Ireland’s Data Protection Commission (DPC) fined Facebook-owned WhatsApp €225 million (approximately $267 million) for violating GDPR privacy laws. It’s the largest fine that Ireland’s DPC has ever issued. The fine follows an investigation that began on 10 December 2018.
The DPC’s investigation examined if WhatsApp was transparent in how it handled the data of WhatsApp users and non-users. Part of the investigation looked at how data was processed between WhatsApp and other companies owned by Facebook.
The investigation was lengthy, looking into how WhatsApp collects, stores, and shares user data. It also looked into if WhatsApp’s policies regarding data are clearly communicated. The final decision breaking down the results (PDF) of the investigation is over 260 pages.
On top of fining WhatsApp, the DPC reprimanded the company:
In addition to the imposition of an administrative fine, the DPC has also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.
Facebook disagrees with the decision of the DPC. “We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” said a WhatsApp spokesperson. “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate” (via PCMag).
The DPC initially sought a €50 million fine, but separate European data regulators pushed Ireland’s regulators to raise the fine.