The Irish Data Protection Commission (DPC) has been perceived as meek about imposing General Data Protection Regulation (GDPR) fines on the large tech companies based in its jurisdiction.
A $267 million fine on WhatsApp is the first significant amount the Irish regulator has assessed, but it comes amid allegations that a number of other privacy complaints were ignored in the decision-making process.
WhatsApp GDPR fine does not conclusively answer questions about the Irish DPC’s engagement
WhatsApp was fined 225 million euros after an investigation lasting almost three years. The investigation was driven by data protection activist Max Schrems, who also succeeded in having data transfers between the European Union and the USA declared invalid in a separate procedure against WhatsApp parent Facebook, which was settled last year. Schrems filed complaints about WhatsApp's alleged “forced consent” policies in late 2018, claiming that it (and several other social media giants) essentially pressured users to accept their privacy policies under threat of otherwise being refused services.
Although the Irish DPC has imposed its largest GDPR fine to date and the second largest in EU history, questions and criticisms remain about its willingness to regulate the golden geese nesting in its country (mainly due to favorable tax conditions). Aside from the sheer length of the investigation, for which the Irish DPC has been criticized in other cases, the fact that the agency determined the scope of its own investigation (and left out a number of related complaints) angered some observers.
The Irish regulator chose to focus entirely on WhatsApp's transparency obligations under the GDPR, overlooking more fundamental complaints about whether the messaging giant has a valid legal basis to process all of the information it collects. Ultimately, the fine was imposed because WhatsApp failed to disclose to users the full extent of the use made of the personal data collected; the regulator took no issue with the means of collection.
The regulator not only checked whether users were properly informed about the extent of sharing between WhatsApp and Facebook, but also how the data from non-users is collected and used. An example of this is the phone numbers that users add to their contact list, which can be supplemented with other personal information.
The GDPR fine wasn’t the only action taken by the regulator. The Irish DPC has also given WhatsApp 90 days to make a number of changes to improve the transparency of its communications for both platform users and non-users who may be affected.
WhatsApp responded to the GDPR fine with a statement claiming it was “completely disproportionate,” denying various details and promising to appeal the decision. The appeal process could potentially take years to settle (especially given the standard pace of the Irish DPC) and WhatsApp will not be responsible for payments until the process is complete.
Criticism of previous GDPR fines by the Irish Data Protection Authority
Schrems, the author of the complaints that led to this decision, said the heavy GDPR fines are “welcome” but the system remains “inoperable”. Different EU data protection authorities took different regulatory approaches during the early years of the GDPR, and Ireland has long been in the spotlight because it is responsible for the EU branches of many of Silicon Valley's biggest names. The Irish DPC has split with other regulators on a number of occasions, both over the length of its investigations and because its proposed GDPR fines tend to be at the bottom of the range. That was true in this instance, as Ireland had originally proposed a fine of only €50 million for WhatsApp. This led to a dispute among the other EU data authorities and was ultimately only settled by a decision of the European Data Protection Board (EDPB). This mirrored the situation with the Irish DPC's only previous GDPR fine, a €450,000 fine on Twitter that other regulators wanted to reach into the millions.
The only higher GDPR fine was the $425 million fine issued to Amazon by the Luxembourg data protection authority. Although these amounts are a relative pittance for large tech companies, well below the GDPR maximums of 2% or 4% of total annual sales, John Magee (director of data protection, privacy and security practice at DLA Piper in Ireland) regards the roughly fivefold increase in the amount of the fine as a positive development: “A noticeable aspect of this procedure was the increase in the amount of the fine from 30 to 50 million euros proposed by the DPC for the first time. The fine underscores the importance of complying with the GDPR rules on transparency in connection with users, non-users and the exchange of data between group units.”
And Cillian Kieran, CEO and Founder of Ethyca, notes that the remedial measures ordered in this case could be a better precedent than the size of the fine: “As with Luxembourg's recently announced fine on Amazon, that fine has another, perhaps more important, component: an arrangement to bring data systems into compliance. A nine-digit fine is a drop in the ocean for WhatsApp and its parent company Facebook. The compliance regulation could prove to be more useful for long-term structural improvements.”