The much-anticipated EU GDPR enforcement from the Data Protection Commission in Ireland against WhatsApp has arrived. The DPC has issued a €225 million fine against the messaging platform for violations of GDPR transparency principles over its data-sharing plans with Facebook and Instagram. The DPC issued the following Press Release and Decision pursuant to Section 111 of the Data Protection Act, 2018 and Articles 60 and 65 of the GDPR.
The fine ends a lengthy case that began in 2018 and required an Article 65 dispute resolution procedure via the European Data Protection Board. The EDPB has also published a Press Release and Binding Decision on the basis of Art. 65 GDPR on the draft decision by the Irish DPC.
In a statement from noyb, Max Schrems welcomed the first decision by the DPC. However, "the DPC gets about ten thousand complaints per year since 2018 and this is the first major fine. The DPC also proposed an initial € 50 million fine and was forced by the other European data protection authorities to move towards € 225 million, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover. This shows how the DPC is still extremely dysfunctional."
The IAPP has published a full account of the penalty and the road that led to it.
WhatsApp intends to appeal.