The Irish Data Protection Commission (DPC) has fined WhatsApp Ireland €5.5 million ($5.95m) after confirming that the messaging service violated the General Data Protection Regulation (GDPR).
The authority has ordered WhatsApp to bring its data processing operations into compliance within six months, or it faces a new fine.
On May 25, 2018, the DPC initiated an inquiry into a potential violation of the regulation by WhatsApp following a complaint from a German data subject.
On that same day, WhatsApp updated its Terms of Service and prompted all EU-based users to accept the changes by clicking to keep accessing the app’s main interface.
Ignored user consent
The complaint submitted to the DPC contended that WhatsApp forced users to accept the changes by making acceptance a condition of continuing to use the software. Hence, users had to consent to the processing of their personal data just to open the app.
This violates Article 7 recital 32 of the GDPR, which requires that user consent be given freely, and on a specific, informed, and unambiguous basis, without pressure, influence, or elements that introduce imbalance in the data subject’s decision.
Following a comprehensive investigation, the DPC concluded the following:
WhatsApp Ireland did not clearly outline the legal basis or the explicit reasons for the requested user data processing, which violates Articles 12 and 13 of the GDPR.
WhatsApp Ireland has not violated Article 7 due to forced consent because it did not rely on user consent to deliver its service, nor did it use consent as a lawful basis for processing personal user data.
The first point will not incur additional penalties because the DPC has already served hefty fines to WhatsApp for the same reasons.
“The DPC, having already imposed a very substantial fine of €225 million on WhatsApp Ireland for breaches of this and other transparency obligations over the same period of time, did not propose the imposition of any further fine or corrective measures, having done so already in a previous inquiry,” reads the rationale of the decision.
As for the second point, the DPC’s rejection of the German data subject’s allegations doesn’t end the case, as the German Supervisory Authority will now also review the complaint.
The fine of €5.5 million on WhatsApp Ireland is imposed due to a violation of Article 6 of the GDPR on “lawfulness of processing,” which requires transparency, lawfulness, and fairness in data protection processes.
Additionally, the DPC will launch a new investigation covering all of WhatsApp’s processing operations in its service to determine if there are violations of Article 9 of the GDPR on “processing of special categories of personal data.”
The data protection agency wants to determine whether WhatsApp collects and processes sensitive data for behavioral advertising and marketing purposes and whether this data is also shared with any third parties.
WhatsApp informed BleepingComputer that it is planning to appeal the decision, as it believes its service is operating in a legally compliant manner. Below is the full comment received from a WhatsApp spokesperson regarding the DPC’s decision:
WhatsApp has led the industry in private messaging by providing end-to-end encryption and layers of privacy that protect people. We strongly believe that the way the service operates is both technically and legally compliant.
We rely upon the contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service. We disagree with the decision and we intend to appeal.