On September 2, 2021, Ireland’s Data Protection Commission (“DPC”) announced that it would fine WhatsApp Ireland (“WhatsApp”) €225 million ($266 million) for its failure to meet the General Data Protection Regulation’s (“GDPR”) transparency requirements as set forth in Articles 12-14.
The investigation of WhatsApp began after the DPC received complaints from individuals regarding WhatsApp’s data processing activities and a mutual assistance request from the German Federal Data Protection Authority about WhatsApp’s compliance with EU data protection law.
The investigation focused on whether WhatsApp, which was acquired by Facebook in 2014, complied with its transparency obligations under Articles 12-14 of the GDPR, particularly regarding the sharing and processing of personal data by and with other Facebook companies. The DPC found that WhatsApp had failed to provide appropriately clear, transparent, or sufficient information concerning its processing activities as required by Articles 12-14.
The decision reviews the requirements of Article 13 and the corresponding language in the WhatsApp privacy notice to assess whether the notice meets the obligations. The DPC found, for example, that WhatsApp failed to specify in sufficient detail the legal basis for each processing activity in which WhatsApp engages, as required by Article 13(1)(c) of the GDPR. In another instance, WhatsApp was found not to have definitively identified whether or the transfer of certain categories of data was supported by an adequacy decision, a requirement under Article 13(1)(f).
The fine imposed in the case represents a more than four-fold increase over that proposed in a draft decision issued by the DPC in December 2020. Because WhatsApp engages in cross-border data processing activities, the DPC’s draft decision was reviewed by other relevant supervisory authorities as required by the co-operation and consistency mechanism under Chapter VII of the GDPR. Eight EU regulators objected to the DPC’s draft decision. Their objections were referred to the European Data Protection Board in accordance with the dispute resolution procedure under Article 65(1)(a) of the GDPR, after the DPC failed to reach a consensus with the objecting regulators.
The EDPB recommended in July 2021 that the fine be reassessed, and the DPC referred to the decision as the rationale for raising the fine. WhatsApp has indicated that it will appeal the decision.
Companies transferring data out of China for processing should be aware of new guidance issues on June 26 by China’s National Information Security Standardization Technical Committee - the Cybersecurity Standards Specification for the Certification of Cross-Border Processing of Personal Information.