The Irish Data Protection Commission (DPC) has announced a €225 million fine against WhatsApp Ireland Ltd for breaches of the GDPR. It is the second highest fine ever issued under the GDPR. The fine followed breaches by WhatsApp of its GDPR transparency obligations to users and non-users in relation to how their data was processed and shared with parent company Facebook under Articles 5(1)(a), 12, 13 and 14 of the GDPR.

The decision distinguishes between users and non-users of WhatsApp’s service as transparency obligations are owed to both, demonstrating that data controllers owe a clear duty to non-users to explain how their personal data is being processed. In this case, WhatsApp accessed users’ phone books to collect phone numbers of non-users. The DPC found this information constituted personal data and that there was a lack of transparency in relation to how WhatsApp shared its user data with the Facebook group of companies.

The fine is significant for two reasons. First, there was disagreement among national supervisory authorities as to the size of the fine. Eight supervisory authorities submitted objections, including those of Germany, France and Italy. Helen Dixon, Irish Commissioner for Data Protection, had originally proposed a fine in the range of €30-50 million. As the supervisory authorities failed to reach agreement, the matter was referred to the European Data Protection Board (EDPB) under the Article 65 dispute resolution mechanism of the GDPR. In July, the EDPB issued a binding decision ordering the DPC to reassess and increase the fine, which it has now done.

Second, Ireland as a jurisdiction has seen relatively few fines issued. Given its popularity with big tech firms as a base for their European headquarters, there has been discomfort in some quarters about a perceived lack of enforcement by the DPC. In March, Ulrich Kelber, Germany’s federal commissioner for data protection, wrote to the European Parliament to complain about this lack of action and privacy campaigner Max Schrems said of the case: “the DPC gets about ten thousand complaints per year since 2018 and this is the first major fine.”

Following the EDPB’s binding decision, WhatsApp has three months to comply with the remedial measures – reduced from six months in the DPC’s original decision.

Following the DPC’s final decision in this case, companies should ensure that:

  • Their privacy policies are clear, concise and comprehensive in accordance with the Article 29 Working Party Guidelines on Transparency
  • Non-users, as well as users, are informed as to how their personal data is processed
  • Where personal data is shared among a group of companies on a controller-to-controller basis, the company’s privacy policy is transparent about this
  • Where legitimate interests are relied upon as a basis for processing, the legitimate interests the company pursues in relation to each processing operation are specified

These issues pose significant risk to all marketing teams and the fine clearly highlights how leaders need to prioritise privacy by design. HewardMills has a depth of experience helping marketing teams identify best practice and reduce business risk. Please contact us to discuss how we can support your marketing teams immediately.