WhatsApp was slapped with a 225 million euro fine on Thursday after a GDPR investigation conducted by Ireland's Data Privacy Commissioner (DPC) found that the platform was not transparent about how it shared data with its parent company, Facebook.
The investigation started in December 2018 and "examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp's service."
"This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies," the DPC said in a statement.
The DPC initially submitted its decision in December 2020 but faced backlash from eight other EU regulating bodies because the fine was considered too small at just 50 million euros.
The European Data Protection Board decided to force the DPC to increase the proposed fine to 225 million euros by the end of July.
"In addition to the imposition of an administrative fine, the DPC has also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions," the DPC added.
The DPC found that WhatsApp -- which has more than two billion monthly users -- violated Articles 5(1)(a), 12, 13 and 14 of the GDPR by not being transparent about the data it collected from both users and non-users. Regulators took issue with the technical ways WhatsApp processed user data and the way those processes are explained in its privacy policies.
WhatsApp now has three months to make changes to its transparency. The fine is the second-largest ever issued after the 886.6 million euro fine handed down to Amazon in July, but experts said WhatsApp and Facebook will spend years in court fighting the fine before it is ever paid.
WhatsApp called the fine "disproportionate" in a statement and said it is "committed to providing a secure and private service."
Max Schrems, a European privacy expert and chair of non-profit noyb.eu, said in a statement that the fine was a step forward for privacy regulations but criticized the DPC for waiting this long to issue a fine.
"The DPC gets about ten thousand complaints per year since 2018, and this is the first major fine. The DPC also proposed an initial 50 million euro fine and was forced by the other European data protection authorities to move towards 225 million euros, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover. This shows how the DPC is still extremely dysfunctional," Schrems said.
"WhatsApp will surely appeal the decision. In the Irish court system, this means that years will pass before any fine is actually paid. In our cases, we often had the feeling that the DPC is more concerned with headlines than with actually doing the hard groundwork."
Schrems added that noyb has a number of pending cases before the DPC and has closely monitored the Irish DPC situation since 2011. He questioned whether the DPC will fully defend this decision because it was "basically forced to make this decision by its European counterparts."
"I can imagine that the DPC will simply not put many resources on the case or 'settle' with WhatsApp in Ireland. We will monitor this case closely to ensure that the DPC is actually following through with this decision," Schrems explained.
Regulators have long taken issue with Facebook's control over WhatsApp since the social media giant purchased the secure messaging platform in 2014 for $19 billion.
WhatsApp openly says on its website that it provides phone numbers, transaction data, business interactions, mobile device information, IP addresses and other information to Facebook but does not send personal conversations, location data or call logs to its parent company.
WhatsApp has repeatedly been forced to update its privacy policies to reflect the data it shares with Facebook. Last week it also had to make changes to the platform to ensure data protection and consumer rights are observed in Brazil.
Cillian Kieran, a privacy expert and CEO of Ethyca, told ZDNet that a common thread persists: Facebook and its subsidiaries continue to fail to provide the transparency that individuals deserve.
"Within the published decision, EU authorities point out that there are additional substantive complaints to address in WhatsApp's data practices. There is much work still to be done to bring accountability to WhatsApp's practices, beyond this announced fine," Kieran said.
"As with Luxembourg's recently announced fine against Amazon, this fine comes with another, perhaps more important, component: an order to bring data systems into compliance. A nine-figure fine is a drop in the bucket for WhatsApp and its parent, Facebook. For long-term, structural improvements, the compliance order could prove more meaningful."
Niamh Muldoon, global data protection officer at OneLogin, noted that by 2023, 65% of the world's population will have their personal data covered under modern privacy regulations, up from 10% in 2020.
"This problem must be addressed at every level of the organization, including boardroom and executive management teams," Muldoon said.