WhatsApp has been fined €225 million by the Irish Data Protection Commission for breaching data protection rules. The tech giant has criticised the fine, calling it excessive and disproportionate. The fine is the result of a three-year investigation into the company, which is owned by Facebook.
The fine is the largest ever imposed by the Irish Data Protection Commission and only the second highest ever issued in the EU. Luxembourg’s National Commission for Data Protection fined Amazon €746 million earlier this year for breaches of data protection rules, the highest fine ever issued under the legislation.
The Irish Commission said that WhatsApp had committed severe and serious infringements of the GDPR, including sharing information about data subjects between WhatsApp and other Facebook companies.
The Irish watchdog has been subject to sharp criticism by other European data privacy watchdogs. It has been accused of lacking teeth. Ireland’s role in enforcing privacy rights is central to the working of the GDPR given that most of the international tech giants have their European headquarters in Ireland. The EU country where the European headquarters is located is responsible for leading in any complaints and investigations under the one-stop shop mechanism introduced by the GDPR.
Concern has been expressed that the record fine does not necessarily indicate sharper teeth in Ireland. When Helen Dixon, the Irish Data Protection Commissioner, finished her investigation into WhatsApp last year she proposed a much more modest fine reportedly in the region of between €30 to €50 million. Eight other EU watchdogs rejected that proposal as being too low. The issue was referred to the European Data Protection Board, which oversees interactions between EU member states and the GDPR. It made a binding ruling in July. The Irish Commission must now enforce the ruling.
*In contentious business, a solicitor may not calculate fees or other charges as a percentage or proportion of any award or settlement.*