On 2nd September 2021 the Irish Data Protection Commission ("DPC") imposed its biggest fine to date on WhatsApp, the messaging app owned by Facebook.
In its reasoning (available here) the DPC considered both the information provided by WhatsApp to its users and, perhaps more importantly, the lack of information provided to non-users. Namely, it was held that the available 'Contact Feature' includes phone numbers of non-users, which constitute personal data even after the lossy hashing process (a process that reduces the size of a file by removing certain data). This feature leaves non-users unaware of the processing of their personal data, thus violating article 14 of the GDPR. In the decision the DPC also deemed inadequate the information provided to users on data sharing between WhatsApp and the rest of the Facebook-owned companies.
During the investigation process of nearly 3 years, the DPC initially proposed a fine of EUR 30-50 m. However, after the objections of numerous Supervisory Authorities ("SAs"), the dispute resolution mechanism under article 65(1) GDPR was triggered. With its binding decision (available here), the European Data Protection Board ("EDPB") urged the DPC to reassess the fine, among other reasons, due to the global annual turnover of Facebook (the parent company). The DPC responded accordingly by raising the administrative fine to the record EUR 225 million.
The significance of this decision is not solely the record fine, nor the stricter transparency requirements on data sharing with parent companies. It is mostly the intention of the EDPB to impose stricter fines on tech giants. Though the EDPB's decision is binding only for this specific dispute, it sets the tone for future SAs' decisions and allows them to impose significant fines for similar infringements to ensure consistency.
In response, WhatsApp doubted the proportionality of the fine and stated it will appeal the ruling. It remains to be seen whether the appeal will successfully lower the fine for the messaging app.
For now, besides the administrative fine, WhatsApp has a 3-month deadline to ensure its processing becomes GDPR compliant and to increase transparency for both users and non-users.