4 min read

DPC Fines WhatsApp €225 Million for “Severe” Breaches of EU GDPR

Read more

By Rowena McCormack & Charlotte Burke


Published 07 September 2021


It was announced on the 2nd September that Ireland’s data protection regulator, the Data Protection Commission (“DPC”), has imposed a record €225 million fine on Facebook-owned messaging service app, WhatsApp, for a number of “severe” infringements of the EU GDPR.

The DPC has been designated as “lead supervisory authority” for Facebook and WhatsApp under the EU GDPR’s “one stop shop” principle on the basis that it is headquartered in Ireland and as such, was tasked with investigating the tech giant’s messaging app and its data processing practises.

The DPC’s decision came after a three year investigation which focussed on whether WhatsApp was discharging its EU GDPR transparency obligations with regard to the provision of information to service users. This reflects a growing focus by supervisory authorities on fairness and transparency.

As the matter related to data subjects in a number of EU states, the DPC submitted its preliminary decision on the matter to other concerned EU supervisory authorities in December 2020. The authorities were unable to reach a consensus, with a number rejecting the DPC’s proposed fine of €30 million to €50 million, and as a result, the DPC triggered the European Data Protection Board’s (“EDPB”) dispute resolution process in June 2021.

The EDPB issued its binding decision on 28 July, requiring the DPC to reassess and increase its proposed fine on a number of grounds, resulting in the DPC increasing its proposed fine to €225 million. Interestingly, the EDPB’s decision required the DPC to include WhatsApp’s parent company Facebook’s turnover in the calculation of the fine, in line with European competition law principles that views corporate groups as single undertakings with a combined global turnover (under the EU GDPR, companies can be fined up to 4% of their annual global turnover, or €20 million, whichever is higher). In addition to the fine, WhatsApp is also required to amend its data processing practices within three months.

In response to the news, WhatsApp said the fine was “entirely disproportionate” and that it would be appealing the DPC’s decision. Section 142 of the Data Protection Act 2018 (as amended) provides that an organisation may, within 28 days of notification of a decision to fine it, appeal that decision to the Circuit or High Court. Alternatively, where an organisation chooses not to appeal, the DPC is required, pursuant to section 143 to apply to the Circuit Court to affirm its decision.

If the fine is confirmed, as discussed below, it will be the highest fine to date under the EU GDPR and is several multiples of any fine previously issued by the DPC. The announcement followed months of protracted criticism of the DPC from several quarters that it was a “light touch regulator” and was slow to act against errant organisations. Indeed, in July of this year, the German supervisory authority made a referral to the EDPB, requesting that it issue an urgent binding decision requiring the adoption of measures to protect the rights of WhatsApp users in the EU in circumstances where it claimed the DPC had not taken appropriate action. In what could be seen as vindication for the DPC, the EDPB refused to issue a binding decision, outlining that many of the issues raised by the German regulator were already the subject of an ongoing inquiry by the DPC and that there was “no evidence” that the DPC had failed to co-operate with the German regulator, as alleged. However, it did call on the DPC to act “swiftly” to investigate WhatsApp.

It remains to be seen whether this fine will set a precedent for the DPC in terms of its magnitude, although with over 80 live statutory inquiries including those affecting multinationals Tinder and Google, it is certainly likely that this fine is the first of many large fines against Irish based tech giants. Those global organisations who now find themselves under the supervision of the DPC following Brexit related restructures should follow developments carefully.