The Irish Data Protection Commission (DPC) has fined WhatsApp 5.5 million euros ($5.9 million) for GDPR violations.
In addition to the fine, WhatsApp Ireland was instructed to comply with data processing practices within six months.
The lawsuit demonstrates that there has been significant disagreement among European data protection authorities over the scope of WhatsApp’s liability.
This penalty is related to the update of WhatsApp’s terms of service on May 25, 2018, when the EU’s GDPR took effect. This will allow existing and new users to continue to access the WhatsApp service after the introduction of the new regulations.[同意して続行]I was informed that I had to click to indicate my acceptance of the updated Terms of Service.
WhatsApp Ireland considered that acceptance of the new Terms of Service constitutes a contract and the processing of your data in connection with the provision of its services is necessary for the performance of that contract. This included provisions for service improvements and security features deemed legitimate under Article 6(1)(b) of the GDPR.
However, privacy advocate Max Schrems argued that WhatsApp forced users to consent to the processing of their data by making accessibility to the service contingent on agreeing to its updated terms of service.
After an investigation, the Irish DPC concluded that WhatsApp violated its GDPR transparency obligations. This is because users “did not have sufficient clarity as to what processing operations were being carried out on their personal data”.
It has already fined the company a “very large” €225 million ($266 million) for violating this and other transparency obligations in the same period, and the fines for this fine have been revised. did not propose.
The DPC disagreed with the “compulsory consent” aspect of the complaint. WhatsApp Ireland has determined that it does not need to rely on your consent as providing the legal basis for processing your personal data.
The agency then concluded that the GDPR did not preclude WhatsApp’s reliance on its claim that acceptance of the new terms of service constitutes a contract. This is because the premise of WhatsApp is to provide services including service improvement and security.
However, six of the 47 Concerned Supervisory Authorities (CSAs) to whom the Irish DPC has submitted a draft decision pursuant to the GDPR disagreed with this aspect of the judgment.
Unable to reach consensus, the DPC referred the disputed matter to the European Data Protection Board (EDPB), which did not agree with the DPC on the contract as a matter of legal basis. This resulted in him being fined 5.5 million euros in administrative fines against WhatsApp.
In its statement, the DPC clarified its objection to another directive by the EDPB to conduct a new audit of WhatsApp Ireland’s data processing practices, including special categories of personal data.
The DPC argued that this direction fell outside the EDPB’s mandate, arguing that “the EDPB cannot direct and direct the authorities to engage in unrestricted and speculative investigations.”
It suggested it could file a lawsuit with the Court of Justice of the European Union to “seek to put aside the EDPB’s instructions.”
The ruling is the latest in a series of heavy fines issued by Ireland’s DPC against Meta, the parent company of WhatsApp. This includes fines of €405 million ($402.2 million) for Instagram’s handling of children’s data in September 2022 and the personal data of 533 million Facebook users leaked in April. Includes a €265 million ($275 million) fine for November 2022 related to failure to protect. 2021 years.
In January 2023, Meta will appeal a €390 million ($413 million) fine issued in connection with choosing the legal basis on which the social media giant relies on processing users’ personal data. announced.
