Facebook’s WhatsApp on Thursday was fined an estimated $267 million (225 million euros) by the Irish Data Protection Commission (DPC) for alleged violations of the EU’s GDPR privacy regulations.
Today’s fine was the largest ever issued by the DPC and the second-largest fine since the General Data Protection Regulation (GDPR) went into effect three years ago. The largest fine was the $887 million (746 million euros) imposed on Amazon in July 2021.
The DPC's decision concludes a nearly two-year investigation in which the agency found that WhatsApp had not given EU citizens enough transparency about what it does with their data. Alongside the fine, the DPC ordered WhatsApp to change its policies and bring its practices into compliance.
WhatsApp said it will appeal the fine, the first ever imposed by the Irish agency on Facebook. In a statement submitted this afternoon to SC Media, WhatsApp said the following:
“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision.”
Ilia Kolochenko, founder of ImmuniWeb and a member of Europol Data Protection Experts Network, said that on appeal the fine will likely be significantly reduced, as has been the trend in many of these cases. Kolochenko added that the judicial process to get a final and enforceable decision should take several years, and it’s not likely that any Europeans whose privacy rights were allegedly violated will get any compensation.
"Many privacy experts argue that GDPR does not serve its initial purpose of being a consistent pan-European privacy legislation capable of protecting personal data and deterring privacy violations," Kolochenko said. "The situation in the U.S. is even more complex. There's no federal privacy law, but a convoluted patchwork of state legislation pioneered by California. Companies in the U.S. have to comply with dozens of similar, but diversified state laws and also pay attention to industry-specific federal laws such as HIPAA. The Facebook case is unlikely to have a major impact on U.S. companies operating in Europe, as this case seems to be more political than operational."
Niamh Muldoon, global data protection officer at OneLogin, said that business leaders who do not understand that trust has become a true business differentiator are likely to see an impact on their brand and business over the next couple of years, if they haven’t already experienced it. Muldoon pointed out that by 2023, 65% of the world’s population will have their personal data covered under modern privacy regulations, up from 10% in 2020.
“This problem must be addressed at every level of the organization, including boardroom and executive management teams,” Muldoon said. “There’s a slight increase in trust and security expertise sitting at executive management and boardroom levels, but this is not consistent across all industries and businesses, and not having this representation at these levels will continue to impact trust and associated brand and reputation associated with it.”
Andrew Barratt, managing principal, solutions and investigations at Coalfire, said the penalties for privacy violations could very well outstrip those of cybersecurity breaches as regulators take a dim view of large organizations using personal data for targeted advertising and profiling.
"The regulatory view is that blame can be squarely placed on a lack of privacy-by-design and inconsistent communications to the persons whose data is in use," said Barratt. "Unlike in cyber breaches where an adversary has compromised a system and so the organization has been victim to a crime, with a privacy breach it's easy to point the finger of blame at executive leadership who have not taken privacy considerations, processes, and regulatory concerns seriously from day one."