Helen Dixon’s ruling against WhatsApp makes for grim reading. With more than two billion users worldwide, the messaging service is everywhere. Now the Irish data regulator has found serious violations of European privacy laws in the company’s dealings with users. Moreover, the ruling concludes that the rights of an “unquantifiable” number of people who do not use the service were also infringed.
These are grave findings for WhatsApp and owner Facebook, as the regulatory backlash against tech giants, who dominate the world, gathers pace.
The €225 million fine against the company comes more than three years after the EU General Data Protection Regulation took force with the aim of finally putting manners on big tech, as it encroaches into almost all aspects of 21st-century life.
It is the second cross-border sanction to be issued by Dixon since she took on powers in 2018 to oversee the pan-European operations of global multinationals, such as Facebook, that base their EU headquarters in Ireland. Several more investigations are under way, with Facebook in the frame and its subsidiary Instagram, as well as Apple, Google, LinkedIn and Verizon.
Yet this is a slow-grind process. After all, the WhatsApp investigation started in December 2018.
The €225 million fine may have the appearance of a powerful watchdog flexing its muscle. But context is critical. It was only after the intervention of several European regulators that Dixon was directed to increase the penalty from the original €30 million-€50 million. That the final sum is more than four times the maximum she first set points to heated argument with her counterparts, some of whom have questioned whether her office is up to the job.
She has always rejected claims that her office was refusing to regulate big tech or was incapable of doing so, telling an Oireachtas committee in April that critics were indulging in “exaggeration” and “superficial skimming of the surface”.
Still, the WhatsApp row cuts to the heart of the regime put in place under GDPR. With cross-border investigations inevitable in a transnational online world, the system of allowing one European regulator to carry out inquiries for all the others was designed to boost efficiency and reduce the risk of a case in one country becoming caught in the crosshairs of another.
But the burden of this “one-stop-shop” system has fallen disproportionately on Dixon’s office because of the proliferation of big tech investment in Ireland. The upshot is that she acts for all European regulators whenever she issues a ruling.
Hence the push from her German counterpart and others to increase a fine that they considered to be too low. The Germans said the proposed fine did not reflect the seriousness of the infringement in light of the number of people affected, and highlighted the need for the penalty to have a “general preventive” effect.
Moreover, they said the original proposed fine would lead other data controllers to conclude that “even total disrespect” for data laws would not lead to significant fines.
Behind the scenes, however, the row turned on a provision that the total fine in cases where there are several GDPR violations “shall not exceed the amount specified for the gravest infringement”. That was how Dixon saw it, even though the fact that WhatsApp infringed the law on four counts could lead to the assessment that it was facing sanction only for one.
Given prior criticism she has faced, it does not look good for the Irish regulator that she was overruled on this front by the European Data Protection Board, which oversees how GDPR is implemented.
But now the question is ultimately destined for the courts. “We will appeal this decision,” WhatsApp said. Given the company’s deep pockets and the precedent-setting dimension of any GDPR case in what are still early days for the regime, the question could go all the way to the Supreme Court and then the European courts.
As it stands, the €225 million fine on WhatsApp is the largest yet under GDPR. But here, again, context is all. Although the sum is material, Facebook’s main Irish unit had more than €34 billion in revenues in 2019 and a €482 million pretax profit.
The company insists it is committed to providing a secure and private service and works “to ensure the information we provide is transparent and comprehensive”.
Still, such assertions must be measured against the findings of a long investigation. Dixon took issue particularly with the implications of the breaches for nonusers of WhatsApp, who might have imagined that their data had nothing to do with the service. Not so.
“The impact is particularly severe in the case of a nonuser who might be considering joining the service in that he/she is further deprived of the ability to make a fully informed choice,” the ruling said.
“This is because no information whatsoever has been provided to inform the nonuser of the way in which the processing of his/her mobile number, further to the activation of the contact feature by the user whose address book includes the mobile phone number of that nonuser will uniquely and individually impact upon him/her, if he/she decides to join the service.”
Nonusers have no way of knowing – if their phone number has been processed – that their details will appear in the contact list of any users once they join the service.
Now they will know. But whether such findings will make any difference to the onward march of WhatsApp and Facebook is another matter.