Ireland’s data regulator on Thursday fined WhatsApp €225 million for violating Europe’s privacy rules — a more than four-fold increase in the penalty compared to what the watchdog had initially proposed.
The multi-million euro fine is the second-highest to be levied under the European Union’s General Data Protection Regulation, which came into force in 2018 and allows regulators to slap companies with penalties of up to 4 percent of their annual revenue if they mishandle people’s data. Luxembourg’s data protection authorities imposed a record-setting €746 million fine on Amazon in July.
Coming in quick succession, the privacy penalties against the tech giants signal an uptick in enforcement of the 27-country bloc’s rulebook that has been criticized for failing to rein in Big Tech’s worst data abuses. So far, Silicon Valley’s biggest names have mostly sidestepped the new rules — and even benefited disproportionately from them — while China just passed its own global data protection standards that may give the EU a run for its money in how other countries view privacy standards.
The Facebook-owned messaging app was hit with the fine — the highest ever fine for the company within the EU — for failing to live up to transparency requirements, including how it explains its use of people’s personal information, under Europe’s privacy rules. The enforcement action will also require WhatsApp to change its handling of people’s data to bring it in line with the GDPR.
„We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate,“ a WhatsApp spokesperson said. „We will appeal this decision.”
The sum marks a significant increase on the Irish regulator’s proposed €30-50 million fine announced in in January. The fine comes after Ireland triggered a formal dispute resolution mechanism required to resolve disagreements with other EU privacy regulators over the size of the eventual penalty. The amount is also considerably higher than the €77.5 million Facebook earmarked for a likely privacy fine against its messaging service WhatsApp last November.
In a press release, the Irish regulator said that Europe’s network of privacy regulators the EDPB on July 28 ordered it to reassess and increase its proposed fine after objections to the original penalty from eight other EU regulators.
It is not the first time Ireland has had to resort to formal means to quell disagreements between Europe’s data protection regulators over its enforcement against U.S. companies.
Dublin handles the majority of such investigations because many of the American tech giants are headquartered locally, mostly to take advantage of the country’s low corporate tax regime. Previously, the Irish regulator used the same dispute resolution mechanism to levy a €450,000 privacy fine against Twitter last year.
This will not be the last time that Dublin tussles with Facebook over potential privacy violations.
Currently, the agency has 15 investigations, including the one involving the €225 million upcoming fine, into how the social networking giants handles people’s personal information. That includes a probe into whether WhatsApp can legally share its users‘ data with Facebook’s other digital services, among other privacy-related concerns. Other Big Tech companies also under scrutiny by the Irish are Apple, Google, Microsoft, Twitter and Verizon, respectively, according to the regulator’s most-recent annual report.
WhatsApp also found itself in a separate privacy standoff earlier this year after it updated its policies to explain to its roughly two billion users worldwide about how it shared their data with other parts of the Facebook world. That led to an extensive backlash, including people switching to rival messaging apps like Signal, though the majority of individuals have remained on WhatsApp.