The Irish privacy watchdog DPC fined WhatsApp 225 million euros because it would not be clear enough to users what data is collected and what is done with it. Parent company Facebook disagrees and is challenging the decision.
The DPC conducted the research in the context of the GDPR, the European privacy law that has been in force since 2018. It is the second highest fine to date from the GDPR, after Amazon was previously fined 746 million euros. Originally, an amount of 50 million euros was envisaged, but this became much higher after supervisors from other countries also became involved in the investigation.
It is striking that some of the privacy violations found relate to people who do not use WhatsApp at all. Their telephone numbers are still known to WhatsApp, because the app requests access to the address book. Although that data is stored encrypted, these numbers could still be traced back to individuals. Furthermore, it would be far too unclear what exactly WhatsApp does with users’ personal data and to what extent this is shared with Facebook.
Last word not said yet
Facebook initially seemed willing to cooperate, by setting aside just under 80 million euros for the fine that was still pending at the time. But now the parent company behind WhatsApp calls the new amount disproportionate. In addition, Facebook states that WhatsApp’s privacy policy is now more transparent about data collection and exchange. Because the company will appeal against the ruling, it is expected that it will take years before a definitive decision is reached.
