Ireland: Issued DPC ruling in investigation into WhatsApp including EUR 225 million fine for violations of GDPR user privacy rules

On 2 September 2021, the Irish Data Protection Commission (DPC) concluded its investigation into WhatsApp for violations of the General Data Protection Regulation (GDPR). The DPC sanctioned WhatsApp with a fine of EUR 225 million and further handed WhatsApp a reprimand and a compliance order pursuant to Articles 58(2)(i) and 83 of the GDPR. The investigation was opened on 10 December 2018 when the DPC received several breach notifications regarding WhatsApp's alleged violations of the GDPR. More specifically, it was questioned whether WhatsApp fulfilled its transparency obligations towards users, as stated in the GDPR. As part of the investigation, the Irish DPC submitted a draft decision to all concerned Data Protection Authorities in Europe under Article 60 GDPR. An agreement on the appropriate decision could however not be reached. As a consequence, the European Data Protection Board (EDPB) was contacted pursuant to Article 65 of the GDPR. The EDPB's decision gave clear instructions to the Irish DPC to increase its sanction of WhatsApp. WhatsApp has now been fined for violations of Articles 5(1)(a), 12, 13 and 14 of the GDPR. WhatsApp has the possibility to appeal the decision.