WhatsApp fined €5.5 million for GDPR breaches
The Data Protection Commission (DPC) has fined WhatsApp Ireland 鈧5.5 million for breaches of GDPR data-privacy rules relating to its service.
WhatsApp Ireland, which is owned by Meta, has also been told to bring its data-processing operations into compliance within six months.
WhatsApp said that it disagreed with the decision and that it intended to appeal.
The inquiry followed a complaint made in 2018 from a German user of the service.
Legal challenge
The DPC has again, however, rejected a call from the European Data Protection Board (EDPB) to carry out a fresh, wide-ranging investigation into how WhatsApp processes users鈥 personal data.
The European body made a similar call in a case earlier this month involving two other Meta-owned social-media platforms, Facebook and Instagram.
The Irish watchdog has now stated that it will mount legal challenges to both determinations by the EDPB.
The direction from the EDPB came after it stepped in to resolve a dispute between the DPC and other European regulators over aspects of the Irish regulator鈥檚 findings in the WhatsApp case.
鈥楥ontract鈥 legal basis
WhatsApp had changed its terms of service ahead of the introduction of GDPR in 2018.
Having previously relied on the consent of users to the processing of their personal information, WhatsApp sought to rely on the 鈥榗ontract鈥 legal basis for most of its processing operations.
The complainant had argued that, by asking users to accept updated terms of service 鈥 and making the services unavailable if users declined to accept 鈥 WhatsApp was 鈥渇orcing鈥 users to consent to the processing of their personal data for service improvement and security, in breach of GDPR.
WhatsApp had argued that processing users鈥 data was necessary for the performance of the contract entered into when users accepted the revised terms.
Dispute referred to EDPB
The DPC鈥檚 draft decision found that WhatsApp was in breach of its transparency obligations, as information on the legal basis relied on by the tech giant to process data was not clearly outlined to users.
The regulator also decided, however, that GDPR rules did not preclude WhatsApp鈥檚 reliance on the 鈥榗ontract鈥 legal basis.
Six of the 47 CSAs, however, took a different view on the issue of the legal basis for processing data, and the dispute was referred to the European Data Protection Board (EDPB).
The board, while upholding the DPC鈥檚 position on WhatsApp鈥檚 transparency obligations, found that the company was not entitled to rely on the 鈥榗ontract鈥 legal basis as providing a lawful basis for its processing of personal data for the purpose of service improvement and security.
The EDPB determination is reflected in the DPC鈥檚 final decisions and fines.
鈥楶roblematic鈥 call
The board also, however, asked the Irish watchdog to carry out a fresh probe in order to determine if WhatsApp processed data for the purposes of behavioural advertising, for marketing purposes, or for the provision of statistics to third parties, and the exchange of data with affiliated companies
鈥淚t is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation,鈥 the commission said, adding that the board鈥檚 call was 鈥減roblematic in jurisdictional terms鈥.
The DPC is to bring an action for annulment before the Court of Justice of the EU, in order to seek the setting aside of the EDPB鈥檚 directions.