The Data Protection Commission (DPC) has fined WhatsApp 5.5 million euros. The messaging service had no legal basis to process user data, in direct violation of European privacy laws. Parent company Meta will be given six months to put its house in order.
The Irish regulator announced the fine through a press release (1).
For the beginning of this case, we must go back to May 25, 2018. On this date, the General Data Protection Regulation (AVG) went into effect. To get around the new European privacy laws and regulations, the chat service changed its terms of use. Anyone who wanted to continue using WhatsApp after the effective date of the AVG had to accept these new terms. If not, the service would be made inaccessible.
A German was not amused by this and filed a complaint with the DPC. In his view, WhatsApp was trying to coerce consent from users in order to obtain a legal basis to process user data. In doing so, the messaging service exercised coercion over its users, in violation of the AVG.
WhatsApp said these data were necessary to ensure the service and security of the platform. By agreeing to the new terms, users entered into a contract with the chat service. In order for the company to continue providing its services, it was necessary to collect data from users. According to Article 6(1)(b) of the AVG, this gave WhatsApp a lawful ground to collect and process user data.
Initially, the DPC refused to intervene. After pressure from the European Data Protection Board (EDPB), which represents all of Europe's privacy watchdogs, the Irish regulator decided that "contractual necessity" was insufficient to lawfully collect user data. The EDPB held that it was not necessary for WhatsApp to collect user data to improve the continuity and security of the service. After much deliberation, the Irish regulator adopted this conclusion.
In the press release, the DPC writes that WhatsApp violated the AVG by not being transparent enough with users. For that reason, they were not sufficiently informed about what data the messaging service collected, and for what purposes this data was necessary. That is a violation of Article 12 and Article 13 paragraph (c) of the AVG. For this, WhatsApp was already fined 225 million euros by the DPC in September 2021.
The regulator, like the members of the EDPB, did not believe that WhatsApp put undue pressure on users to agree to the new terms. All in all, the DPC felt it was justified in imposing a fine of 5.5 million euros on WhatsApp. Meta, WhatsApp's parent company, will be given six months to put things right.
A spokesman for WhatsApp informed Reuters news agency that it is challenging the fine.
Austrian privacy foundation Noyb is unhappy with the DPC's ruling. According to chairman Max Schrems, the Irish regulator is ignoring the heart of the matter, which is whether the chat app is allowed to collect and share user data with Facebook and Instagram in order to show personalized ads there.
Unlike these companies, WhatsApp admittedly does not dish out targeted ads to users. However, the platform does provide metadata to Facebook and Instagram. This metadata reveals a lot of personal information about users' communication behavior. Also, WhatsApp collects things like phone number and associated Facebook or Instagram profile. Meta uses this information to offer personalized ads on these platforms.
"WhatsApp says it's encrypted, but that only applies to the content of chats, not the metadata. WhatsApp still knows who you chat with the most and at what time. This allows Meta to get very good insight into the social fabric around you. Meta uses this information to target ads that friends were already interested in, for example. It seems that the DPC now simply refuses to make a decision on this, despite four-and-a-half years of research," Schrems said.
It is not the first privacy fine the DPC is issuing to Meta this year. Last week, the regulator ruled that Facebook and Instagram did not properly seek consent to collect data from users for targeted ads. For this, they must pay a sum of 210 million euros and 180 million euros, respectively.
Noyb was critical of the fine decision. According to the privacy foundation, the Irish regulator forgot to consider the revenue gained by parent company Meta by violating the AVG. In Noyb's view, the DPC handed out a gift worth €4 billion to Meta.
"We all know about Meta's huge revenues. It is amazing that the DPC did not take that into account. The DPC did not even use its legal powers to ask Meta for the information. We therefore examined publicly available information and found that this factor alone should have increased the fine by 3.97 billion euros," Schrems said of the matter.
https://www.dataprotection.ie/en/news-media/data-protection-commission-announces-conclusion-inquiry-whatsapp
