GDPR fines: implications of the WhatsApp decision

The Irish Data Protection Commission (DPC) recently issued its largest ever fine in respect of a breach of the General Data Protection Regulation (GDPR) by WhatsApp. Following an extensive investigation, it concluded that the messaging service, owned by Facebook, had failed to meet the transparency requirements under articles 12–14 of the GDPR. The DPC had initially proposed a fine of €30–50 million but, following a referral of the case to the European Data Protection Board (EDPB), the final figure was set far higher at €225 million.

The investigation, which started back in 2018, relates to failures of WhatsApp to relay information, to both users and non-users, about how it shares and processes personal data. Since the alleged failings related to activities across the EU, other relevant supervisory authorities got involved and objected to the draft DPC decision, resulting in a referral to the EDPB in accordance with the dispute resolution procedure under Article 65(1)(a) of the GDPR. This resulted in a binding EDPB decision on the matter which recommended a substantial increase in the fine.

WhatsApp plans to appeal the fine, stating:

“We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”

GDPR fines: the broader context

The maximum fine under the GDPR is the higher of €20 million or 4 per cent of annual global turnover. Since the revenue of Facebook was almost $86 billion in 2020, even the inflated final figure represented far less than the maximum penalty which could have been issued.

As well as being the Irish DPC’s largest ever issued fine, the €225 million figure also constitutes the second largest ever fiscal penalty issued under the GDPR, only superseded by a decision regarding Amazon. Part of the reason that the EDPB pushed for a larger fine might come down to their history with WhatsApp in their previous incarnation of the Article 29 Working Party.

But although there have been a number of hefty fines (sort the table by amount) issued under the GDPR since it came into effect in 2018, the largest ones have generally been significantly reduced upon appeal. For example, an initial eye watering penalty of £183 million issued by the Information Commissioner’s Office (ICO) against British Airways, after it failed to protect the credit card data of more than 400,000 customers, was later reduced to a relatively paltry sum of £20 million. Similarly, the ICO issued a notice of intention to fine Marriott International £99 million, but this was drastically reduced to £18.4 million.

The largest GDPR fine which has been upheld upon appeal so far is €50 million against Google. This represents a tiny fraction of their $182 billion revenue for 2020.

So although data protection authorities appear to be eager to initially flex their new fiscal muscles under the GDPR, the end result has not been overwhelming thus far. Part of this may be attributable to mitigations relating to Covid-19, but whether higher fines will be successfully applied in future remains to be seen.

Clarifications regarding fines

In reaching its decision, the EDPB made a couple of key clarifications regarding the application of fines under the GDPR:

Parent company. The EDPB stated that, “when a parent company and its subsidiary form the single undertaking that has been found liable for the infringement committed by the subsidiary, the total turnover of its component companies determines the financial capacity of the single undertaking in question.” In this case, that meant that it was the financials of Facebook, as opposed to WhatsApp, which should be taken into account in calculating the fine.
Multiple violations. Where there have been several breaches of the GDPR, they can all be taken into account when calculating a fine; it does not have to be based solely on the gravest infringement. The EDPB said, “while the legal maximum of the fine is set by the gravest infringement with regard to Articles 83(4) and (5) GDPR, other infringements cannot be discarded but have to be taken into account when calculating the fine.”

Aside from these clarifications, the EDPB also decided that the Irish DPC should reduce the time it allowed WhatsApp to amend its practices in order to meet compliance requirements, from six months to three months.

Advice for clients

Overall, the action taken by the EDPB indicates the likelihood that companies which breach the GDPR can expect to receive larger fines, and reduced compliance deadlines, in respect of any data protection infringements.

Although post-Brexit the UK is not bound by EDPB decisions, the UK GDPR essentially reflects the EU GDPR, and the ICO will almost certainly not want to deviate too far from the Continental consensus. There is an additional risk for companies which process the data of both UK and EU citizens, that they could be pursued for any data protection breaches on two fronts, both by the ICO and the relevant EU authorities, potentially resulting in two separate fines.

Lawyers should ensure that their clients are aware of the importance of abiding by all their data protection regulations, in all the jurisdictions in which they operate.

Commenting on the decision, Will Richmond-Coggan, data protection specialist at Freeths LLP, said:

“Lawyers need to make sure their clients engage constructively with regulators at an early stage, and can show that they have taken on board any guidance given. The EDPB will be keen to impose more precedent setting sanctions where controllers give them the opportunity through repeated non-compliance.”

CPD materials

GDPR fines: implications of the WhatsApp decision

GDPR fines: the broader context

Clarifications regarding fines

Advice for clients

Further reading