What was WhatsApp fined for?

WhatsApp, the popular messaging app owned by Meta (formerly Facebook), was recently fined €225 million by the Irish Data Protection Commission (DPC) for violations of the European Union’s General Data Protection Regulation (GDPR). The fine stems from an investigation into how WhatsApp shares user data with other Meta companies like Facebook.

What is the GDPR?

The GDPR is a regulation that went into effect in 2018 to strengthen data protection and privacy rights for individuals within the European Union. It requires companies to be more transparent about how they collect, use, and share personal data. Under the GDPR, companies must have a lawful basis for processing personal data and get affirmative consent from users before collecting or sharing their data. The regulation gives EU citizens more control over their personal data and imposes strict fines for violations.

What did WhatsApp do to violate the GDPR?

In 2021, WhatsApp updated its terms of service and privacy policy to allow it to share more user data with Facebook and other Meta companies. This included sharing data like a user’s phone number, transaction data, IP address, and information about how they interact with others on WhatsApp. The update sparked backlash among users concerned about broader data sharing with Facebook.

In investigating the updated policy, the Irish DPC determined that WhatsApp had not provided enough transparency to users about how their data would be shared across Meta companies. WhatsApp also did not have a lawful basis under the GDPR to process user data in this way, nor did it obtain valid user consent. By moving forward with the policy change anyway, WhatsApp violated core GDPR principles of transparency, data minimization, purpose limitation, and lawful data processing.

What user data was impacted?

The Irish DPC estimated that data belonging to approximately 287 million WhatsApp users in the European Region could potentially be impacted by the privacy policy update. This includes users both inside and outside the EU. User data that could be shared includes:

  • Phone numbers
  • Usernames
  • Profile names and photos
  • Status messages
  • IP addresses
  • Transactions and payments data
  • Activity and interactions on WhatsApp

While the policy change impacted all WhatsApp users, the Irish DPC only has jurisdiction over EU citizens. However, the broad scope demonstrates the vast amount of data sharing that WhatsApp intended across Meta’s platforms.

Why was the fine issued by Ireland?

WhatsApp’s parent company Meta is headquartered in Ireland for its European operations. Under the GDPR, companies must have an EU-based representative that oversees data protection. For many tech companies like Meta, this representative is based in Ireland.

Because Meta’s EU representative is based in Ireland, the Irish DPC serves as the “lead supervisory authority” overseeing GDPR compliance. So when GDPR violations occur, the Irish DPC is responsible for conducting investigations and issuing fines. While other EU regulators provided input on the WhatsApp decision, the Irish DPC had ultimate authority to enforce the GDPR in this case.

How much was the fine?

The Irish DPC issued a fine of €225 million against WhatsApp for the privacy policy violations. This is one of the largest fines ever issued under the GDPR. For reference, other major GDPR fines include:

| Company | Fine |
|---|---|
| Amazon | €746 million |
| Meta (previous Cambridge Analytica scandal) | €405 million |
| Google (for advertising tracking) | €150 million |

The €225 million fine represents approximately 1.1% of Meta’s $27.7 billion revenue in 2021. So while it is a sizable fine, critics argue it is still just a fraction of Meta’s earnings.

How did WhatsApp respond?

A WhatsApp spokesperson said the company disagrees with the decision but will accept the fine. They stated:

“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue doing so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”

WhatsApp also claimed the fine was based on an outdated technicality, as the policy update was halted following user backlash and never fully implemented. However, the Irish DPC maintained that the lack of transparency around data sharing still constituted a violation.

Will WhatsApp change its data handling practices?

In response to the investigation, WhatsApp has put its updated policy changes on hold. It also made changes to how it handles EU user data to better comply with GDPR requirements. This includes:

  • Not processing EU user data for business intelligence or advertising purposes
  • Minimizing the sharing of EU user data with other Meta companies unless necessary
  • Appointing a Data Protection Officer and formalizing its GDPR compliance program

However, WhatsApp has maintained that some data sharing with Facebook is required for business purposes like fighting spam and abuse. It plans to better communicate these practices to users going forward.

Does this set a precedent for tech company data practices?

The WhatsApp fine sets an important precedent in enforcing transparency and consent requirements under the GDPR. It demonstrates that simply notifying users of policy changes is not enough – affirmative consent is required. This suggests tech companies may need to reevaluate how they obtain user consent, even if consent is bundled into long terms of service agreements.

The Irish DPC and other EU regulators indicated they will continue monitoring how tech companies share data across their platforms. The GDPR gives regulators more teeth to hold companies accountable, even global giants like Meta. Other companies may now feel increased pressure to evaluate their own data sharing practices for GDPR compliance.

Conclusion

The €225 million fine against WhatsApp highlights the increased scrutiny tech companies face under Europe’s strict data protection laws. While WhatsApp maintains its policy update never went into effect, regulators asserted that the lack of valid user consent still constituted an illegal violation of privacy. Going forward, the decision will push WhatsApp and other companies to be more transparent in how they handle user data and obtain meaningful consent from consumers. As EU regulators continue flexing their powers under the GDPR, tech companies will need to take privacy and compliance increasingly seriously.