The Irish Data Protection Commission has issued its highly anticipated final decision in relation to its three-year investigation into WhatsApp’s compliance with the transparency obligations imposed by the GDPR. It has been widely reported today that Facebook has commenced judicial review proceedings against the DPC in respect of the matter.

Background

The Data Protection Commission (DPC) began an investigation into WhatsApp’s compliance with its transparency obligations under the GDPR in 2018. WhatsApp was acquired by Facebook in 2014. The DPC’s investigation focused primarily on whether WhatsApp had provided enough information about its data processing activities and whether its privacy policies were sufficiently clear to both users and non-users of the app. In particular, the investigation looked at the transparency surrounding WhatsApp’s data sharing with Facebook.

The DPC’s draft decision in 2020, which included an administrative fine in the range of €30-50 million, was circulated to the other data protection supervisory authorities in the EU, which was in accordance with the co-decision-making process under Article 60 of the GDPR. Eight of the supervisory authorities raised objections to the draft decision – particularly the level of the fine proposed by the DPC. Because a consensus was not reached between the relevant supervisory authorities and the DPC, the dispute resolution process under Article 65 of the GDPR was triggered.

The EDPB Decision

In a binding decision in July of this year, the European Data Protection Board (EDPB) instructed the DPC to increase the fine. The EDPB considered that the DPC’s proposed fine would not reflect the seriousness or severity of the infringements and nor would it have a dissuasive effect on WhatsApp. The EDPB’s instruction to increase the amount of the administrative fine was influenced by additional infringements that were identified by other supervisory authorities.

The DPC Decision

The DPC’s investigation concluded that WhatsApp had failed to comply with its transparency obligations under the GDPR in respect of both users and non-users of the app, including its transparency obligations in the context of the sharing of personal data between WhatsApp and Facebook. The DPC found that WhatsApp had breached Articles 12, 13 and 14 of the GDPR. According to the DPC, its decision took into account the “extremely high” number of data subjects affected and the “very serious” infringements of the GDPR.

In its decision, the DPC, acting as the lead supervisory authority for WhatsApp in the EU, imposed an administrative fine of €225 million. This is the highest fine ever imposed by the DPC and the second-highest fine ever imposed by a data protection supervisory authority in the EU (the Luxembourg authority imposed a €746 million fine against Amazon earlier this year). The DPC has also issued a reprimand to WhatsApp and, significantly, an order for the company to bring its data processing activities into compliance with the GDPR by taking a number of specified remedial actions.

Appeal?

WhatsApp can appeal the amount of the administrative fine to the (Irish) High Court within 28 days of the date of the DPC’s decision. It has been reported that WhatsApp plans to appeal.

Lessons

The DPC’s decision serves as an important reminder to organisations to ensure that their data processing activities comply with the fundamental principle of transparency under the GDPR, especially in the context of personal data sharing between group companies. It also highlights the importance of considering non-users of apps such as WhatsApp: if the contact details of non-users can be accessed and processed, then those non-users also have information rights in relation to the data processing pursuant to Article 14 of the GDPR.

The DPC’s decision can be accessed here.