Irish data watchdog clashes with regulators over proposed WhatsApp fine
Helen Dixon’s European counterparts argue proposed fine of up to €50m is too small
Data Protection Commissioner Helen Dixon will soon enter talks with counterparts over WhatsApp’s breaches of GDPR. Photograph: Dado Ruvic/Reuters
The Data Protection Commissioner has clashed with several of her European counterparts after they objected to her proposal to impose a fine of up to €50 million on WhatsApp for violating privacy laws.
The row between Helen Dixon and regulators in other countries is the second dispute over a major privacy case since she took on pan-EU powers to investigate data breaches by big technology firms based in Ireland, whose websites and apps are used by hundreds of millions in Europe.
A similar dispute arose last year before Ms Dixon fined Twitter €450,000, which was the first cross-border fine under Europe’s General Data Protection Regulation (GDPR) regime.
Ms Dixon will soon enter talks with counterparts over WhatsApp’s breaches of GDPR, which came into force in 2018 and was billed as a game changer in the drive to control private data use by businesses.
WhatsApp is a messaging service owned by Facebook, which has its European headquarters in Dublin. Some European regulators argue that Ms Dixon’s proposed fine of between €30 million and €50 million on WhatsApp would be too small.
Companies Office filings show that WhatsApp’s Irish unit set aside €77.5 million in 2019 to meet the potential cost of fines arising from Ms Dixon’s investigations, saying fines could be between €35 million and €105 million.
The objectors to Ms Dixon’s draft decision on WhatsApp include the German regulator, who criticised her privacy investigations in a letter circulated to members of a European Parliament committee in March.
The commissioner’s spokesman declined to comment on the WhatsApp fine or the objections, but acknowledged that a dispute remains unresolved.
“We shared our draft decision with all the other EU data protection authorities in accordance with the provisions of article 60 of the GDPR. We received a number of objections,” he said.
“We spent some time trying to resolve those objections but haven’t been able to resolve all of the objections. We have informed the European Data Protection Board that we will be triggering article 65 of the GDPR, which is the dispute resolution mechanism.”
The European board, which oversees how the GDPR is applied, comprises national data regulators in member states.
The case is the second of several closely watched cross-border investigations by the Irish data watchdog, who has been criticised by privacy campaigners for long delays in big privacy cases.
At an Oireachtas committee last week, Ms Dixon rejected claims that her office was refusing to regulate big tech or was incapable of doing so. She accused critics of “superficial skimming of the surface” and “exaggeration”.