The WhatsApp GDPR fine handed down in September 2021 has recently been a hot topic in the news. WhatsApp, an app that allows people to send text messages for free, has received a $267 million (€225 million) fine from European Union regulators because WhatsApp failed to comply with European General Data Protection Regulation (GDPR) regulations.

Ireland's Data Protection Commission (DPC) handed down the fine following an investigation, which began in December 2018. The investigation itself followed several complaints filed against Facebook properties, including WhatsApp, by Max Schrems, a long-time Facebook (now Meta Platforms, Inc.) privacy critic.

The Schrems complaint against WhatsApp stated that the company used a strategy called "forced consent" in order to continue processing an individuals' personal data. However, the EU law demands that unless consent is strictly necessary to provide a service, users must be given a free choice as to whether they give up personal data or not.

In this article we're going to take a deeper look at what happened here, and help you take practical steps to avoid a similar situation with your own business.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



Some Background

Meta Platforms previously claimed that its main product is social networking and not farming peoples' personal data for advertising purposes.

For its part, the Irish DPC chose to focus on WhatsApp's obligation to remain transparent as per GDPR regulations. It overlooked more basic complaints about the messaging app's legal basis for processing the vast amounts of data it collects.

In fact, the DPC took no issue with how WhatsApp collects data at all.

Instead, the huge financial penalty handed down was based on WhatsApp's failure to disclose the entire range of ways in which it uses the personal information it collects from users.

After the ruling, WhatsApp showed that it clearly was not open to paying the steep penalty imposed by the DPC (the second-largest GDPR fine ever) and is currently appealing the EU privacy watchdog's decision.

In fact, WhatsApp issued a statement covered by Reuters in response to the GDPR fine claiming that the fine was "entirely disproportionate."

With that said, the company followed the decision to appeal by stating that it was willing to amend its privacy policies to conform with EU and UK regulations.

That's precisely what WhatsApp has done. It amended its Privacy Policy, but only for the EU and UK.

It insists, however, that there is no change in its actual service.

"This update does not change the way we operate our service, including how we process, use or share your data with anyone, including our parent company Meta."

According to further WhatsApp statements published by the British Broadcasting Corporation (BBC), the tweaks to its privacy policy are intended to:

"Add additional detail around our existing practices, and will only appear in the European version of the privacy policy, which is already different from the version that applies in the rest of the world."

Additionally, WhatsApp stated that:

"There are no changes to our processes or contractual agreements with users, and users will not be required to agree to anything or to take any action in order to continue using WhatsApp."

The new EU and UK version of WhatsApp's Privacy Policy will include more information about the Meta-owned business, including how it collects and uses customer data and how that information is stored and deleted.

Further details were added to the policy about why WhatsApp uses data from other countries and the legal basis for using that information. WhatsApp also stated that users in the UK and EU will be notified of the latest updates to its privacy policy but won't be required to do anything.

The new policy is effective immediately.

Why the WhatsApp Fine is Significant

Why the WhatsApp Fine is Significant

In addition to the Irish data protection watchdog issuing one of the highest GDPR fines to date, the ruling underscores the importance EU authorities place on an individual's right to privacy and the need for businesses to respect those rights.

For example, underlying the findings of Data Protection Commissioner Helen Dixon were the rights secured under Article 13 of the GDPR.

According to the law, WhatsApp Ireland (the data controller in this case) was required to give WhatsApp users (the data subjects) a clear understanding of how their personal data was used and stored, what categories of information were processed, and why.

According to the Irish DPC, WhatsApp clearly didn't comply with GDPR requirements and, in some cases, severely violated both the spirit and the letter of the law.

WhatsApp's blatant violations of the GDPR and subsequent punishment are a cautionary tale for all companies doing business within the EU and elsewhere as global privacy laws proliferate.

Non-compliance with GDPR regulations can lead to costly penalties for small and large businesses. They were designed to apply to all business types, from multinationals to micro-enterprises.

The GDPR's Article 8 fines are flexible and can be adjusted to suit the company's size. No matter how large the organization, it is subject to significant liability if it fails to comply with GDPR, as can be seen by the penalties faced by WhatsApp.

It's worth noting here that the GDPR clearly states that certain violations are more severe than others.

For less serious violations, the penalty could be as high as €10 million ($11.3 million) or 2% of the company's worldwide revenue for the preceding financial years, whichever is greater.

More serious infractions could lead to a fine up to €20 million ($22.6 million) or 4% of the firm's worldwide annual revenues from the preceding year, whichever is greater.

What WhatsApp's Privacy Policy Was Missing

What WhatsApp's Privacy Policy Was Missing

Essentially, what WhatsApp was missing in its Privacy Policy was transparency. The Irish DPC found the messaging app violated articles 5(1)(a), 12, 13 and 14 of the GDPR.

These regulations require that personal data is processed fairly and transparently. Companies must also state their legitimate interests in collecting data from users. Users must also be informed if a company obtains information about them from other sources as well as how the company processes data, and the categories of data they have obtained.

