the original six-month time period proposed by the DPC, given the primary importance of compliance with the GDPR’s transparency principle. WhatsApp also must update its privacy notices for both users and non-users to include the information required under Articles 13 and 14 of the GDPR, including to clarify how users can lodge a complaint with a supervisory authority with respect to WhatsApp’s processing activities.
WhatsApp has stated that it will appeal the decision.