Data protection commissioner Helen Dixon has imposed a record €225 million fine on WhatsApp for “severe” breaches of privacy laws – but only after European regulators directed her to radically increase the penalty.
The sanction on the messaging service, owned by Facebook, is Ms Dixon’s largest in a major privacy case since she took on pan-European powers in 2018 to enforce the EU’s new privacy regime.
“It is appropriate to classify the infringements . . . as being severe in gravity,” Ms Dixon said.
The general data protection regulation (GDPR) has been cast as a game changer in the drive to control how big tech companies use consumers’ personal data.
Criticising WhatsApp for a “very significant information deficit” among four violations of the GDPR, Ms Dixon said the company provided only 41 per cent of the prescribed information to users of its service and none to non-users. “All four infringements are in my view very serious in nature,” she said in a 266-page ruling.
“They go to the heart of the general principle of transparency and the fundamental right of the individual to protection of his/her personal data which stems from the free will and autonomy of the individual to share his/her personal data in a voluntary situation such as this.”
The impact was “particularly severe” on non-users of WhatsApp, who were denied the right to exercise control over their personal data.
The fine will go to the Exchequer ultimately, although it is subject to a looming court challenge from WhatsApp. The investigation started in 2018.
The breaches affected an “extremely high” number of people, but the published ruling was redacted to obscure the estimated number.
Ms Dixon had proposed a €30 million to €50 million fine. WhatsApp’s Irish unit, which set aside €77.5 million in 2019 to meet the potential cost of investigations, said in company filings the penalty could be in a €35 million-€105 million range.
But eight data regulators in EU countries rejected her proposed fine, leading to a dispute resolution process at the European Data Protection Board (EDPB), which oversees the GDPR. Last month the board directed Ms Dixon to increase the penalty.
“This decision contained a clear instruction that required the [Irish data protection commission] to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision and following this reassessment the DPC has imposed a fine of €225 million on WhatsApp,” her office said.
WhatsApp has disputed the fine, arguing it is out of step with previous GDPR penalties. “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision,” the company said.
“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so.”
Ms Dixon also imposed a reprimand on the company and an order to bring its processing into compliance by taking a range of specified remedial actions.
The GDPR was the biggest overhaul of privacy laws since the 1990s, handing Ms Dixon sweeping powers to oversee scores of multinational tech groups such as Facebook that base their European headquarters in Ireland.
The regime was designed to increase public scrutiny of companies that collate private data from billions of users, an increasing priority for political leaders given the proliferation of online devices and services in everyday life.
But Ms Dixon has faced public criticism for a lack of rulings in big tech cases since the GDPR took force in May 2018. The largest previous fine she imposed was a €450,000 sanction late last year on Twitter, the first cross-border penalty under the new regime.
German federal data regulator Ulrich Kelber claimed in February that her office was overwhelmed by the task, likening Ireland’s approach to regulating Facebook to Germany’s go-slow stance on diesel emissions fraud in its car industry. Such complaints were rejected outright by Ms Dixon.
She faced objections to her earlier draft ruling on WhatsApp not only from Germany’s national regulator and the regional Baden-Wurttemberg data authority but also from national regulators in Hungary, the Netherlands, Poland, France, Italy and Portugal.
The German, French and Portuguese regulators disputed Ms Dixon’s citation of a GDPR rule that says a total fine in cases where there are several violations “shall not exceed the amount specified for the gravest infringement”.
The German data regulator said the original envisaged fine would lead other groups “to conclude that even total disrespect [for] data protection laws would not lead to significant administrative fines”.
“The objections collectively identified various concerns that the approach proposed would ‘limit the maximum possible amount of the total fine in a disproportionate way’, hamper the ‘imposition of dissuasive fines’ or ‘largely amputate’ the high level of sanctions provided for by the GDPR,” Ms Dixon’s document said.