Earlier today, the Irish Data Protection Commission (DPC) announced a 225 million euro fine against WhatsApp. As many know, WhatsApp is owned by Facebook and this fine was targeted at the transparency of WhatsApp’s processing activities. In some ways, this even mirrors Cambridge Analytica from 2016.
Why This Decision?
GDPR requires that organizations are transparent about how they process the personal data of data subjects. Multiple articles reference this, most notably article 5(1)(a) which states that information must be “processed lawfully, fairly and in a transparent manner in relation to the data subject”. Furthermore, Recital 39 clarifies that transparent means that “information and communication relating to the processing of those personal data be easily accessible and easy to understand…”.
In this case, the DPC made the case that WhatsApp was not providing clear communication on how information was shared with Facebook amongst other concerns. Also notable, WhatsApp may take contact information from a user’s phone. This includes the information of other people who most likely were not given the chance to consent to this collection. If you recall, this is similar to Cambridge Analytica, where individuals who consented to the use of their information, which led to their friends’ information also being collected.
Of course, a fine of 225 million Euros is nothing to sneeze at, however this isn’t the end of this case, or several thousand others. As many have pointed out, this decision will most likely be appealed, which means a few years more before any fines are paid or finalized. Additionally, there are tens of thousands of complaints for the DPC to address still. Max Schrems, who has brought cases against Facebook before, expressed this opinion on Twitter as well (https://twitter.com/maxschrems/status/1433371717125222400).
In all, we will have to wait and see what the outcome is, but get ready for years of appeals.