Facebook-owned messaging service WhatsApp has again been fined by the Italian antitrust and consumer protection authority (AGCM) for failing to comply with an earlier AGCM order finding WhatsApp’s terms of service in violation of the Italian Consumer Code.
WhatsApp, which was fined €3 million in May 2017 for terms of service that functionally required WhatsApp users to share their personal data with parent company Facebook, was hit with a second fine this week related to the same conduct.
This week’s €50,000 fine was leveled for failure to comply with the May 2017 order. Specifically, the AGCM alleged that the May 2017 order required WhatsApp to publish the content of the May 2017 order on its website and provide Italian WhatsApp users an in-app notification with a link to the order. The AGCM alleged that WhatsApp failed to comply with both of these provisions. In addition to the notification failures, the authority asserted that WhatsApp did not modify its terms of service as required by the May 2017 order. The current fine — the maximum available fine available to the authority for this type of violation — shows the agency’s willingness to continue its pursuit of compliance almost a year after the initial fine was issued. However, the relatively low monetary amount may serve as only a moderate deterrent to future conduct of the same nature.
Nonetheless, the recent experience of WhatsApp in Italy highlights the importance for technology companies (and any company collecting personal information) of complying with privacy laws in each jurisdiction in which they operate and living up to promises made to regulators. For example, in May 2017 Facebook was fined by the European Commission for forcing WhatsApp users to share personal information with Facebook, which was inconsistent with representations made to the Commission during its review of the Facebook-WhatsApp acquisition. WhatsApp was also ordered in 2016 and 2017 to stop sharing user data with Facebook in Germany, France, and the UK. Therefore, the latest Italian fine could be seen as just the latest round of a longstanding and apparently unsettled disagreement pending since 2014.
For other technology companies, Facebook and WhatsApp’s experience may serve as a cautionary tale. Not only does an investigation in one jurisdiction often lead to a spate of follow-on inquiries in other jurisdictions, but the multiplicity of investigations can lead to a thicket of compliance obligations. In this instance, WhatsApp’s alleged failure to take relatively low-burden compliance steps (such as issuing notice on its website) may have led to additional expense, both in terms of money and personnel time, in the form of an investigation.
For many companies, long-term tracking of and compliance with regulatory orders may be routine, but for others, the latest edition in the WhatsApp saga may serve to spur additional action. Particularly in jurisdictions where sanctions for non-compliance with orders are more severe than in Italy, the risks of ongoing sanctions may merit additional in-house attention to the details of earlier orders.