Ireland’s data protection authority has fined WhatsApp Ireland €5.5 million for breaches of the GDPR relating to its service and told it comply with data processing laws within six months.
Why Ireland? The Irish Data Protection Commissioner (DPC) is the head regulator for several of the US tech giants, and this is because they have sited their operations in the European Union member state – with its Silicon Valley friendly 12.5 percent corporate tax rate.
Yesterday’s ruling followed a 2018 complaint made by a German citizen about WhatsApp after it asked users to click “agree and continue” to indicate their acceptance of the updated Terms of Service in advance of 25 May 2018, when the GDPR came into operation.
The complainant claimed WhatsApp was seeking to rely on consent to provide a lawful basis for its processing of users’ data and that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, the company was “forcing” the users to consent to such processing, in breach of the GDPR.
The fine meted out to the Meta-owned company resulted from a drawn-out process between Ireland’s data protection authorities (DPC) and various EU data protection bodies. Finally, the European Data Protection Board ruled, mostly with the DPC original decision.
Taking the EDPB view into account, the DPC ruled that WhatsApp is not entitled to rely on the contract legal basis for the delivery of service improvement and security for the WhatsApp service and that its processing of this data to-date, in purported reliance on the contract legal basis, amounts to a contravention of the GDPR.
The fine may be chicken feed to WhatsApp’s owner, Meta, which also own that prime social media real estate Facebook. Nonetheless, it shows European data protection authorities’ continuing ferocity in pursuing data protection action. Earlier this month, the DPC fined Meta a combined €390 million ($414 million) sum for GDPR violations and directed the social media group to “bring its data processing operations into compliance within a period of 3 months.”
It said the social media platform’s terms of service could do little to help it comply with transparency requirements under European law. In court documents, the DPC said such statement “demonstrate an oversupply of very high level, generalized information at the expense of a more concise and meaningful delivery of the essential information necessary for the data subject to understand the processing being undertaken and to exercise his/her rights in a meaningful way.” ®
Tensions between Ireland and Euro watchdog
Some of the wording of the announcement yesterday points to a growing gap between the DPC and the EDPB. The Irish authorities also noted that, separately, the EDPB was trying to “direct the DPC to conduct a fresh investigation that would span all of ‘WhatsApp IE’s processing operations'” – basically, to look into whether any of them contravene several different GDPR articles.
The Irish watchdog barked that it “is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation” and said it would “bring an action for annulment before the Court of Justice of the European Union in order to seek the setting aside of the EDPB’s direction.”
The EDPB has previously reportedly “helped” the DPC with tips on fending off criticism from “peers for taking too long to decide in cases involving tech giants and for not fining them enough for any breaches,” which went down like a cup of cold sick.