Ireland’s Data Protection Commission (DPC) has hit Meta's messaging service WhatsApp with an eye-popping $267M fine for violating Europe’s General Data Protection Regulation (GDPR). In response, WhatsApp launched a new privacy policy that applies only to Europe.

Let's find out why WhatsApp received such a hefty fine, what the specific DPC orders are, and how the new privacy policy will affect WhatsApp and its users.

Ireland's DPC is the European Union's implementing arm of GDPR in Ireland, where WhatsApp Europe is based. Following the entry into force of the GDPR on 25 May 2018, Ireland's DPC formally received complaints from both users and non-users of WhatsApp, and the German Federal Data Protection Authority, about the sharing of personal data between WhatsApp and Facebook (now Meta).

These complaints revolved around lack of transparency by WhatsApp. For this reason, the DPC decided to start an investigation.

On January 4 this year, WhatsApp made things worse for itself. They attempted to push an update forcing users to retroactively grant it permissions to share data with Facebook (now Meta). This data includes phone numbers, logs of how long and how often you use WhatsApp, device identifiers, IP addresses, transaction and payment data, cookies, and location information.

WhatsApp has been sending the data to Meta anyway since 2016 (without user consent) but only this year did they admit the fact and attempt to legalize the arrangement. This move sparked a backlash which only made things legally trickier for WhatsApp. Many users also migrated to rival apps Telegram and Signal.

How Did WhatsApp Break the Law?

The GDPR grants individuals a fundamental right to the protection of their personal data. Individuals also have a right to share their personal data or withhold it. The DPC found WhatsApp to be in violation of four key provisions of the GDPR, namely: Article 5(1)(a), Article 12, Article 13, and Article 14.

In summary, these four violations mean that WhatsApp failed to be fully transparent with users about how it shares information with Meta. In addition, non-users (third parties on other apps) were also not made aware that their information could be shared by WhatsApp, denying them the ability and right to control their personal data. According to the DPC, WhatsApp provided only 41% of the required information to users of its service, while non-users did not receive any.

Ireland's DPC has made a decision with eight orders. This includes the substantial fine. Also, Meta and WhatsApp are required to remove the Legal Basis Notice and the Facebook FAQ from their platforms until they are compliant with all GDPR requirements.

In addition, WhatsApp has been ordered to update their privacy policy to GDPR standards and communicate the updated policy to users and non-users in a language that is simple enough for a child to understand. All orders are to be implemented within three months.

As a result, WhatsApp has updated its privacy policy to provide more information to users and non-users in three key areas:

  • How they use data: More detail about data they collect and use, why they store and when they delete your data, and what services third parties provide to them.
  • Global operations: More detail about why they share data across borders and how they protect that data.
  • Legal: More detail about the laws they rely on for processing your data.

However, WhatsApp won't have to pay the $267M fine just yet because they are appealing it.

Will the Policy Change Affect You?

If you do not live in Europe, the answer is no. You remain under the old WhatsApp privacy framework. However, if you live in Europe, you will see a notification alerting you to the updated privacy policy when you go on WhatsApp. But that's it; there will be no noticeable difference in how you experience the app.

The good news is that Europeans can opt out of WhatsApp's privacy policies with no impact on their access to the service. For them, at least, it seems data sovereignty is a reality, not an idea.