Ireland’s Data Privacy Commissioner (DPC) conducted an investigation into the way WhatsApp processes personal data under the General Data Protection Regulation (GDPR). The purpose of the investigation was to establish whether WhatsApp had been transparent enough about how it processes people’s data.
The DPC concluded that WhatsApp, in the processing of their data, was failing to be transparent to both users and non-users and was therefore in breach of GDPR. WhatsApp was fined €225 million as a result. This is the second-highest fine under GDPR.
WhatsApp has stated that they entirely disagree with the decision and the severity of the fine. They have indicated that they intend to appeal the decision reached.
What is the transparency principle?
Under Article 5(1)(a) of UK GDPR, personal data should be processed lawfully, fairly and in a transparent manner. In essence, transparent processing is about being clear, open and honest with people about:
- Who you are;
- Why you need their data; and
- What you are doing with it.
Organisations need to ensure that when they tell people about their processing they do so in a way that is easy to understand and in plain language.
Even when an organisation has no direct relationship and collects data from another source, it still needs to be transparent about its processing. This was the issue with the way in which WhatsApp processed its data: it was not transparent about the way in which it shared data with its parent company, Facebook. When making its decision, the DPC not only imposed a fine but also ordered WhatsApp to take a range of specified remedial actions. WhatsApp was given three months to implement the remedial actions.
The above acts as a reminder of just how important it is to ensure that you are compliant with data protection legislation. Whilst €225 million seems like an incredibly high fine, it is only around 0.08% of WhatsApp's annual turnover. The DPC could have ordered a fine of up to 4% of the total global turnover.