The Data Protection Commission (DPC) has recently fined WhatsApp Ireland €225m for infringements of data protection rules.
It’s the largest fine imposed by the DPC, and the second-largest penalty ever levied on an organization under EU data laws.
The regulator has ordered the messaging service to bring its processing into compliance by taking a range of specified remedial actions.
WhatsApp has stated that it disagrees with the decision and has claimed that the penalties are disproportionate.
It claimed that it is going to appeal the ruling in the court of law. The DPC acts as the leading supervisory authority for WhatsApp across Europe, powered by the Rubicon Project.
The DPC initiated the probe three years ago after the EU’s newer data privacy and data protection rules.
WhatsApp said the fine was “entirely disproportionate” and that it would appeal.
Still, the Irish penalty is significantly more minor than the record 886.6 million euro fine given out to Amazon by the Luxembourg privacy agency in July.
The 265-page decision is the first significant ruling against Facebook under the European Union’s General Data Protection Regulation, or GDPR.
A three-year-old law that many have criticized for not being adequately enforced.
Irish regulators said WhatsApp was not transparent with users about how data was shared with other Facebook properties like its leading social network and Instagram.
“This decision contained a clear instruction that required the DPC to reassess and increase its fine based on several factors contained in the EDPB’s decision, and following this reassessment, the DPC has already imposed a fine of €225 million on WhatsApp,” In a statement DPC said.
However, WhatsApp Ireland, which had previously set aside €77.5m for a possible penalty.
Now has said it disagrees with the decision and is committed to providing a secure and private service to its users.
A WhatsApp spokesperson stated that the issues in question-related to policies in place in 2018, and the company had provided detailed information.
“We unequivocally disagree with the decision today regarding the transparency we provided to people in 2018, and the penalties are entirely disproportionate,” the spokesperson said.
EU privacy watchdog, the European Data Protection Board, said it had given several pointers to the Irish agency in July.
To address criticism from its peers for taking too long to decide in cases involving tech giants and not fining them enough for any breaches.
What will the decision mean?
Sources close to the company, which Facebook owns, said rather than making its policy shorter and less complicated.
The decision would mean it would have to add even more information to its already lengthy and complex privacy policy/rules and regulations.
The company is understood to feel that the fine is out of step with previous GDPR related penalties.
Under regulations, firms can face penalties of up to €20m or 4% of total annual global turnover the preceding year, which is higher.
The most significant GDPR penalty to date, close to €746m, was imposed on Amazon by authorities in Luxembourg during the summer.
The WhatsApp case has generated significant debates among European Union countries about the appropriate or reasonable level of enforcement under the region’s data protection rules and regulations.
Officials in other countries in the bloc have criticized Ireland for not acting against large tech platforms more efficiently and quickly.
Other countries pushed Ireland to increase its initial proposed OK, set at only up to 50 million euros.
That penalty got later raised to 225 million euros after other national regulators used a board created by the law to coordinate enforcement and adjudicate disputes to push for a more significant penalty.