On September 2, 2021, Ireland’s Data Protection Commission (“DPC”) announced that it would fine WhatsApp Ireland (“WhatsApp”) €225 million ($266 million) for GDPR violations that transparency requirements as set forth in Articles 12-14.

The investigation of WhatsApp began after the DPC received complaints from individuals regarding WhatsApp’s data processing activities and a mutual assistance request from the German Federal Data Protection Authority about WhatsApp’s compliance with EU data protection law.

The investigation focused on whether WhatsApp complied with its transparency obligations under Articles 12-14 of the GDPR, particularly regarding the sharing and processing of personal data by and with other Facebook companies. The DPC found that WhatsApp had failed to provide appropriately clear, transparent, or sufficient information concerning its processing activities as required by Articles 12-14.

The decision reviews the requirements of Article 13 and the corresponding language in the WhatsApp privacy notice to assess whether the notice meets the obligations.

The DPC found, for example, that WhatsApp failed to specify in sufficient detail the legal basis for each processing activity in which WhatsApp engages, as required by Article 13(1)(c) of the GDPR. In another instance, it was found that WhatsApp did not definitively identify whether the transfer of certain categories of data was supported by an adequacy decision, as required by Article 13(1)(f).

The fine imposed in the case represents a more than four-fold increase over that proposed in a draft decision issued by the DPC in December 2020. Because WhatsApp engages in cross-border data processing activities, other relevant supervisory authorities reviewed the DPC's draft decision as mandated by the co-operation and consistency mechanism under Chapter VII of the GDPR. Eight EU regulators objected to the DPC’s draft decision. After the DPC failed to reach a consensus with the objecting regulators, they referred their objections to the European Data Protection Board in accordance with the dispute resolution procedure under Article 65(1)(a) of the GDPR.

In July 2021, the EDPB recommended reassessing the GDPR violations fine, which the DPC cited as the rationale for raising the fine. WhatsApp has indicated that it will appeal the decision.

Ensure compliance with cross-border data processing with our expertise and unlock global operational efficiency for your business by contacting us today.