Updates to our Terms of Use

We are updating our Terms of Use. Please carefully review the updated Terms before proceeding to our website.

Thursday, March 28, 2024 | Back issues
Courthouse News Service Courthouse News Service

EU privacy breach lands WhatsApp with big fine

The increased fine against the Facebook-owned messaging service is over four times bigger than the one initially levied in Ireland.

(CN) — WhatsApp must pay a $266 million fine after trampling the European Union's data-privacy directives.

Handed down Thursday by Ireland's Data Protection Commission, the smack marks the latest in a string of fines and legal actions against big American tech giants in Europe. In recent years, the EU has stepped up efforts to rein in the power of tech giants and protect European citizens from having their online lives exploited without their consent.

WhatsApp, which has been a Facebook subsidiary since 2014, is accused here of not providing enough information to users of its online messaging service about what it does with the personal data it collects from them and how it also shares that data with other Facebook services.

Because WhatsApp's European headquarters are based in Dublin, it was up to Irish regulators to investigate complaints against WhatsApp. Tech giants like Ireland because of its low corporate taxes and lax regulatory regime. Critics accuse Ireland of acting like a tax haven within the EU and not doing enough to go after abusive behavior by tech companies.

The EU privacy rules called the General Data Protection Regulation went into effect in May 2018. Ireland's Data Protection Commission opened an investigation of WhatsApp in December of that year. When it eventually proposed a fine of up to 50 million euros (about $59 million), however, eight other data-protection authorities in the EU objected. Come July 2021, the European Data Protection Board ordered Ireland to instead levy a fine of 225 million euros (about $266 million). Its ruling says the magnitude of the fine is meant to deter others from violating the EU's privacy rules.

On Thursday, the Irish regulator did just that.

The European Data Protection Board said the massive fine was appropriate considering the huge number of WhatsApp users: some 326 million people in the EU alone, out of the 2 billion people who use WhatsApp around the globe.

Under EU data-protection laws, companies face fines of up to 4% of their global revenues. In this case, regulators based the hefty fine on the combined turnover of both Facebook and WhatsApp. In 2019, Facebook reported total revenues of $70.7 billion. Thursday's fine amounts to less than 1% of Facebook's profits.

Still, this is the biggest fine ever imposed by Irish regulators over alleged data protection violations and the second largest ever against a tech company.

WhatsApp blasted the fine as “disproportionate” and said it will appeal.

“We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate,” the company said in a statement.

It said it provides “a secure and private service” through WhatsApp and that it has “worked to ensure the information we provide is transparent and comprehensive and will continue to do so.”

WhatsApp says its free messaging service includes end-to-end encryption that ensures privacy and that users' contacts are not shared with Facebook.

Since 2018, when the GDPR rules began to be enforced, WhatsApp has updated its privacy statements to users. With this decision, the company was ordered to provide even more privacy details to users.

This is the second huge fine levied this year against American tech giants over data protection breaches. In July, Amazon, the online retail giant, revealed in financial disclosures that regulators in Luxembourg imposed a whopping 746 million euro (about $885 million) fine on it. Details about the case were not disclosed and remain unclear.

Up to now, fines have been relatively minor for data-protection breaches. For example, in 2019 Google was fined about $56 million for not providing adequate information on its data consent policies. Last year, the company lost an appeal against that fine.

Privacy Affairs, a nonprofit based in Romania, reports that GDPR fines amount to about 1.3 billion euros (about $1.5 billion). Meanwhile, European regulators are going after big tech companies in other areas too, such as on antitrust grounds, though with mixed results.

Max Schrems, a privacy activist who runs the Vienna-based group NOYB — short for “none of your business” — welcomed the fine but worried that Ireland's Data Protection Commission, or DPC, may back down during appeals before Irish courts and settle for a lower amount.

“In the Irish court system this means that years will pass before any fine is actually paid,” Schrems said in a statement. “It will be very interesting to see if the DPC will actually defend this decision fully, as it was basically forced to make this decision by its European counterparts.”

Courthouse News reporter Cain Burdeau is based in the European Union. Follow him on Twitter.

Follow @cainburdeau
Categories / Business, Civil Rights, Consumers, International, Technology

Subscribe to Closing Arguments

Sign up for new weekly newsletter Closing Arguments to get the latest about ongoing trials, major litigation and hot cases and rulings in courthouses around the U.S. and the world.

Loading...