The Irish Data Protection Commission (DPC), the main regulator in the field of privacy in the European Union (EU), reported Thursday that it has fined WhatsApp Ireland 225 million euros for violating data protection regulations.
This is the largest fine issued by the DPC and the second-highest imposed in the EU bloc, after Luxembourg’s National Commission for Data Protection (CNPD) sanctioned Amazon last July with €746 million.
Both fines are related to non-compliance with European privacy rules contained in the General Data Protection Regulation (GDPR).
The DPC’s investigation into WhatsApp Ireland, which began three years ago, examined whether the messaging app, owned by social network Facebook, acted transparently in informing its users and non-users about compliance with GDPR rules.
In this regard, the Irish commission analyzed whether WhatsApp provided transparent information about its management of users’ private data in this application and in other companies owned by Facebook, whose European operations base is in Dublin.
WhatsApp Ireland issued a statement today declaring that it is not satisfied with the DPC’s decision and calling the fine “wholly disproportionate”, while confirming that it will appeal the ruling.
The Irish commission had already submitted a preliminary decision on this issue to several EU regulators last December, imposing a fine of 50 million euros, but eight of these entities rejected the conclusions and asked for the amount to be raised.
The case was stopped by the European Data Protection Board (EDPB), which ordered the DPC to increase the initial fine.
“In addition to the imposition of an administrative fine, the DPC has included a reprimand together with an order aimed at making WhatsApp bring its processes into compliance by adopting a number of specific corrective measures,” the commission explained in the statement of its judgment.
According to experts, the tech company can appeal to the Irish High Court or to the European Court of Justice, where it will likely challenge the amount of the fine.
According to EU regulations, penalties in the event of non-compliance are a maximum of 20 million euros or up to 4% of the company’s overall turnover in the previous year.