On 2 September 2021, the Irish Data Protection Commission (DPC) imposed a fine of EUR 225 million on WhatsApp Ireland Ltd. The decision rests on the finding that WhatsApp failed to comply with its transparency obligations under the General Data Protection Regulation (GDPR).
Background and reasoning of the fine
Since the GDPR took effect in 2018, WhatsApp’s privacy practices have led a number of users and non-users to file complaints with the DPC, alleging that WhatsApp does not comply with the transparency obligations under the GDPR. In particular, WhatsApp has been accused of not sufficiently informing its users when passing their data on to other Facebook companies.
Following its investigation of these complaints, on 2 September 2021 the DPC issued a fine of EUR 225 million against WhatsApp Ireland Ltd (see also the press release of the DPC). Initially, the DPC had intended to impose a significantly lower fine of EUR 30 to 50 million. However, a number of other national data protection authorities objected, arguing that the fine was too low given the number and severity of the violations. When the national data protection authorities were unable to reach an agreement, on 28 July 2021 the European Data Protection Board (EDPB) issued a binding decision that upheld many of the objections raised by the intervening authorities and required the DPC to amend and increase its proposed fine. Additionally, the EDPB reprimanded WhatsApp and ordered it to bring its data processing into compliance.
WhatsApp considers the EUR 225 million fine “entirely disproportionate” and has already announced its intention to appeal the decision. The DPC’s fine is indeed one of the highest GDPR fines to date, which shows once again that non-compliance with the GDPR can have serious financial and reputational repercussions for companies. It is nonetheless far from the maximum: the GDPR allows data protection authorities to impose fines of up to EUR 20 million or up to 4 % of a company’s annual global turnover, whichever is higher, and the fine against WhatsApp amounts to only 0.8 percent of WhatsApp’s annual turnover.
Transparency obligations under the GDPR
The DPC’s decision should, in particular, prompt companies to review and ensure their compliance with the transparency obligations under the GDPR. These obligations follow from the data subjects’ right to be informed. Art. 13 GDPR sets out the transparency obligations where personal data are collected directly from the data subject, and Art. 14 GDPR where personal data are obtained from third parties or public sources.
Art. 13 and 14 GDPR require you, for instance, to provide data subjects with the following information when processing their personal data:
- Name and contact details of the controller and, if applicable, a representative and/or a data protection officer;
- Legal basis and purposes of the processing; if the processing is based on legitimate interests, a separate list of the legitimate interests pursued;
- Recipients or categories of recipients of personal data;
- Information on data transfers to third countries or international organisations outside the EU;
- Retention period of personal data;
- Information on the rights of data subjects under Art. 15-21 GDPR.
Moreover, Art. 12 (1) GDPR requires you to provide this information to data subjects in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”. Read our detailed guide to your transparency obligations under the GDPR.
Further legal implications of the decision
The EDPB’s decision on WhatsApp also provides some useful guidance for companies. In particular, it contains clarifications on transparency obligations if data is processed on the basis of legitimate interests (see Art. 13 (1) (d) GDPR) and if personal data is transferred to third countries (see Art. 13 (1) (f) GDPR).
According to the EDPB, if you process personal data on the basis of legitimate interests, your company has to identify the specific legitimate interest for each relevant processing activity. This means that your privacy notice has to contain sufficiently detailed information on what personal data you collect, each processing purpose, and the legitimate interest you pursue in relation to each of these processing activities. This ensures that data subjects can exercise the rights the GDPR grants them. A failure to do so can amount to a violation of the transparency principle and, therefore, expose your company to high fines.
Moreover, if your company transfers data to countries outside the EU, you must inform data subjects not only that you intend to transfer data to third countries or international organisations outside the EU, but also whether or not there is an adequacy decision by the EU Commission for the respective countries.
Finally, the EDPB decision has provided some insight into how GDPR fines are determined. First, the EDPB clarified that, even where multiple violations have been committed in the context of the same or related data processing activities, all of these violations are relevant to the determination of the fine; however, the total fine must not exceed the amount set for the most severe violation. In addition, it was once again emphasised that the term “undertaking”, in line with European case law, also encompasses all affiliated companies (in this case: WhatsApp and Facebook), so that their combined annual turnover can form the basis for a fine.