Last updated on 09 May 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
The WhatsApp GDPR fine handed down in September 2021 has recently been a hot topic in the news. WhatsApp, an app that allows people to send text messages for free, has received a $267 million (€225 million) fine from European Union regulators because it failed to comply with the EU's General Data Protection Regulation (GDPR).
Ireland's Data Protection Commission (DPC) handed down the fine following an investigation, which began in December 2018. The investigation itself followed several complaints filed against Facebook properties, including WhatsApp, by Max Schrems, a long-time Facebook (now Meta Platforms, Inc.) privacy critic.
The Schrems complaint against WhatsApp stated that the company used a strategy called "forced consent" in order to continue processing individuals' personal data. However, EU law demands that unless consent is strictly necessary to provide a service, users must be given a free choice as to whether or not they give up personal data.
In this article we're going to take a deeper look at what happened here, and help you take practical steps to avoid a similar situation with your own business.
Meta Platforms previously claimed that its main product is social networking and not farming people's personal data for advertising purposes.
For its part, the Irish DPC chose to focus on WhatsApp's obligation to remain transparent as per GDPR regulations. It overlooked more basic complaints about the messaging app's legal basis for processing the vast amounts of data it collects.
In fact, the DPC took no issue with how WhatsApp collects data at all.
Instead, the huge financial penalty handed down was based on WhatsApp's failure to disclose the entire range of ways in which it uses the personal information it collects from users.
After the ruling, WhatsApp showed that it clearly was not open to paying the steep penalty imposed by the DPC (the second-largest GDPR fine ever) and is currently appealing the EU privacy watchdog's decision.
In fact, in a statement covered by Reuters, WhatsApp called the GDPR fine "entirely disproportionate."
With that said, the company followed the decision to appeal by stating that it was willing to amend its privacy policies to conform with EU and UK regulations.
It insists, however, that there is no change in its actual service.
"This update does not change the way we operate our service, including how we process, use or share your data with anyone, including our parent company Meta."
Additionally, WhatsApp stated that:
"There are no changes to our processes or contractual agreements with users, and users will not be required to agree to anything or to take any action in order to continue using WhatsApp."
The new policy is effective immediately.
In addition to the Irish data protection watchdog issuing one of the highest GDPR fines to date, the ruling underscores the importance EU authorities place on an individual's right to privacy and the need for businesses to respect those rights.
For example, underlying the findings of Data Protection Commissioner Helen Dixon were the rights secured under Article 13 of the GDPR.
According to the law, WhatsApp Ireland (the data controller in this case) was required to give WhatsApp users (the data subjects) a clear understanding of how their personal data was used and stored, what categories of information were processed, and why.
According to the Irish DPC, WhatsApp clearly didn't comply with GDPR requirements and, in some cases, severely violated both the spirit and the letter of the law.
WhatsApp's blatant violations of the GDPR and subsequent punishment are a cautionary tale for all companies doing business within the EU and elsewhere as global privacy laws proliferate.
Non-compliance with GDPR regulations can lead to costly penalties for small and large businesses alike. The regulations were designed to apply to all business types, from multinationals to micro-enterprises.
The GDPR's Article 8 fines are flexible and can be adjusted to suit the company's size. No matter how large the organization, it is subject to significant liability if it fails to comply with the GDPR, as can be seen from the penalties faced by WhatsApp.
It's worth noting here that the GDPR clearly states that certain violations are more severe than others.
For less serious violations, the penalty could be as high as €10 million ($11.3 million) or 2% of the company's worldwide revenue for the preceding financial year, whichever is greater.
More serious infractions could lead to a fine up to €20 million ($22.6 million) or 4% of the firm's worldwide annual revenues from the preceding year, whichever is greater.
These regulations require that personal data be processed fairly and transparently. Companies must also state their legitimate interests in collecting data from users. Users must also be informed if a company obtains information about them from other sources, how the company processes that data, and which categories of data it has obtained.
For instance, this might include uploading the phone numbers of non-users if one user consents to the messaging platform having their contact list.
As TechCrunch wrote, "Transparency is a key principle of the regulation," and WhatsApp clearly failed in that regard. Writing about WhatsApp's privacy infringements and lack of transparency, the publication implied the messaging app's violations weren't a mere oversight but were somewhat more intentional, saying:
"... systematic opacity toward people whose data your adtech empire relies upon to turn a fat profit looks rather more intentional; indeed, it's arguably the whole business model."
Your Privacy Notice should detail exactly what data you're collecting and how you plan to use it. You must also get explicit consent from customers before collecting or using certain types of data.
And finally, you need to ensure that your data security practices meet GDPR requirements.
Complying with the GDPR can seem daunting, but plenty of resources are available to help you get started. We've created a comprehensive guide to GDPR compliance, which we recommend viewing.
With that said, let's briefly go over a few of the highlights right here.
A Privacy Notice is a document that describes how an organization handles personal data. It also explains data protection principles, and must do so in a way that's easy to read and understand. Articles 12, 13, and 14 of GDPR give detailed instructions for creating a Privacy Notice.
The GDPR requires that organizations provide individuals with a Privacy Notice that is:
An organization that collects information directly from an individual must include the following information:
If you indirectly obtain your data from another organization, the privacy notice must contain all relevant information, except for the following:
Instead, you must add the categories of any personal data you acquire.
Privacy Notices should not contain qualifiers like "may," or "might," or "some," etc. These terms are far too vague.
Writing should be done in the active voice.
Paragraphs and sentences should be well-structured, with bullets highlighting key points. You should also avoid unnecessary legalistic or technical terminology.
WhatsApp has been hit with a financial penalty of $267 million (€225 million) for privacy breaches by the European Union's privacy watchdog, Ireland's Data Protection Commission (DPC).
The DPC began an investigation into WhatsApp's privacy practices following complaints in 2018. It found that WhatsApp was processing data without being fully transparent to users about how their private, personal information is collected, used, stored, and shared.
While WhatsApp's violations relate to GDPR Article 13, which addresses transparency and consent, many feel this case is more focused on ensuring users are aware of what they're signing up for when they agree to share their personal information.
For private businesses, the WhatsApp fine is a warning designed to ensure that their respective Privacy Policies are up-to-date, accurate, and fully transparent.