Instant messaging and VOIP service WhatsApp has been hit with a whopping €225m fine after Ireland’s privacy watchdog found it had breached EU data protection rules.

The announcement wraps up an investigation that began in December 2018, after the General Data Protection Regulation (GDPR) took effect.

This is the largest fine ever from the Irish Data Protection Commission, and the second-highest under EU GDPR rules.

Topping the list, Amazon was fined a record €746 million fine for processing personal data in violation of GDPR rules at the end of July.

Transparency of data

An investigation by the watchdog found that WhatsApp broke strict regulations in relation to transparency of data shared with other companies also owned by parent firm Facebook, which bought WhatsApp in 2014 for approximately $19bn.

In addition, the Irish Data Protection Commission said yesterday it was ordering WhatsApp to take "remedial actions", to ensure its processing complies with EU rules.

The commission said the case against WhatsApp looked at whether Facebook followed GDPR requirements to be transparent for both users as well as those who didn't use its service, including how people's data is processed between WhatsApp and other Facebook companies, including Instagram.

WhatsApp said it disagreed with the decision, as the fine was disproportionate, and said it planned to appeal.

The instant messenger company said it is committed to providing a secure and private service. "We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so.”

No compensation

Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network, believes that Facebook will appeal the ruling, and the fine will be significantly reduced in court as has been seen with other major cases.

“The judicial process to get a final and enforceable decision will likely take several years. It's very unlikely any Europeans, whose privacy rights were allegedly violated by WhatsApp, will get any compensation.”

He adds that privacy experts argue that GDPR does not serve its initial purpose of being a consistent pan-European privacy legislation that is capable of protecting personal data and detering privacy violations.

“Given the growing disagreement between European DPAs on GDPR enforcement priorities and imposition of penalties, these concerns become even more real today. Moreover, data subjects are reluctant to enforce their rights under GDPR as it’s always time-consuming and may require a complex and costly process to litigate for penny compensation if any.”

Kolochenko adds that GDPR is comprehensive and balanced, but its enforcement lacks teeth, and without an overhaul, impunity for GDPR violations will become the norm.