Ireland: DPC fines WhatsApp €225M for transparency violations following EDPB dispute resolution.
The Data Protection Commission (‘DPC’) announced, on 2 September 2021, that it had issued a decision to fine WhatsApp Ireland Ltd. €225 million, after it was required to reassess and increase its proposed fine on the basis of a number of factors by the European Data Protection Board’s (‘EDPB’) binding dispute resolution decision, adopted on 28 July under Article 65(1)(a) of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’).
In particular, the EDPB highlighted that it had requested that the DPC amend its draft decision regarding infringements of transparency, the calculation of the fine, and the period for the order to comply. More specifically, the EDPB outlined that, in addition to the DPC’s findings that WhatsApp had committed a severe breach of Articles 12, 13, and 14 of the GDPR in relation to the information provided to users, it had identified additional shortcomings with the information provided, impacting users’ ability to understand the legitimate interests being pursued, and it therefore requested that the DPC’s decision include a finding of a violation of Article 13(1)(d) of the GDPR. Moreover, the EDPB outlined that there had also been a violation of the principle of transparency as enshrined under Article 5(1)(a) of the GDPR, and requested that this be reflected in the final fine amount.
In addition, the EDPB made a number of requests and provided clarifications in terms of the calculation of the fine itself. Specifically, the EDPB decided that the turnover of an undertaking is not exclusively relevant for the determination of the maximum fine amount in accordance with Article 83(4)-(6) of the GDPR, but it may also be considered for the calculation of the fine itself, where appropriate, to ensure the fine is effective, proportionate, and dissuasive in accordance with Article 83(1) of the GDPR. Therefore, the EDPB found that the consolidated turnover of WhatsApp’s parent company, Facebook Inc., should be included in the turnover calculation. Furthermore, the EDPB provided, for the first time, clarification on the interpretation of Article 83(3) of the GDPR, highlighting that when faced with multiple infringements for the same or linked processing operations, all the infringements should be taken into consideration when calculating the amount of the fine.
Lastly, the DPC’s final decision includes an order to bring processing operations into compliance within a period of three months, having been reduced from the six-month timeframe initially provided by the DPC’s draft decision, as requested by the EDPB, which had highlighted the vital importance of ensuring compliance with transparency obligations in the shortest timeframe possible.