Ireland’s Data Protection Commission (DPC) recently slapped WhatsApp Ireland with a €5.5 million fine after it confirmed that the messaging service had violated the GDPR. The Irish regulator has now ordered WhatsApp to ensure its current data processing operations are compliant with GDPR within six months. If it fails to do so, it will face a further penalty on top of the massive fine.

Back in May 2018, the Irish DPC began an inquiry after a data subject from Germany complained about a potential violation of the GDPR by WhatsApp. On the same day the inquiry was initiated, a change was made to WhatsApp’s Terms of Service, and users based in the EU were prompted to accept the update by clicking in order to retain access to the application’s main interface.

Ignoring app user consent

The complaint sent to the DPC stated that WhatsApp had forced users into accepting the update by making acceptance a condition of continuing to use its software. As a result, it also forced users to consent to their personal data being processed simply to open the application.

This action violates the GDPR’s Article 7 recital 32, which demands that user consent must always be provided freely and on an explicit, unambiguous, informed basis, without influence, pressure, or elements that may cause imbalance in a data subject’s personal decision.

After a full investigation, the Irish regulator made its conclusion. It judged that WhatsApp Ireland had not clearly outlined the specific reasons or legal basis for the user data processing requested, in violation of the GDPR’s Articles 12 and 13.

However, it found that WhatsApp Ireland had not broken Article 7 because the messaging service did not depend on user consent for providing its service or employ it as a lawful basis for the processing of user data.

As the regulator had already served large fines to WhatsApp for previous issues, the first point incurred no additional penalties. It explained:

“The DPC, having already imposed a very substantial fine of €225 million on WhatsApp Ireland for breaches of this and other transparency obligations over the same period of time, did not propose the imposition of any further fine or corrective measures, having done so already in a previous inquiry.”

However, regarding the second point, the regulator’s rejection of the allegations made by the German data subject did not close the case, as the complaint will now be reviewed in Germany.

Facing the penalty

The DPC issued a fine of €5.5 million to WhatsApp Ireland because of its violation of the GDPR’s Article 6, which covers “lawfulness of processing.” The article requires transparency, fairness, and lawfulness in all data protection processes performed.

Furthermore, the DPC will now launch a new investigation that encompasses all processing operations used by WhatsApp in its services to ascertain if there are any violations of Article 9.

The DPC wants to assess whether WhatsApp is collecting and processing sensitive data for behavioural advertising or marketing purposes and whether this harvested data is then shared with third-party firms.

Protecting data in your organisation

Here at Galaxkey, we provide a state-of-the-art encryption platform that is GDPR-compliant, ensuring that even if an attack happens, sensitive data won’t be breached and there won’t be any fines for your organisation. You can get in touch with us today and get a demonstration of just how easy to use our platform is.