WhatsApp fined record $267M over breach of European data protection rules

WhatsApp on Thursday was fined roughly $267 million by Ireland’s privacy watchdog due to alleged violations of the European Union’s data privacy rules, the largest penalty issued yet by the group since the strict 2018 regulations took effect. 

The Data Protection Commission (DPC) said in a statement that it had concluded its investigation into WhatsApp’s privacy practices, which it first launched in December 2018.

The commission found that the platform violated EU data transparency rules about sharing user data with fellow Facebook-owned companies. 

The DPC’s investigation specifically focused on whether Facebook followed requirements under the EU’s General Data Protection Regulation (GDPR) rules by making clear to users how their data was being used by WhatsApp and other Facebook companies. 

The commission said that a draft of the decision had been sent to European regulators in December 2020. This past July, the European Data Protection Board (EDPB) ordered the DPC to reassess the decision to increase an initially proposed fine of $59 million to $267 million. 

The fine marks the largest penalty from the regulatory body under the EU’s GDPR rules, and is only the second one issued to date. The watchdog issued a fine against Twitter last year for roughly $534,000 over a security breach. 

The penalty is also the second largest issued among all EU privacy regulators, following Luxembourg’s roughly $886 million fine against Amazon in July over alleged data privacy violations, according to The Associated Press. 

In response to the fine, a WhatsApp spokesperson said in a statement shared with The Hill that its leaders “disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate,” adding that the company planned to appeal the decision. 

“WhatsApp is committed to providing a secure and private service,” the spokesperson added. “We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so.”  

In July, the European Consumer Organization (BEUC), a consumer network based in Brussels, along with eight of its members, filed a complaint against WhatsApp over a privacy policy update, arguing that the platform had been “intrusive” about pushing users to accept the changes. 

BEUC Director General Monique Goyens said in a statement at the time, “WhatsApp has been bombarding users for months with aggressive and persistent pop-up messages to force them to accept its new terms of use and privacy policy.” 

“They’ve been telling users that their access to their app will be cut off if they do not accept the new terms,” Goyens added. “Yet consumers don’t know what they’re actually accepting.”