The Data Protection Commission (DPC) officially revealed the results of an investigation into the processing carried out by WhatsApp Ireland Limited in connection with the delivery of its WhatsApp service.
WhatsApp has been fined €5.5 million as a result of the investigation for breaches of the GDPR relating to its service.
Additionally, they have been instructed to comply with regulations by bringing its data processing operations within six months.
Reports stated that the conclusion was issued as a result of a German citizen’s 2018 complaint against WhatsApp after the messaging app requested users to click “agree and continue” to confirm their approval of the revised Terms of Service prior to 25 May 2018, the date the GDPR took effect.
According to the complaint, WhatsApp was trying to use users’ consent as a lawful basis for processing their data, and by making access to its services dependent on users accepting the updated Terms of Service.
“WhatsApp Ireland was in fact “forcing” them to consent to the processing of their personal data for service improvement and security. The complainant argued that this was in breach of the GDPR”, the DPC said in a statement.
WhatsApp Fined For Privacy Law Violations
Reports mention that users were not given a clear explanation of the legal basis WhatsApp Ireland was using, in violation of its transparency obligations.
As a result, users were not adequately informed about the processing operations being carried out on their personal data, and the purposes for which they were being used.
“Imposed a very substantial fine of €225 million on WhatsApp Ireland for breaches of this and other transparency obligations over the same period of time”, reports DPC.
Finally, the DPC’s decision includes findings that WhatsApp Ireland is not permitted to rely on the contract legal basis for the delivery of service improvement and security for the WhatsApp service (other than what the EDPB refers to as “IT security”), and that its processing of this data up to this point, in purported reliance on the contract legal basis, is unlawful.
“In terms of sanctions, and in light of this additional infringement of the GDPR, the DPC has imposed an administrative fine of €5.5 million on WhatsApp Ireland and ordered that WhatsApp Ireland must bring its processing operations into compliance with the GDPR within a period of 6 months”, according to DPC.
Additionally, according to the DPC, who took the EDPB’s perspective into consideration, WhatsApp is not permitted to rely on the contract legal basis to deliver service improvement and security for the WhatsApp service, and that it’s the processing of this data up to this point in purported reliance on the contract legal basis constitutes a violation of the GDPR.
Notably, earlier this month, the DPC fined Meta a combined €390 million ($414 million) sum for GDPR violations and directed the social media group to “bring its data processing operations into compliance within a period of 3 months.”
Network Security Checklist – Download Free E-Book