WhatsApp fined 5.5 million euros for violating the GDPR

There Irish Data Protection Commission – Data Protection Commission (DPC) – fined WhatsApp for 5.5 million euros. The new fine imposed on a company of the Meta group comes for the violation of the GDPR, the General Data Protection Regulation. WhatsApp was also ordered to return its data processing to compliance territory within six months.

The fine, as the DPC itself explainsis the conclusion of an investigation born after a complaint from a German subject (noyb) of 25 May 2018, date of entry into force of the GDPR. In advance of that event, WhatsApp updated its terms of service, informing users intending to continue to have access to the service after the introduction of the GDPR that they should click on “Accept and continue” to accept the new terms, otherwise the inability to use the service.

WhatsApp believed that Your acceptance of the updated terms created a contract between WhatsApp and you, and that the data processing for product improvement and service safety purposes was “included” in that consent. The complainant argued to the contrary and that the company was actually trying to rely on consent to provide a legal basis for processing user data.

In practice, by subjecting the accessibility of its services to users’ acceptance of the updated Terms of Service, WhatsApp was effectively “forcing” users to consent to the processing of their personal data for the improvement and safety of the service. The complainant argued that this violated the GDPR.

After the investigation, the DPC he noticed a lack of transparency on the processing of personal data, but considering that it had already imposed a very substantial fine of €225 million on WhatsApp for breach of this and other transparency obligations, it had not proposed the imposition of any further fines or corrective measures. However, after a difference of views on some points with their peers in the European area, the case landed on the table of the European Data Protection Board (EDPB).

On 5 December 2022, the EDPB rejected a series of objections raised by European bodies and accepted the position of the DPC, subject only to the inclusion of a further violation. On January 12, the DPC adopted the binding decision of the EDPB and concluded that WhatsApp has no right to enforce the legal basis of the contract for the delivery of service improvements and security. In light of the further infringement, the DPC imposed an administrative fine of 5.5 million euros.

Whatsapp, already intending to appeal, said through a spokesperson: “We strongly believe that the way the service operates is technically and legally compliant.”