WhatsApp has issued legal proceedings aimed at setting aside the €225 million fine it was recently handed by the Data Protection Commission (DPC).
Commissioner Helen Dixon earlier this month imposed a record €225 million fine on the company for "severe" breaches of privacy laws. This was the largest penalty ever handed down by her office and the second-highest under the European Union's general data protection regulation (GDPR) rules.
As well as imposing the fine, the DPC ordered WhatsApp to bring its data processing operation into compliance with GDPR requirements.
Facebook, which owns WhatsApp, had said it intended to appeal the ruling, claiming the penalties were disproportionate. A case was initiated in the High Court on Wednesday. WhatsApp claims the DPC's decision is unconstitutional and incompatible with the European Convention on Human Rights (ECHR).
Represented by Declan McGrath SC, WhatsApp claims that the decision, which it made under sections of the 2018 Data Protection Act, is flawed and should be set aside in its entirety.
The imposition of a fine of the magnitude of €225 million, WhatsApp claims, constitutes the imposition of a criminal sanction.
The size of the fine constitutes an interference with WhatsApp’s constitutional property rights, it claims. WhatsApp further alleges that its rights to fair procedures have been breached.
The 2018 Act does not provide for a full rehearing or a right of appeal in respect of all the DPC’s findings against it. The limited appeal process contained in the 2018 Act only allows the company to challenge the administrative fine, it is claimed.
WhatsApp claims that sections of the 2018 Act also breach Article 6 of the ECHR, which states that everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal established by law.
WhatsApp claims that the DPC, which made the decision to open the investigation into WhatsApp, does not constitute an independent and impartial tribunal.
Counsel said that separately to this action, his client has also lodged a statutory appeal before the Irish courts against the DPC’s decision.
WhatsApp also intends to challenge the European Data Protection Board instruction to the Court of Justice for the European Union.
In its judicial review proceedings against the DPC, Ireland and the Attorney General, WhatsApp seeks an order quashing the decision of August 20th last to fine the company. It also seeks declarations from the court, including those certain provisions of the 2018 Data Protection Act, are invalid and unconstitutional, and are incompatible with the State’s obligations under the European Convention on Human Rights.
The judicial review proceedings were mentioned before Ms Justice Leonie Reynolds at Thursday’s vacation sitting of the High Court.The judge directed that the application for leave to bring the challenge be made in the presence of the respondents.
The respondents may wish to make submissions on whether leave should be granted in this case, the Judge said.
The matter was adjourned to a date in October when the new legal term commences.
As The Irish Times reported earlier this week, WhatsApp had expected a heavier fine than it received. The company’s Irish subsidiary increased provisions for liabilities to €246.2 million last year, up from €77.5 million in 2019, as it awaited a decision by the commission.
WhatsApp’s Irish unit estimated it would receive fines of between €245 million and €250 million, according to company accounts recently lodged in Dublin.
Ms Dixon had initially proposed a €30 million-€50 million fine on the company, which was challenged by other regulators. WhatsApp, meanwhile, originally estimated that the penalty it would receive would be in the €35 million-€105 million range.
WhatsApp established an Irish subsidiary in 2017. Its key role is acting as the data controller for European users of the WhatsApp service, and for the provision of services to other group entities.
Facebook acquired WhatsApp in a $19-billion deal in 2014, when the messaging platform had just 14 employees and 420 million monthly users. It now has more than two billion active users.
Separately, the DPC earlier this week confirmed it has launched two separate investigations into the video-driven social media platform TikTok. It said it is examining TikTok’s compliance with Europe’s GDPR requirements in its processing of children’s personal data.
The commission is also looking at the issue of transfers of data to China, where TikTok's parent ByteDance is based, to see if they comply with the obligations set down by EU data protection law.