Company will appeal the ruling declaring that the penalties are entirely disproportionate

WhatsApp Ireland has been slapped with a record €225-million fine over data protection breaches under European Union (EU) data laws.

In fact, the €225-million fine represents the largest fine ever imposed by the EU’s Data Protection Commission (DPC) and is the second largest penalty ever levied on an organisation under EU data laws. The fine imposed by the EU’s Data Protection Commission (DPC) relates to infringements of data protection rules.

Irish News outlet, RTÉ reports that the DPC has also ordered the messaging service to bring its processing into compliance by taking a range of specified remedial actions. However, WhatsApp has declared its disagreement with the decision, claiming that the penalties are entirely disproportionate and has stated it will appeal the ruling.

The DPC acts as the lead supervisory authority for WhatsApp across Europe. RTÉ reports that the probe was launched by the DPC three years ago, after new rules on data protection were brought into force by the EU.

The inquiry examined whether WhatsApp had met its obligations under the General Data Protection Regulation (GDPR) regarding the provision of information and the transparency of that information to both users and non-users of WhatsApp’s services. This included the transparency of information provided to users about the processing of their data between WhatsApp and other Facebook companies.

WhatsApp ordered to take remedial action

In a statement on the matter, the DCP emphasised that, “in addition to the imposition of an administrative fine, the DPC has also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions”.

However, WhatsApp Ireland, which had previously set aside €77.5 million for a possible fine, has said it does not agree with the decision and is committed to providing a secure and private service.

“We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” said a WhatsApp spokesperson.

The spokesperson added: “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision.”

An appeal can be made either to the Irish High Court or directly to the European Court of Justice, and would likely focus on the size of the fine. It is understood that WhatsApp believes the fine is not about its data sharing practices but the level of detail provided in its 2018 privacy policy.

Sources close to the company, which is owned by Facebook, tell RTÉ that rather than making its policy shorter and less complicated, the decision would mean it would have to add even more information to its already long and complicated privacy policy.

In December of last year, having concluded its investigation, the DPC sent its draft decision to other European data regulators for consideration, as required by the GDPR. However, eight of around 40 of those authorities disagreed with the draft conclusions, including the DPC’s proposed fine of up to €50 million.

Because the DPC was not able to reach a consensus with the other regulators on how to proceed, the case was referred to the European Data Protection Board earlier this summer and it made its binding ruling at the end of July, which the DPC must now enforce.