“And following this reassessment the DPC has imposed a fine of € 225 million ($ 267 million) on WhatsApp,” the commission said, by far the largest penalty it has ever issued to a company, dwarfing the 450,000-euro fine imposed on Twitter last year.
As Ireland hosts the regional headquarters of a number of major tech players such as Apple, Google and Twitter, the DPC has been largely responsible for policing adherence to the EU’s landmark General Data Protection Regulation (GDPR) charter.
But Ireland has come under pressure for not taking a firm enough line against tech giants, who are generally understood to be drawn to the country by its low corporate tax rate of 12.5%.
WhatsApp said it would appeal the decision. “We disagree with the decision today,” it said in a statement, calling the penalties “entirely disproportionate.”
The DPC launched the WhatsApp probe in December 2018 to examine whether the messaging app “discharged its GDPR transparency obligations” with regard to telling users how their data would be processed between WhatsApp and other Facebook companies.
In an initial finding submitted to other European regulators for approval last December, the DPC proposed imposing a fine of between € 30 million and € 50 million, but a number of national regulators rejected the figure, triggering the launch of a dispute resolution process in June.
The EDPB said that the fine had to “reflect a significant level of non-compliance which impact on all of the processing carried out by WhatsApp” in Ireland.
The fine had to be “effective, dissuasive and proportionate,” it said.
Hailed as a potent weapon to bring tech titans to heel, the GDPR endowed national watchdogs with cross-border powers and the possibility to impose sizeable fines for data misuse.