The Data Protection Commission (DPC) has fined WhatsApp Ireland an additional €5.5 million over breaches of Europe’s data protection framework and substantively revised its original ruling under instruction from Europe’s overarching privacy regulator.
On Thursday, the DPC – Meta and its platforms’ main supervisory authority in Europe – announced it has adopted a binding dispute resolution of the European Data Protection Board (EDPB). The board found that contrary to the DPC’s original 2021 ruling, WhatsApp is not entitled to rely on the legal basis it currently uses to justify data collection within the European Union.
Having initially fined the social media messaging platform €225 million for various related breaches of GDPR, the DPC also on Thursday announced a new €5.5 million fine for an additional breach.
Meta, which owns WhatsApp, on average made $320 million (€296 million) per day in 2021.
It is the third and final in a series of decisions related to Meta platforms that the DPC has been required to revise under instruction from the EDPB.
In all three cases, the DPC has said it will appeal certain elements of the board’s decisions to the Courts of Justice of the European Union.
A spokeswoman for Meta said: “WhatsApp has led the industry on private messaging by providing end-to-end encryption and layers of privacy that protect people. We strongly believe that the way the service operates is both technically and legally compliant. We rely upon contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service. We disagree with the decision and we intend to appeal.”
Thursday’s announcement comes just more than a month after the EDPB informed the Irish regulator that it had adopted three binding dispute resolution decisions concerning Meta Platforms Ireland. Those decisions related to a number of draft findings that the Irish regulator had issued to Meta’s Facebook, Instagram and WhatsApp platforms in 2021 and 2022 on foot of complaints made by Austrian privacy campaigner Max Schrems. He argued that Meta used “forced consent” to process personal data, specifically in relation to its terms of services.
But in all three cases, the DPC upheld the legal justification the social media giant uses to collect user data. Meta’s argument was that it collects user data in order to perform a contract with its users to provide them with advertising that is tailored to their tastes and interests.
A number of other European data regulators disagreed with the DPC and the matter was referred to the EDPB for resolution. The European body delivered its findings to the regulator before Christmas.
The revision also meant that the DPC was required to fine fine Facebook and Instagram €210 million and €180 million respectively, up from between €23 million and €36 million.
Meta is also now required to bring its data collection processes into alignment with GDPR within six months.
The DPC confirmed on Thursday that it will take the EDPB to the Courts of Justice of the European Union, seeking an annulment of one of its directions in relation to all three Meta rulings.
As in the case of the Facebook and Instagram rulings, the DPC said the board had “purported to direct” it to “to conduct a fresh investigation that would span all of WhatsApp Ireland’s processing operations”.
It said this direction is “problematic in a jurisdictional terms” because it is not open to the board “to instruct and direct an authority to engage in open-ended and speculative investigation”. As such, the Irish supervisory will appeal this element of the ruling, given that it “may involve an overreach on the part of the EDPB”.