As Europe tightens its grip on antitrust regulations, many tech companies are beginning to reckon with the costly awakening. Apple, Google, Amazon and Microsoft have all had a foretaste of what the future will look like in Europe where there is no room for privacy and competition violations.
Europe is making a statement as it prepares to rein in on the excesses of tech companies, forcing them to understand its antitrust language. WhatsApp is the latest example of the bloc’s new approach to antitrust cases. The messenger app has been fined €225m by Ireland’s data watchdog for breaching privacy regulations.
The Dublin-based Data Protection Commission (DPC) announced the decision on Thursday after a three-year investigation into the messaging app, ordering WhatsApp to remedy its policies to protect personal data.
It is the largest fine ever from the Irish DPC, and the second-highest under EU GDPR rules.
The watchdog said WhatsApp had committed “severe” and “serious” infringements of the general data protection regulation (GDPR), a landmark rule on transparency that became enforceable in 2018.
“This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies,” it said in a statement.
WhatsApp’s parent company Facebook, has its EU headquarters in Ireland, and the Irish regulator is the lead authority for the tech giant in Europe. WhatsApp said it disagrees with the decision, calling it “entirely disproportionate” and said it plans to appeal.
Per Guardian, in the 266-page ruling the commissioner, Dixon said the company provided only 41% of prescribed information to users of its service. Non-users – whose messages sent on other apps could be forwarded to the platform by WhatsApp users – got no information, denying them the right to control their personal data.
Four “very serious” infringements violated the core of GDPR, said Dixon. “They go to the heart of the general principle of transparency and the fundamental right of the individual to protection of his/her personal data which stems from the free will and autonomy of the individual to share his/her personal data in a voluntary situation such as this.”
The violations affected an “extremely high” number of people, said the watchdog.
In response to the ruling, WhatsApp said in a statement it “is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”
The fine relates to an investigation which began in 2018, about whether WhatsApp had been transparent enough about how it handles information. The issues involved were highly technical, including whether WhatsApp supplied enough information to users about how their data was processed and if its privacy policies were clear enough.
GDPR rules allow for mammoth fines of up to 4% of the offending company’s global turnover. Earlier fine proposed by Dixon when she finished her investigation into WhatsApp last year was much lower, ranging from €30 to €50m.
The Irish DPC said it had submitted its decision to other national data authorities, as required under GDPR, “following a lengthy and comprehensive investigation”, and received objections from eight countries, including Germany, France, and Italy. Eight data regulators in other EU countries rejected that.
The issue was referred to the European Data Protection Board (EDPB), which oversees the GDPR. It made a binding ruling in July, asked the Irish DPC to tweak its finding, “reassess” its proposed fine of €30-50m and amend its decision “by setting out a higher fine amount”.
“This decision contained a clear instruction that required the [Irish data protection commission] to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision and following this reassessment the DPC has imposed a fine of €225m on WhatsApp,” Dixon’s office said.
“In addition to the imposition of an administrative fine, the DPC has also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.”
While many have been critical about the efficacy of the DPC’s probes, the reviewed fine has been widely acceptable.
This “shows how the DPC is still extremely dysfunctional”, privacy campaigner Max Schrems said, welcoming the decision.
“The DPC gets about 10,000 complaints per year since 2018 – and this is the first major fine,” he said.
And because of WhatsApp’s planned appeal, “in the Irish court system, this will mean that we will see years before any fine is actually paid”.
Amazon is the only company that has been fined more for breaking GDPR rules. In July, Luxembourg’s regulator fined the e-commerce giant €746m for what it said was non-compliance with data-processing laws.
WhatsApp, unlike many other social media apps, doesn’t sell ads, limiting its use of consumers’ data. Being fined €225m for misuse of data means there is no sacred cow in GDPR’s push to protect private data in Europe.