WhatsApp Fined $400 Million for Breaking E.U. Data Privacy Law
Regulators in Ireland, where many tech giants have their European headquarters, have been criticized for not enforcing Europe’s data-protection law, once heralded as a global standard.,
Facebook’s WhatsApp is fined for breaking the E.U.’s data privacy law.
- Sept. 2, 2021Updated 8:37 a.m. ET
Facebook’s WhatsApp messaging service was fined nearly $270 million by Irish authorities on Thursday for not being transparent about how it uses data collected from people on the service, in a case that represents a big test of Europe’s ability to enforce its landmark data privacy law.
The 265-page decision is the first major ruling against Facebook under the European Union’s far-reaching General Data Protection Regulation, or G.D.P.R., a three-year-old law that many have criticized for not being properly enforced. Irish regulators said WhatsApp was not clear with users about how data was shared with other Facebook properties like its main social network and Instagram.
WhatsApp said it would appeal the decision, setting up what is expected to be a lengthy legal battle.
The G.D.P.R. was heralded as the world’s most comprehensive data privacy law when it was enacted, and championed as a model for the rest of the world to counter the data-hording practices of Facebook, Google and other internet giants. But the law has resulted in few fines or penalties, and many have said it has not fulfilled its promise.
Regulators in Ireland have been at the center of the debate. Under the law, companies must be regulated by the countries where they have their European headquarters. The European offices of Facebook, Google, Twitter, Apple and scores of other companies are based in Ireland because of its low corporate tax rates and other benefits.
But that has put tremendous pressure on Ireland’s Data Protection Commission, an underfunded and much-criticized agency that has been tasked with enforcing a novel and complex data protection law against some of the largest companies in the world.
In July, lawmakers in Ireland’s Parliament issued a scathing report, saying the Irish regulator “fails to adequately protect the fundamental rights of citizens” because of its lack of enforcement.
The challenge of enforcing the G.D.P.R. is being closely watched as European Union officials debate new regulations for other areas of the technology industry, including stricter antitrust and content moderation policies. Critics contend that the G.D.P.R shows that although the European Union has drafted strong digital policies, it has struggled to enacting them well.
The fine of 225 million euros, a fraction of Facebook’s annual profit, was the largest issued by Irish regulators against a tech giant under the law; in December, Ireland fined Twitter 450,000 euros related to a data breach. The ruling said WhatsApp did not meet its “transparency obligations” to clearly disclose how data from users would be used by Facebook for its other services.
The WhatsApp case has generated considerable debate among European Union countries about the appropriate level of enforcement under the region’s data protection rules. Officials in other countries in the 27-nation bloc have criticized Ireland for not acting more quickly against large tech platforms.
Other countries pushed Ireland to increase its initial proposed fine, which had been set at only up to 50 million euros. That sum was raised to 225 million euros after other national regulators used a board created by the law to coordinate enforcement and adjudicate disputes to push for a larger penalty.
Max Schrems, an Austrian lawyer and privacy activist who has filed several complaints with authorities in Ireland against Facebook, welcomed Thursday’s decision but said the fine by the Data Protection Commission was still too small. The G.D.P.R. allows fines of up to 4 percent of global revenue. He said there were scores of other cases waiting to be addressed.
“This shows how the D.P.C. is still extremely dysfunctional,” said Mr. Schrems, who now runs a privacy advocacy group called Noyb.
“WhatsApp is committed to providing a secure and private service,” Joshua Breckman, a spokesman for WhatsApp, said in a statement. “We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”
Other tech companies have also been targeted under G.D.P.R., although critics say the punishments are relatively small and unlikely to result in meaningful changes in behavior.
In July, Amazon was fined nearly 750 million euros for violations related to its advertising practices by Luxembourg’s privacy regulator. In 2019, Google was fined 50 million euros by French authorities for not getting adequate permission from uses for certain online advertising.