Ireland watchdog fines WhatsApp record sum for flouting EU privacy rules

アイルランド’s data privacy watchdog has slapped WhatsApp with a record €225m (£193m) fine for violating EU data protection rules.

The Dublin-based Data Protection Commission (DPC) announced the decision on Thursday after a three-year investigation into the messaging app, which is owned by Facebook. It ordered WhatsApp to remedy its behaviour to protect privacy.

WhatsApp called the fine “entirely disproportionate” and said it would appeal.

It is the biggest fine imposed by the DPC, which has pan-European powers, and the second biggest levied against a tech company under EU laws.

The watchdog said WhatsApp had committed “severe” and “serious” infringements of the general data protection regulation (GDPR), a landmark rule on transparency that became enforceable in 2018.

“This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies,” it said in a statement.

の中に 266-page ruling the commissioner, Helen Dixon, said the company provided only 41% of prescribed information to users of its service.

Four “very serious” infringements violated the core of GDPR, said Dixon. “They go to the heart of the general principle of transparency and the fundamental right of the individual to protection of his/her personal data which stems from the free will and autonomy of the individual to share his/her personal data in a voluntary situation such as this.”

The violations affected an “extremely high” number of people, said the watchdog.

WhatsApp, which was bought by Facebook in 2014, contested the ruling. “WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”

The messaging app is used by a quarter of the world’s population. Since Facebook’s takeover digital rights advocates have accused Mark Zuckerberg of breaking a promise to respect the data privacy of WhatsApp users.

The DPC is the lead data privacy regulator in the EU for Facebook and other big tech firms that have their European headquarters in アイルランド. Last year it had 14 major inquiries into Facebook, WhatsApp and Instagram, which is also owned by Facebook.

Some other European watchdogs have alleged that the Irish agency is under-resourced, slow and weak when it comes to punishing privacy breaches, accusations Dixon has rejected.

The record fine does not necessarily indicate sharper teeth in Dublin. When Dixon finished her investigation into WhatsApp last year she proposed a much more modest fine reportedly ranging from €30 to €50m.

Eight data regulators in other EU countries rejected that. The issue was referred to the European Data Protection Board (EDPB), which oversees the GDPR. It made a binding ruling in July, which the Irish watchdog must now enforce.

“This decision contained a clear instruction that required the [Irish data protection commission] to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision and following this reassessment the DPC has imposed a fine of €225m on WhatsApp,” Dixon’s office said.

“In addition to the imposition of an administrative fine, the DPC has also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.”