WhatsApp has been fined €225m following a long and drawn out investigation into whether it had provided the necessary data protection information to users under the EU General Data Protection Regulation (GDPR).
The fine, along with a slap on the wrist [PDF], has been imposed by the Data Protection Commission (DPC), the national independent authority in Ireland responsible for personal data protection in the EU.
It's reported to be the heftiest fine ever issued by the DPC and the second-largest handed out under EU data protection laws. It's also small change for WhatsApp's parent Facebook, which made a $30bn profit in its latest financial year. The fine is about one per cent of the social network's annual net income.
WhatsApp, however, has already said it intends to appeal the decision and believes the fine is "entirely disproportionate."
In a statement, a spokesperson for the company told The Reg: "WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so.
We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision
"We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision."
In what has proved to be a highly technical ruling dating back to 2018, the DPC said the case examined whether WhatsApp has "discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp's service. This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies."
As well as the fine, the DPC has also ordered WhatsApp to take "a range of specified remedial actions" which some sources claim could make privacy policies even less user friendly.
If nothing else, WhatsApp is not alone. In July, Amazon said that an EU privacy watchdog had issued an $885m fine for failing to comply with data privacy rules.
While in 2020, the DPC fined Twitter €450,000 after ruling a bug in the firm's Android app that allowed users' private messages to be publicly viewed had infringed GDPR. ®