News, 23.01.2023, 10:30 AM
The Irish Data Protection Commission (DPC) has fined WhatsApp €5.5 million for violating the EU’s General Data Protection Regulation (GDPR) when processing users’ personal data. WhatsApp has been ordered to bring its data processing into line with GDPR within six months, or face a new fine.
On 25 May 2018, the DPC launched an investigation into WhatsApp’s potential breach of the regulation. That same day, WhatsApp updated its Terms of Service, requiring users to agree to the changed terms in order to continue using the app. Failure to accept the revised terms meant that you risked losing access to the application interface.
In a complaint filed with the DPC by a non-profit organization NOYB (“None Of Your Business”), headed by well-known Austrian privacy advocate Max Schrems, alleges that WhatsApp forced users to “consent to the processing of their personal data for the purpose of improving and securing the service” by “making the availability of its services conditional on that users must accept the updated Terms of Service”.
“WhatsApp is not entitled to rely on the legal basis of the contract to provide service and security improvements,” the rating is DPCwhich considers that the data collected so far is in violation of the GDPR.
A €5.5 million fine was imposed on WhatsApp for violating Article 6 of the GDPR on “lawfulness of processing”, which requires transparency, legality and fairness in data protection processes.
In addition, the DPC will launch a new investigation covering all of WhatsApp’s data processing operations to determine whether there are any breaches of Article 9 of the GDPR on the “processing of special categories of personal data”. The Data Protection Agency wants to determine whether WhatsApp collects and processes sensitive data for behavioral advertising and marketing purposes and whether this data is shared with third parties.
WhatsApp plans to appeal the decision, as they believe their app operates in a manner that complies with the law.
The fine comes two weeks after the DPC fined Meta €390 million for using user data to display personalized ads on Facebook and Instagram, giving the company three months to find a valid legal basis for processing personal data for behavioral advertising.
NOYB, for its part, appealed to the European Data Protection Board (EDPB), alleging that the DPC “turned a blind eye to the revenue generated by GDPR violations when calculating its penalty” and that “the DPC’s maneuver saved Meta €4 billion” .
Cover photo: Anton, Pexels
