€5.5 million fined on WhatsApp

€5.5 million fined on WhatsApp

Meta’s WhatsApp has been fined by Irish Data Protection Commission (DPC) for violating the General Data Protection Regulation (GDPR).

On 19th January 2023 thee Data Protection Commission (“DPC”) of Irish released the following statement.

“The Data Protection Commission (“DPC”) has today announced the conclusion of an inquiry into the processing carried out by WhatsApp Ireland Limited (“WhatsApp Ireland”) in connection with the delivery of its WhatsApp service, in which it has fined WhatsApp Ireland €5.5 million (for breaches of the GDPR relating to its service). WhatsApp Ireland has also been directed to bring its data processing operations into compliance within a period of six months.”

A complaint was launch by a German data subject on 25 May2018 about the WhatsApp service. WhatsApp allegedly compelled users to accept the changes by making it a requirement to keep using the software, according to the complaint made to DPC.

Therefore, just opening the app required users to give their agreement to the use of their personal data. According to Article 7 Recitation 32 of the GDPR, user consent must be freely given, specific, informed, and unequivocal, without pressure, influence, or factors that induce imbalance in the data subject’s decision. This is against these requirements.

Following a comprehensive investigation, the DPC found that:

  1. WhatsApp Ireland was not clearly outlined to users, with the result that users had insufficient clarity as to what processing operations were being carried out on their personal data, for what purpose(s), and by reference to which of the six legal bases identified in Article 6 of the GDPR. The DPC considered that a lack of transparency on such fundamental matters contravened Articles 12 and 13(1)(c) of the GDPR.

“The DPC, having already imposed a very substantial fine of €225 million on WhatsApp Ireland for breaches of this and other transparency obligations over the same period of time, did not propose the imposition of any further fine or corrective measures, having done so already in a previous inquiry. “

  1. WhatsApp Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data, the “forced consent” aspect of the complaints could not be sustained. WhatsApp Ireland was not required to rely on consent.

Due to a violation of GDPR Article 6 on “lawfulness of processing,” which mandates transparency, lawfulness, and fairness in data protection processes, WhatsApp Ireland was assessed a fine of €5.5 million. In order to ascertain whether there are any violations of Article 9 of the GDPR, which deals with the “processing of special categories of personal data,” the DPC will also open a new inquiry into all of WhatsApp’s processing activities inside its service.

Source

https://www.dataprotection.ie/en/news-media/data-protection-commission-announces-conclusion-inquiry-whatsapp

https://www.bleepingcomputer.com/news/security/whatsapp-fined-55-million-by-irish-dpc-for-gdpr-violation/

https://thehackernews.com/2023/01/whatsapp-hit-with-55-million-fine-for.html

Recently,

$5.4 million fined on TikTok