WhatsApp fined €5.5m by DPC for data privacy breaches

19 Jan 2023

The initial complaint into WhatsApp and its privacy breach was made by a German who took issue with the way users were being asked to accept its Terms of Service.

WhatsApp has been issued with a fine of €5.5m by the Irish Data Protection Commission (DPC) over GDPR breaches.

The Meta-owned messaging platform was ordered to ensure its data processing operations are fully GDPR compliant within six months.

The fine, which was announced today (19 January), is the latest in a string of decisions made by the DPC in relation to Meta-owned platforms.

In 2022, Meta and Instagram were hit with fines by the DPC, also for GDPR violations.

In September 2021, WhatsApp was issued a massive €225m fine for GDPR breaches – the largest fine to be issued by the DPC at the time.

Following that fine, WhatsApp tweaked its privacy policy for European users to provide more detail on how their data is collected and used.

The decision announced by the watchdog today stemmed from an inquiry into a complaint made against WhatsApp in 2018.

That complaint was made by a German data subject, who took issue with the updates WhatsApp made to its Terms of Service when the GDPR came into operation.

The platform’s updated Terms of Service informed users that if they wished to continue to have access to the WhatsApp service following the introduction of the GDPR in 2018, they would have to click “agree and continue” to indicate their acceptance of the updated terms.

If they did not accept the terms, they could not access the platform.

From WhatsApp Ireland’s point of view, by clicking “agree and continue” the user entered into a contract with the company which allowed it to process that user’s data to deliver the service.

However, the complainant argued that WhatsApp was effectively forcing users to consent to the processing of their personal data to access the service. They said this was a breach of the GDPR.

WhatsApp maintains that its methods are fully compliant with the law.

Following its inquiry, the DPC consulted with its peer regulators in the EU/EEA. As the regulators could not agree on a decision, the DPC referred the matter to the European Data Protection Board (EDPB).

The EDPB’s view was reflected in the DPC’s final decision, which was adopted a few days ago on 12 January.

In response to the DPC’s decision, a WhatsApp spokesperson told SiliconRepublic.com that the company “has led the industry on private messaging by providing end-to-end encryption and layers of privacy that protect people”.

“We strongly believe that the way the service operates is both technically and legally compliant. We rely upon contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service. We disagree with the decision and we intend to appeal.”

According to Nigel Jones, co-founder of the Privacy Compliance Hub, the way the decisions were being communicated by multiple regulators was “unhelpful”.

He added that the manner in which the regulators decide how to communicate proceedings with companies is not helpful to companies “seeking certainty” on how to comply with the GDPR.

Updated, 4.15pm, 19 January 2023: This article has been updated to include a statement from WhatsApp, a comment from Nigel Jones and changes made for clarity.

Blathnaid O’Dea was a Careers reporter at Silicon Republic until 2024.