Ireland fined Facebook’s WhatsApp a record 225 million euro ($266m) on Thursday for privacy breaches after the EU privacy watchdog pressured the country to take a tougher line with a bigger penalty.
WhatsApp said the fine was “entirely disproportionate” and that it would appeal. Still, the Irish fine is significantly less than the record $886.6m fine meted out to Amazon by the Luxembourg privacy agency in July.
Ireland’s Data Privacy Commissioner (DPC), which is the lead data privacy regulator for Facebook within the European Union, said the issues related to whether WhatsApp conformed in 2018 with EU data rules about transparency.
“This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies,” the Irish regulator said in a statement.
A WhatsApp spokesperson said in a statement that the issues in question related to policies in place in 2018.
“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” the spokesperson said.
“We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate,” the spokesperson’s statement said.
EU privacy watchdog the European Data Protection Board said it had given several pointers to the Irish agency in July in order to address criticism from its peers for taking too long to decide in cases involving tech giants and for not fining them enough for any breaches.
It said a WhatsApp fine should take into account Facebook’s turnover and that the company should be given three months instead of six months to comply.
Data regulators from eight other European countries triggered a dispute-resolution mechanism after Ireland shared its provisional decision in relation to the WhatsApp inquiry, which started in December 2018.
In July, a meeting of the European Data Protection Board issued a “clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained”, the Irish regulator said.
“Following this reassessment, the DPC has imposed a fine of 225 million euros on WhatsApp,” it said.
The Irish regulator also reprimanded and ordered WhatsApp to bring its processing into compliance by taking “a range of specified remedial actions”.
The Irish regulator had 14 major inquiries into Facebook and its subsidiaries WhatsApp and Instagram open as of the end of last year.
Austrian privacy campaigner Max Schrems, who has taken on Facebook in several privacy cases, said he would monitor the company’s appeal closely.
“It is to be expected that this case will now be before the Irish Courts for years and it will be interesting if the DPC is actively defending this decision before the Courts, as it was forced to make such a decision by its EU colleagues at the EDPB,” he said.