EU Data Protection Authorities (DPAs) continue to step up enforcement of its omnibus privacy regulation, the General Data Protection Regulation (GDPR). In July, Luxembourg’s DPA levied a record 746 million-euro ($887M) penalty against Amazon and now Ireland’s Data Protection Commission (DPC) has followed suit with a 225 million-euro ($267M) fine against Facebook-owned WhatsApp for violating the rules of the GDPR.
Why was WhatsApp Fined?
The fine comes after a 2-year investigation into whether WhatsApp has "discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp's service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies."
During this investigation, the DPC determined that WhatsApp does not give European citizens enough information about how their data is collected and used, and how WhatsApp shares that data with other entities such as Facebook.
The DPC initially submitted a draft decision to all Concerned Supervisory Authorities (CSAs) in December 2020, in which the DPC proposed a lower fine. However, the proposal received objections from several other EU nation’s CSAs, who did not think the proposed fine was harsh enough. Under Article 65 of the GDPR, a dispute resolution process was triggered, which gave the European Data Protection Board (EDPB) the power to make a binding decision on the issue.
The decision given to the “contained a clear instruction” that r the DPC reassess and increase its proposed fine. Following this reassessment, the DPC imposed the fine of €225 million on WhatsApp.
The DPC also ordered WhatsApp to take “a range of specified remedial actions” to correct its compliance issues.
For their part, WhatsApp has vowed to appeal the decision, which spokespeople called “entirely disproportionate.”
What Data Does WhatsApp Share with Facebook?
WhatsApp shares phone numbers, transaction data, business interactions, mobile device information, IP addresses, and other information with Facebook. It does not share personal conversations, location data, or call logs.
Are More Enforcement Actions Imminent?
The GDPR allows for serious fines: from 20 million Euros up to 4% of annual global turnover. These fines are meant to be a deterrent strong enough to convince big tech companies that it is worth changing their behavior to comply with the GDPR. But major enforcement actions have been few and far between since the law went into effect in May 2018.
This may be because it has taken time for the EU courts to codify exactly how the letter of the law should be followed, or because the EU does not prosecute GDPR fines. That is up to the courts of the member state in which a given company is headquartered. For nations keen on attracting (or keeping) the jobs and tax revenue that a multinational tech corporation brings, that can create a conflict of interest.
Whatever the cause, the effect is clear: when enforcement is lax, so is compliance. In fact, a recent survey of EU businesses’ cookie consent forms found that 81% were missing “reject all” buttons, a crucial facet of the law’s consent guidance.
But enforcement actions are trending up—way up. Fines increased 40% in 2020 over the previous 20 months and are on track to quadruple 2020’s total in 2021 if the fines against Amazon and WhatsApp survive the appeals process.
And there are more enforcement actions inbound. In July alone, France’s DPA, the CNIL, issued 40 formal notices of noncompliance for cookie consent banners.
Stay Out of Regulators Crosshairs with Ensighten
Ensighten offers organizations a solution to help maintain full website compliance with the GDPR, CCPA, LGPD, and many more laws and frameworks.
With Ensighten Consent Management Plus (CMP+), you can set up customizable consent banners for and give your customers a clear-cut choice on how their data is used, or whether it is collected at all.
You can also use Ensighten to perform a full audit of your website—up to 5000 pages—so you can understand which cookies and tracking technologies are in use and identify potential security or compliance issues.
Request a demo today to see how Ensighten can help your organization stay compliant with evolving regulations worldwide.
Jeff Edwards
Jeff Edwards is a tech writer and analyst with six years of experience covering compliance, information security, and IT. Jeff previously worked as a reporter covering Boston City Hall.
