Ireland regulators are fining Facebook-owned WhatsApp $267 million for violating the European Union’s data privacy rules by, among other things, not properly telling EU citizens how it handles their personal data.
Ireland’s Data Protection Commission (DPC) charged that WhatsApp shared data with Facebook and other entities without fully disclosing that to its users, as required by Europe’s General Data Protection Regulation (GDPR).
The commission said the action followed “a lengthy and comprehensive investigation.”
“The DPC’s investigation commenced on 10 December 2018 and it examined whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service,” the agency said in a news release.
It’s the second-largest fine imposed under the GDPR. Amazon was fined $887 million in July for privacy violations.
WhatsApp said it would appeal and said the penalties were “entirely disproportionate.” It said it strived to offer “transparent and comprehensive” information to users.
The ruling requires WhatsApp to provide clearer disclosure and bring its sharing policies into line with the GDPR.
WhatsApp data sharing a violation
It’s not just the lack of disclosure — the commission said the data sharing itself violates the GDPR. Part of the problem is that WhatsApp stores phone number data in such a way that it could decrypt the information and identify specific users it it wanted to.
Among WhatApp’s popular features is View Once, “photos and videos that disappear from the chat after they’ve been opened, giving users even more control over their privacy,” according to an August 3, 2021 WhatsApp blog.
Facebook acquired WhatsApp in February 2014 for about $16 billion, calling it “a rapidly growing cross-platform mobile messaging company.”