The Irish DPC fined WhatsApp €5.5M for violating GDPR

The Irish Data Protection Commission (DPC) fined Meta’s WhatsApp €5.5 million for violating data protection laws.

The popular messaging app WhatsApp has been fined €5.5m by the Irish Data Protection Commission (DPC) for violating the General Data Protection Regulation (GDPR).

The DPC has given six months to the Meta-owned company to bring its data processing operations in compliance with the privacy regulation.

“The Data Protection Commission (“DPC”) has today announced the conclusion of an inquiry into the processing carried out by WhatsApp Ireland Limited (“WhatsApp Ireland”) in connection with the delivery of its WhatsApp service, in which it has fined WhatsApp Ireland €5.5 million (for breaches of the GDPR relating to its service).” reads the DPC’s announcement. “WhatsApp Ireland has also been directed to bring its data processing operations into compliance within a period of six months.”

On May 2018, ahead of the adoption of the GDPR, WhatsApp updated the Terms of Service imposing users to agree to the revised terms in order to continue using the messaging app.

The inquiry concerned a complaint filed by the non-profit organization NOYB – European Center for Digital Rights on 25 May, 2018.

The Irish regulator pointed out that by making the accessibility of its services conditional on users accepting the updated Terms of Service, WhatsApp Ireland forced them to consent to the processing of their personal data. The company claimed that the updates aimed at improving the security end the service, but it clearly breached the GDPR.

The company was not transparent about what processing operations were being carried out on the users personal data. According to the DPC, the lack of transparency contravened Articles 12 and 13(1)(c) of the GDPR. 

“The final decision adopted by the DPC on 12 January 2023 reflects the EDPB’s binding determination, as set out above.” continues the announcement. “Accordingly, the DPC’s decision includes findings that WhatsApp Ireland is not entitled to rely on the contract legal basis for the delivery of service improvement and security (excluding what the EDPB terms as “IT security”) for the WhatsApp service, and that its processing of this data to-date, in purported reliance on the contract legal basis, amounts to a contravention of Article 6(1) of the GDPR.”

WhatsApp announced that it will appeal the fine.

“We strongly believe that the way the service operates is both technically and legally compliant,” a WhatsApp spokesperson said. “We rely upon contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service.”

In a post published by NOYB, the organization claims that WhatsApp doesn’t encrypt metadata and share it with Facebook and Instagram, which use this information to customize ads.

The organization pointed out that metadata can be used to acquire knowledge of the communication behaviour of users,  including who communicates with whom and when, who uses the app when, for how long and how often.

“While the communication itself is encrypted, the phone numbers and associated Facebook or Instagram accounts of people are collected. Such information can then be used to personalize ads for users on other Meta platforms like Facebook and Instagram. The DPC seems to have refused to investigate this core matter of the complaints.” reads the post published by Noyb.

The bad news is that the DPC doesn’t plan to open an investigation whether WhatsApp processes user metadata for advertising.

“WhatsApp says it’s encrypted, but this is only true for the content of chats – not the metadata. WhatsApp still knows who you chat with most and at what time. This allows Meta to get a very close understanding of the social fabric around you.” explained NOYB founder, Max Schrems. “Meta uses this information to, for example, target ads that friends were already interested in. It seems the DPC has now simply refused to decide on this matter, despite 4.5 years of investigations.”

Early this year, the Data Protection Commission (DPC) concluded two inquiries into the data processing operations of Meta Platforms Ireland Limited (“Meta Ireland”) over the delivery of its Facebook and Instagram services.

DPC fined Meta Platforms a total of €390 million (roughly $414 million).

The inquiries were related to Facebook and Instagram services; one complaint was made by an Austrian data subject and was related to the data processing operations of Facebook, and the second one was made by a Belgian data subject in relation to Instagram.

Both complaints were made on the date on which the GDPR came into operation, on 25 May 2018.

In advance of 25 May 2018, Meta Ireland had changed the Terms of Service for its Facebook and Instagram services.

The DPC has now imposed fines of more than €1.3bn on Meta, Instagram and WhatsApp.

November 2022 – Irish data protection commission (DPC) fined Meta $414 million for not protecting Facebook’s users’ data from scraping.

September 2022 – The Irish Data Protection Commission has fined Instagram €405 million for violations of the General Data Protection Regulation.

September 2021 – The Irish Data Protection Commission has fined WhatsApp €225 million over data sharing transparency for European Union users’ data with Facebook.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Facebook)

[adrotate banner=”5″]

[adrotate banner=”13″]