The Irish Data Protection Commission (DPC) has hit WhatsApp Ireland with a record fine of €225 million for infringement of data protection rules.
The fine is the second largest imposed on any organization for infringing the European data protection laws that came into effect in 2018, Rte.ie reports.
The fine follows a three-year investigation that centered on determining whether the messaging platform had met its obligations under the General Data Protection Regulation (GDPR).
WhatsApp’s role in providing information and the transparency of the specific information to both users and non-users of the company’s service was the main basis of the probe.
The investigation was concluded in December last year and submitted to EU regulators for further direction as demanded by the GDPR.
Interestingly, only eight of the 40 EU authorities disagreed with the DPC’s conclusion on the matter alongside the regulator’s proposed fine of €50m.
Due to a lack of consensus, the DPC forwarded the case to the European Data Protection Board (EDPB), where the agency was compelled to enforce the ruling at the end of July.
“This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision and following this reassessment the DPC has imposed a fine of €225 million on WhatsApp,” the DPC said in a statement.
WhatsApp is also required to bring its processing into compliance by taking a range of specific actions.
WhatsApp anticipated fine
In response, WhatsApp has disagreed with the ruling, although the company had set aside €77.5 million in anticipation of a possible fine.
“We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision,” said a WhatsApp spokesperson.
However, sources close to the company indicated that, rather than making its policy shorter and less complicated, the ruling possibly means that it would have to add information to its privacy policy.
Since the enactment of the GDPR, Amazon (AMZN) has received the most significant penalty, at €746 million, from authorities in Luxembourg.
Elsewhere, in 2019, Google was fined €50m by the French data protection authority over a lack of transparency.
Besides the WhatsApp fine, the DPC is investigating other leading tech firms, including Facebook, Apple, Instagram, Google, and Twitter.