It’s been a long time coming but Facebook is finally feeling some heat from Europe’s much trumpeted data protection regime: Ireland’s Data Protection Commission (DPC) has just announced a €225 million (~$267 million) fine for WhatsApp.
The Facebook-owned messaging app has been under investigation by the Irish DPC since December 2018, some months after the first complaints were filed against WhatsApp over how it processes user data under Europe's General Data Protection Regulation (GDPR), which began being applied in May 2018.
While the DPC has received a large number of specific complaints about WhatsApp, the inquiry it has now decided was an "own volition" one, meaning the regulator chose the area of investigation on its own criteria and zeroed in on WhatsApp's "transparency" obligations.
A key principle of the GDPR is that entities which are processing people's data must be clear, open and honest with those people about how their information will be used.
The DPC's decision today (which runs to a full 266 pages) concludes that WhatsApp failed to live up to the standard required by the GDPR.
Its inquiry addressed whether WhatsApp meets its transparency obligations to both users and non-users of its service (WhatsApp may, for example, upload the phone numbers of non-users when a user allows it to ingest their address book, which contains other people's personal data), and also examined the transparency the platform offers over its sharing of data with its parent, Facebook: a highly controversial issue when that privacy U-turn was announced back in 2016, although it predated the GDPR being applied.
The DPC found that WhatsApp infringed the following GDPR transparency provisions: Article 5(1)(a) and Articles 12, 13 and 14.
In addition to the sizeable financial penalty, it has ordered WhatsApp to take a range of actions to improve the level of transparency it offers users and non-users, with a deadline of three months to do so.
In a statement responding to the DPC's decision, WhatsApp rejected its conclusions, called the fine "entirely disproportionate" and confirmed that it will appeal, writing:
"WhatsApp is committed to giving its users a safe and private service. We have made sure the information we give to them is transparent and exhaustive, and will continue doing that. We disagree with today's ruling on the transparency provided to people in 2018, and the penalties are entirely disproportionate. We will appeal."
Notably, the scope of the DPC's inquiry was limited to this aspect of WhatsApp's obligation to be transparent.
The regulator expressly clarified that it was not examining complaints (some of which have been lodged against Facebook's data-mining empire for more than three years) about the legal basis WhatsApp claims for processing people's information in the first place.
So the DPC will continue to take flak over both the speed and manner of its GDPR enforcement.
https://twitter.com/maxschrems/status/1433371977109094401
Indeed, before today Ireland's regulator had issued just one decision in a significant cross-border case against "Big Tech": against Twitter, when back in December it rapped the social network's knuckles over a historical security breach with a fine of $550,000.
In contrast, WhatsApp's first GDPR penalty is considerably bigger, reflecting what EU regulators (plural) evidently consider to be a far more serious infringement of the GDPR.
Transparency is a core principle of the regulation. And while a security breach may indicate sloppy practice, systematic opacity toward people whose data your adtech empire relies on to turn a fat profit looks rather more intentional; indeed, it's arguably the whole business model.
And — at least in Europe — such companies are going to find themselves being forced to be up front about what they're doing with people's data.
Is the GDPR working?
The WhatsApp decision will reopen a debate about whether the GDPR is working effectively where it counts most: against the most powerful companies in the world, which are also of course internet companies.
Under the EU's flagship data protection regulation, cross-border cases require all relevant regulators across the 27 Member States to agree on decisions. The GDPR's "one-stop shop" mechanism aims to simplify the regulatory burden on cross-border businesses by channeling complaints and investigations through a lead regulator, usually in the country where the company has its main EU establishment, but the other supervisory authorities can still object to the lead authority's draft decision (and any penalties it proposes), which is what happened in WhatsApp's case.
The DPC initially proposed a far more modest fine of up to €50 million for WhatsApp. The other EU regulators objected to its draft decision on various grounds, and the European Data Protection Board (EDPB) eventually had to adopt a binding decision, published this summer, to settle those disputes.
Through that rather painful joint working, the DPC was made to increase the fine imposed on WhatsApp, just as happened with its draft Twitter decision, where the DPC had likewise proposed a smaller first-instance penalty.
There is clearly a cost in time to ironing out disputes between the EU's smorgasbord of data protection agencies: the DPC submitted its draft WhatsApp decision to the other DPAs for review back in December, so resolving the objections (over matters such as WhatsApp's "lossy hashing" of non-users' phone numbers) took well over half a year. But the fact that corrections to its decisions and conclusions can land, if not by joint agreement then via a consensus pushed through by the EDPB, suggests that the process, while slow and creaky, is working. At least technically.
Even so, Ireland's data watchdog will continue to face criticism for its outsized role in handling GDPR complaints and investigations — with some accusing the DPC of essentially cherry-picking which issues to examine in detail (by its choice and framing of cases) and which to elide entirely (those issues it doesn't open an enquiry into or complaints it simply drops or ignores), with its loudest critics arguing it's therefore still a major bottleneck on effective enforcement of data protection rights across the EU.
The associated conclusion from that critique is that tech giants like Facebook are still getting a pretty free pass to violate Europe's privacy rules.
It is true that a $267 million fine is the equivalent of a parking ticket for Facebook's business empire, a small price to pay. But orders that change how adtech giants are allowed to process people's information at least have a chance of being a more meaningful correction to such problematic business models.
Again, though, only time will tell whether such broader orders have the desired effect.
In a statement reacting to the DPC's WhatsApp decision today, noyb, the privacy advocacy group founded by long-time European privacy campaigner Max Schrems, said: "We welcome the first decision by the Irish regulator. However, the DPC gets about ten thousand complaints per year since 2018 and this is the first major fine. The DPC also proposed an initial fine of €50M, and was forced by the other European data protection authorities to move towards €225M, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover. This shows how dysfunctional the DPC still is."
Schrems added that he and noyb also have a range of further cases pending at the DPC — including against WhatsApp.
In further comments, Schrems raised concerns about the length of any appeal process, and about whether the DPC would vigorously defend a decision it had only been made to toughen after objections from other DPAs elsewhere in the EU.
"WhatsApp will be sure to appeal the ruling. In the Irish court system this means that years will pass before any fine is actually paid. In our cases we often had the feeling that the DPC is more concerned with headlines than with actually doing the hard groundwork. It will be very interesting to see if the DPC will actually defend this decision fully, as it was basically forced to make this decision by its European counterparts. I can envision that the DPC will just not put many resources into the case, or 'settle' with WhatsApp in Ireland. We will be keeping a close eye on this case to ensure that the DPC actually follows through on this decision."
Update: In another reaction statement, the European consumer protection association BEUC, which has also filed complaints against Facebook-owned WhatsApp, called the decision "well overdue".
David Martin, its lead on digital policy, commented: "It sends a very serious message to Facebook and its subsidiaries that breaking the EU's rules on data protection has consequences. It also shows the decisive role of the European Data Protection Board in enforcing the GDPR: the Irish data protection authority was forced by its peers in the other member states to take a much harder line. We hope that consumer authorities take heed of this decision and act fast on BEUC's separate complaint against WhatsApp for unfairly forcing users to accept the new terms and conditions and privacy policy."