Meta has been fined €5.5m by the Data Privacy Commissioner (DPC) in Ireland over the way it uses user data for service improvements in its messaging platform WhatsApp. This is an additional breach of the European Union’s privacy laws and follows a similar order issues by the regulator to Meta for its other platforms Facebook and Instagram. One analyst told Tech Monitor it comes amid increasing disagreement between the Irish regulator and its European counterparts.
The company has been ordered to reassess how it targets advertising through the use of personal data and to further examine the legal basis behind the techniques it uses. WhatsApp disputes the claims and says it will appeal as it believes the way its services operate is technically and legally compliant with EU privacy laws.
As part of the action from DPC, WhatsApp was also ordered to ensure its data processing operations were fully compliant with Europe’s General Data Protection Regulation (GDPR) within six months or face further action. Ireland’s data watchdog acts as the lead EU regulator for Big Tech companies due to the number of them which have their EU headquarters in the country.
The regulator described the penalty as “administrative” and is low in comparison to some of the other recent sanctions against Meta and its services. The draft version of the ruling suggested there wouldn’t be a fine for these breaches, but it appears the decision to apply the sanctions came after a review by the European Data Protection Board (EDPB).
The fine was the result of a complaint from a user over the way WhatsApp asked them to agree to accept updated terms of service when GDPR first came into effect in May 2018. It informed users that if they wanted to use the app they had no choice but to agree to the updated terms. This, they argued, amounted to WhatsApp forcing them to consent to their personal data being processed for service improvement and security which runs counter to GDPR.
WhatsApp fine: regulators airing ‘dirty laundry’
The original complaint was rejected by the DPC but the regulator did find Meta was in breach of obligations related to transparency. In the draft report it had no intention of fining WhatsApp on the transparency charge due to other fines against Meta for similar breaches. This including a “major” €225m fine in September 2021 related to the same breach in May 2018.
Originally DPC argued that GDPR did not stop WhatsApp from relying on the provision within the contract for service improvements and security features but other data watchdogs within the EU disagreed with the ruling, referring it for review by the EDPB – which ruled against the DPC, finding there was evidence of a breach.
DPC accepted the resolution made by the review board, leading to the most recent fine. However, the board also told the DPC to carry out a new investigation into the wider WhatsApp processing operation to ensure it was fully compliant with GDPR but the regulator says this may amount to “overreach” and plans to bring an action for annulment to the Court of Justice in the hope of stopping the investigation.
“These repeated disagreements between the Irish regulator and its EU counterparts are particularly unhelpful,” said Nigel Jones, co-founder of the Privacy Compliance Hub, which helps companies navigate data law requirements. “The announcements from the DPC increasingly look like the regulators are airing their dirty washing in public. They don’t help those companies seeking certainty on how to comply with the GDPR,”
So far Meta has been fined a total of €1.3bn by the Irish regulator with 10 other inquiries open into its services, including the disputed review of WhatsApp data processing efforts.