As a result of WhatsApp Ireland’s violation of the General Data Protection Regulation, the Irish Data Protection Commission (DPC) has fined the messaging service €5.5 million ($5.95m) (GDPR).
In order to avoid more fines, the regulator has given WhatsApp six months to bring its data processing activities into line. On May 25, 2018, the DPC opened an investigation into possible regulatory violations by WhatsApp in response to a complaint from a German data subject.
In order to continue using the app’s main interface, WhatsApp required all EU-based users to accept the changes by clicking on the prompt the same day it revised its Terms of Service.
Disregarding User Consent:
WhatsApp allegedly compelled users to accept the modifications by making it a requirement to keep using the service, according to the complaint made to DPC. Therefore, merely opening the app required users to provide their agreement to the use of their personal data.
According to Article 7 Recitation 32 of the GDPR, user permission must be freely provided, explicit, informed, and unequivocal, without pressure, influence, or factors that induce imbalance in the data subject’s decision. This is against these requirements.
Following a thorough inquiry, the DPC came to the following conclusions:
In violation of Articles 12 and 13 of the GDPR, WhatsApp Ireland failed to provide a clear justification for the required processing of user data.
Because the service did not rely on user consent to perform its service or utilise it as a legal basis for processing personal user data, WhatsApp Ireland did not breach Article 7 owing to coerced consent.
The DPC has already levied significant fines against WhatsApp for the identical reasons, therefore the initial offence will not result in extra penalties.
The justification for the choice is stated as follows: “The DPC did not propose the imposition of any further fine or corrective measures, having done so already in a previous inquiry, given that it had already imposed a very substantial fine of €225 million on WhatsApp Ireland for breaches of this and other transparency obligations over the same period of time.”
Regarding the second issue, the DPC’s denial of the claims made by the German data subject does not put an end to the matter because the German Supervisory Authority will now also be looking into the complaint.
Due to a violation of GDPR Article 6 on “lawfulness of processing,” which mandates openness, lawfulness, and fairness in data protection processes, WhatsApp Ireland was assessed a fine of €5.5 million.
In order to find out whether there are any violations of Article 9 of the GDPR, which deals with “processing of special categories of personal data,” the DPC will also open a fresh inquiry into all of WhatsApp’s processing activities inside its service.
The data protection authority wants to know if WhatsApp gathers and uses sensitive data for behavioural advertising and marketing purposes and if this data is also shared with any third parties.