WhatsApp fined €5.5m by Irish data watchdog

Messaging app WhatsApp has been fined €5.5m by the Irish Data Protection Commission for breaches of the General Data Protection Regulation (GDPR).

The company has also been directed to bring its data processing operations into compliance within a period of six months.

WhatsApp said it disagreed with the decision and that it intends to appeal.

"We strongly believe that the way the service operates is both technically and legally compliant," a WhatsApp spokesperson said.

"We rely upon contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service," they added.

It follows a complaint from a WhatsApp user relating to a request to click "agree and continue" to accept updated terms of service on the app.

The complainant argued that WhatsApp was "forcing" them to consent to the processing of their personal data for service improvement and security.

The DPC found there was a lack of transparency but decided not to impose a fine because WhatsApp had already received a substantial fine of €225m for similar breaches.

The DPC's fellow European data watchdogs agreed with this position.

However, there was disagreement with the DPC's view on the issue of contract legal basis.

The European Data Protection Board (EDPB) found that WhatsApp was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security.

The EDPB issued a binding resolution to the DPC resulting in the €5.5m fine being imposed today.

The EDPB also directed the DPC to conduct a fresh investigation into WhatsApp's processing operations

The DPC says that this may amount to an "overreach" by the EDPB as it does not have the powers to compel data watchdogs to launch investigations.

The DPC says it will bring an action for annulment before the Court of Justice of the European Union in order to seek the setting aside of the EDPB's direction.

In two related cases, the DPC imposed fines totalling €390m against Facebook and Instagram earlier this month.

The DPC has now imposed fines of more than €1.3bn on Meta, the parent company of Facebook, Instagram and WhatsApp.

In November 2022, Meta was fined €265m by the DPC following a data breach which saw the personal details of hundreds of millions of Facebook users published online.

In September 2022, Meta lodged an appeal in the High Court against a record fine of €405m imposed on Instagram by the DPC.

It was the largest fine ever handed down by the Irish data watchdog and was issued for breaches relating to the processing of children's data.

In September 2021, the DPC fined Meta-owned WhatsApp €225m for infringements of data protection rules.