For instance, this might include uploading the phone numbers of non-users if one user consents to the messaging platform having their contact list.

As TechCrunch wrote, "Transparency is a key principle of the regulation," and WhatsApp clearly failed in that regard. Writing about WhatsApp's privacy infringements and lack of transparency, the publication implied the messaging app's violations weren't a mere oversight but were somewhat more intentional, saying:

"... systematic opacity toward people whose data your adtech empire relies upon to turn a fat profit looks rather more intentional; indeed, it's arguably the whole business model."

Staying Compliant with GDPR Privacy Legislation

Staying Compliant with GDPR Privacy Legislation

There are a few key things that companies need to do in order to comply with the GDPR. First, you must have a Privacy Notice (also called a Privacy Policy) on your website.

This notice should detail exactly what data you're collecting and how you plan to use it.

Here's an example of an introduction section of a standard Privacy Notice that outlines what information the policy will contain. You can see how it works towards increasing transparency and disclosure:

Arts International Bakery Privacy Policy intro clause

Make sure your Privacy Notice is easy for customers to find. It won't count much towards legal compliance and transparency if you aren't transparent about the fact that you have a Privacy Notice in the first place.

Display a link to your Privacy Notice in your website's footer, as well as anywhere where you collect personal information. This includes places such as email newsletter sign-up forms, account registration forms, cookie consent notices, and on checkout pages if you engage in ecommerce.

Here's an example of a Privacy link in a site footer:

Screenshot of the email footer from The Economist with Privacy Policy link highlighted

And here's how you can display a link within a sign-up form:

Matomo sign up for newsletter pop-up with Privacy Policy link highlighted

For more information, check out our article: Where Should I Place My Privacy Policy?

You must also get active consent from customers before collecting or using certain types of data.

Active consent includes having users take some active action to prove they consent/agree, such as checking an "I Agree" checkbox or clicking an "I Accept" or "I Consent" button.

Here's how this looks when implemented:

And finally, you need to ensure that your data security practices meet GDPR requirements.

Complying with the GDPR can seem daunting, but plenty of resources are available to help you get started. We've created a comprehensive guide to GDPR compliance, which we recommend viewing.

With that said, let's briefly go over a few of the highlights right here.

What is a Privacy Notice?

What is a Privacy Notice?

A Privacy Notice is a document that describes how an organization handles personal data. It also explains data protection principles, and must do so in a way that's easy to read and understand. Articles 12, 13, and 14 of GDPR give detailed instructions for creating a Privacy Notice.

The GDPR requires that organizations provide individuals with a Privacy Notice that is:

  • Concise, intelligible, transparent, and easily accessible
  • Written in clear and plain language
  • Provided in a timely manner, and
  • Free of charge

An organization that collects information directly from an individual must include the following information:

  • Contact details and identity of the organization and its representative
  • The legal basis for processing personal information of individuals and the purpose for processing it
  • Where applicable, the legitimate interests of the organization or third party
  • Any recipient of data from an individual or any categories of recipients
  • Details about any transfer of personal information to a third-country and the security measures in place
  • The retention period of time, or criteria used to determine the retention time of data
  • The existence of each data subject's rights
  • The right of users to withhold consent at any moment (where applicable)
  • The right of users to file a complaint with the supervisory authority
  • Whether the provision of personal information is part of a contractual or statutory obligation or requirement and the results of failing to provide the personal information
  • Information about the existence of an automated decision making system including profiling and information about its setup, significance and consequences

Here's an example of a table of contents of a Privacy Policy (Notice) that adresses the relevant information:

Amazon Privacy Notice with table of contents highlighted

If you indirectly obtain your data from another organization, the privacy notice must contain all relevant information, except for the following:

  • Whether the provision of personal information is part of a contractual or statutory requirement or obligation and what consequences if the personal data is not provided

Instead, you must add the categories of any personal data you acquire.

Paragraphs and sentences should be well-structured, with bullets highlighting key points. You should also avoid unnecessary legalistic or technical terminology.

Here's an example of easy to read, good formatting in a Privacy Notice clause:

Amazon UK Privacy Notice: For What Purposes Does Amazon Europe Process Your Personal Information clause excerpt

Summary

WhatsApp has been hit with a financial penalty of $267 million (€225 million) for privacy breaches by the European Union's privacy watchdog, Ireland's Data Privacy Commissioner (DPC).

The DPC began an investigation into WhatsApp's privacy practices following complaints in 2018. It found that WhatsApp was processing data without being fully transparent to users about how their private, personal information is collected, used, stored, and shared.

While WhatsApp's violations appear related to GDPR Article 13, which addresses the issue of transparency and consent, many feel this case seems more focused on ensuring users are aware of what they're signing up for when agreeing to share their personal information.

For private businesses, the WhatsApp fine is a warning designed to ensure that their respective Privacy Policies are up-to-date, accurate, and fully transparent.

Make sure to create a compliant Privacy Policy with all the required information. Display it adequately, and get users to give active consent to it. This will help you immensely with compliance.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy