The popular messaging app WhatsApp has been fined €5.5m by the Irish Data Protection Commission (DPC) for violating the General Data Protection Regulation (GDPR).
In addition, the Meta-owned company has been given 6 months by the DPC to bring its data processing operations in compliance with the privacy regulation.
The penalty relates to an update to WhatsApp’s Terms of Service in May 2018, ahead of the adoption of the GDPR. The updated Terms of Service imposed users to agree to the revised terms in order to continue using the messaging app.
By making the accessibility of its services conditional on users accepting the updated Terms of Service, WhatsApp Ireland forced them to consent to the processing of their personal data. The company claimed that the updates aimed at improving the security end the service, but it clearly breached the GDPR.
The inquiry concerned a complaint filed by the non-profit organization NOYB – European Center for Digital Rights on 25 May, 2018.
The company was not transparent about what processing operations were being carried out on the user’s personal data.
WhatsApp announced that it will appeal the fine. According to a spokesperson, the way the service operates is both technically and legally compliant.
In a post published by NOYB, the organization claims that WhatsApp doesn’t encrypt metadata and share it with Facebook and Instagram, which use this information to customize ads.
The organization pointed out that metadata can be used to acquire knowledge of the communication behavior of users, including who communicates with whom and when, who uses the app when, for how long and how often.
The DPC, however, noted it doesn’t plan to investigate whether WhatsApp processes user metadata for advertising, calling it “open-ended and speculative.”
This is the latest in a series of heavy fines issued by Ireland’s DPC against WhatsApp’s parent company Meta. These include a €405m penalty for Instagram’s handling of children’s data in September 2022, and a €265m fine in November 2022 relating to failing to protect the personal details of 533 million Facebook users that were leaked in April 2021.
In January 2023, Meta announced it will be appealing a €390m fine issued relating to the company’s choice of legal basis on which it relied to process users’ personal information.
Image Credits : Silicon Republic