Ireland’s Data Protection Commission (DPC) has fined Facebook-owned WhatsApp €225 million ($267 million) for breaking the European Union’s data privacy rules. In an 89-page summary (PDF), DPC announced its decision. WhatsApp breaches GDPR privacy rules by not correctly inform EU citizens how it handles personal data, including how it shares that information with Facebook, its parent company. WhatsApp became part of Facebook in 2014 through a $19.3 billion acquisition.
WhatsApp has been ordered to update and change its policy of notifying users about sharing their data. Tech companies must comply with Europe’s General Data Protection Regulation (GDPR), which governs how they gather and use data in the European Union. GDPR came into effect in May 2018, and WhatsApp is one of the first companies that DPC has hit with privacy lawsuits under the regulation.
On its website, WhatsApp states that it shares transaction data, phone numbers, mobile device information, IP addresses, business interactions, and other information with Facebook. However, the website states it does not share personal conversations, location data, and call logs with the parent company.
“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” the spokesperson said. “We disagree with the decision today regarding the transparency we provided to people in 2018, and the penalties are entirely disproportionate.”
In July 2021, Luxembourg National Commission for Data Protection fined Amazon 746 million euros for breaching GDPR rules for using consumer data in advertising. Luxembourg’s data regulator stated that Amazon didn’t comply with GDPR in processing customer’s data.