Facebook’s WhatsApp messaging service was fined nearly $ 270 million by Irish authorities on Thursday lack of transparency on the use of data collected from users of the service in a case that represents a major test of Europe’s ability to enforce its landmark data protection law.
The 265-page decision is the first major judgment against Facebook under the European Union’s far-reaching General Data Protection Regulation (GDPR), a three-year-old law that has been criticized by many for not being properly enforced. Irish regulators said WhatsApp is not clear to users about how data is shared with other Facebook properties such as its main social network and Instagram.
WhatsApp announced that it would appeal the decision and initiate what is expected to be a protracted legal battle.
The GDPR was heralded as the world’s most comprehensive data protection law when it was passed and advocated as a model for the rest of the world to counter the data hoarding practices of Facebook, Google and other internet giants. But the law incurs few fines or penalties, and many have said it failed to deliver on its promise.
The regulators in Ireland were at the center of the debate. According to the law, companies must be regulated by the countries in which they have their European headquarters. The European offices of Facebook, Google, Twitter, Apple and many other companies are based in Ireland for its low corporate tax rates and other benefits.
However, this has put tremendous pressure on the Irish Data Protection Commission, an underfunded and much criticized agency tasked with enforcing a novel and complex data protection law against some of the largest companies in the world.
In July the Irish legislature published a damning report saying that the Irish regulator “does not adequately protect the fundamental rights of citizens” because it is not being enforced.
The GDPR enforcement challenge is being closely watched as European Union officials discuss new rules for other areas of the tech industry, including stricter antitrust and content moderation guidelines. Critics argue that the GDPR shows that while the European Union has developed strong digital guidelines, it has struggled to implement them well.
The € 225 million fine, a fraction of Facebook’s annual profit, was the highest under the law by Irish regulators on a tech giant; In December, Ireland fined Twitter € 450,000 for a data breach. The ruling states that WhatsApp failed to comply with its “transparency obligations” to clearly disclose how data from Facebook users were used for its other services.
The WhatsApp case has sparked significant debates among European Union countries about the appropriate level of enforcement under the region’s data protection laws. Officials in other countries in the 27-nation bloc have criticized Ireland for not moving faster against large technology platforms.
Other countries urged Ireland to increase its originally proposed fine, which had only been set at up to € 50 million. That figure was increased to € 225 million after other national regulators used a law-created body to coordinate enforcement and dispute settlement to ask for a higher penalty.
Max Schrems, an Austrian lawyer and data protection activist who has filed several complaints with authorities in Ireland against Facebook, welcomed Thursday’s decision but said the Data Protection Commission’s fine was still too small. The GDPR allows fines of up to 4 percent of global sales. He said there were dozen other cases waiting to be dealt with.
“This shows that the DPC is still extremely dysfunctional,” said Mr Schrems, who now leads a data protection group called Noyb.
“WhatsApp strives to provide a secure and private service,” said Joshua Breckman, a spokesman for WhatsApp, in a statement. “We have worked to ensure that the information we provide is transparent and comprehensive, and we will continue to do so. We disagree with today’s decision on the transparency we gave people in 2018 and the penalties are completely disproportionate. “
Other tech companies have also been targeted under the GDPR, although critics say the penalties are relatively light and unlikely to result in significant behavioral changes.
In July, Amazon was fined almost € 750 million by the Luxembourg data protection authority for violations related to its advertising practices. In 2019, Google was fined 50 million euros by the French authorities for not receiving sufficient permission to use certain online advertisements.