
Irish DPC issues a EUR 225 million fine against WhatsApp


On 2 September 2021, the Irish supervisory authority (Irish DPC) published its final decision to impose a fine of EUR 225 million on WhatsApp Ireland Ltd (WhatsApp). This decision follows a cross-border investigation into WhatsApp’s use of personal data conducted by EU supervisory authorities headed by the Irish DPC in accordance with the one-stop-shop mechanism of the GDPR, and an assessment by the European Data Protection Board (EDPB) in a dispute resolution procedure.

Cross-border investigation and one-stop-shop

The Irish DPC’s investigation, which began in 2018 and focused on WhatsApp’s compliance with its GDPR transparency obligations, initially resulted in the proposed imposition of a smaller penalty (ranging between EUR 30 and 50 million). However, pursuant to the GDPR’s cooperation and consistency mechanism (the so-called one-stop-shop mechanism) and following objections from eight EU supervisory authorities concerned, the EDPB directed the Irish DPC to amend its preliminary decision. The EDPB ordered the Irish DPC to reassess the amount of the fine levied against WhatsApp and shorten the period given to WhatsApp to remedy non-compliance. (Please see our blog for the background of the case, previous procedure and the details on the EDPB binding decision).

Position of the EDPB in dispute resolution procedure

The EDPB commented on the final decision of the Irish DPC and related procedure in a press release issued on 2 September 2021. The press release addresses in detail the conclusions of the EDPB on the material aspects of the investigation into WhatsApp, the shortcomings of the draft decision by the Irish DPC and binding recommendations to amend that decision. Among other things, the EDPB clarified that, while not every infringement of Art. 12-14 GDPR necessarily entails an infringement of the principle of lawfulness, fairness and transparency under Art. 5(1)(a) GDPR, the transparency principle was violated in this particular case. In this respect, the EDPB referred to the gravity of the infringements, their overarching nature and high impact on the rights of individuals.

Calculating the amount of the fine

Importantly, the EDPB binding decision (which is now also published in full) made it clear that – in order for a fine to be effective, proportionate and dissuasive – the consolidated turnover of a parent company (in this case Facebook, Inc.) could be included in the global turnover of an undertaking used to calculate a fine.

Furthermore, the EDPB provided useful guidance on the interpretation of Art. 83(3) GDPR, which states that, when a controller or processor infringes several provisions of the GDPR for the same or linked processing operations, the amount of an administrative fine shall not exceed the amount specified for the gravest infringement. The EDPB explained that all the infringements should be taken into consideration when calculating the amount of the fine in this case. The supervisory authorities must also take into account the proportionality of the fine and respect the maximum fine amount set out by the GDPR.

Final enforcement actions by Irish DPC

In summary, the resulting EUR 225 million fine of the Irish DPC (also the largest it has imposed to date) is broken down as follows:

  • EUR 90 million for breaching the GDPR principle of transparency (Art. 5(1)(a));
  • EUR 30 million for breaching the GDPR obligations to inform data subjects under Art. 12;
  • EUR 30 million for breaching transparency obligations regarding personal data obtained directly from the relevant individuals (Art. 13); and
  • EUR 75 million for breaching transparency obligations regarding personal data that have not been obtained from data subjects (Art. 14).

In addition, WhatsApp has been given three months to bring its processing operations into compliance (half the time granted in the original Irish DPC decision), which will include providing transparency information to relevant users as detailed in the decision of the Irish DPC and summarised in its Appendix C. This short period results partly from the fact that the EDPB found the breaches of Articles 12, 13 and 14 to be severe and considered that compliance with these obligations should be ensured in the shortest time possible.

The Irish DPC has also issued a formal reprimand to WhatsApp to formally identify and recognise the fact of the infringement.

WhatsApp has stated that it will appeal the decision.

The press release by the Irish DPC is available here and the decision in full here (see also a corrigendum to the decision here). The press release of the EDPB is available here and the binding dispute resolution decision here.

This article was written in collaboration with the aosphere Rulefinder Data Privacy team.* Rulefinder Data Privacy is an online legal subscription service which analyses and tracks data privacy obligations globally. Learn more here.

DISCLAIMER: aosphere ceased to be affiliated with Allen & Overy on 8 February 2024 and is no longer part of the Allen & Overy group. aosphere is a separate business that is not regulated by the Solicitors Regulation Authority. A&O does not receive any referral fees from aosphere.
