By Robert Bateman
WhatsApp faces a fine of up to $60.7 million for breaching EU privacy rules in a penalty that could be among the largest ever issued, but some privacy experts say that the fine still is too lenient.
The EU General Data Protection Regulation (GDPR), in effect since 2018, requires companies to clearly disclose how they share personal data.
According to news reports, the draft fine relates to WhatsApp’s alleged failure to meet these requirements when explaining how its messenger app shares data with Facebook, which acquired the company in 2014.
“The current alleged proposed penalty is around 375 minutes’ worth of revenue for Facebook,” said Alexander Hanff, CEO of the Swedish consultancy Think Privacy. “It is little more than a rounding error in the grand scheme of things.”
“It is long past time that we start to enforce our laws in a meaningful way.”
Facebook did not respond to a request for comment from Digital Privacy News.
The fine reportedly is under consultation among the EU’s data-protection authorities. Once made final, it would be issued by the Irish Data Protection Commissioner (DPC).
The penalty would mark the second time a Facebook company has been fined under the law. Facebook’s German arm was handed a $61,900 fine in February 2019 for failing to appoint a data-protection officer.
Google holds the current record for the largest GDPR fine, having received a $60.7 million penalty in January 2019 for violating the law’s transparency and consent requirements.
But for some privacy advocates, the proposed WhatsApp fine would not go far enough.
Think Privacy’s Hanff claimed that Irish DPC Helen Dixon had a history of having a “light touch” regarding GDPR enforcement.
“Helen Dixon knows full well that this level of penalty does nothing to incentivize big tech to obey the law,” Hanff told Digital Privacy News. “This is a fraction of a percent of Facebook group’s earnings in 2019.”
Facebook’s 2019 investor report shows that the company generated gross revenues of more than $70 billion. The maximum penalty available under the GDPR is 4% of worldwide turnover.
“Helen Dixon’s office should be pushing penalties to around $2.8 billion to hit that 4% threshold,” Hanff said. “Anything less is a mockery of the rule of law.”
Under GDPR’s “one-stop shop” provision, the Irish DPC takes lead responsibility for regulating several big tech firms that have their EU headquarters in Ireland.
However, the DPC long has been criticized over its enforcement of GDPR against these companies.
In December 2020, the commissioner was forced to reconsider a proposed fine against Twitter after other EU regulators intervened under the European Data Protection Board’s “consistency mechanism.”
The Irish regulator’s fine, issued after Twitter’s 2018 data breach, faced harsh criticism from data-protection authorities in Germany, Austria, Hungary and Italy — all of whom successfully argued that the amount was too low.
The differing approaches between regulators have caused concern about the consistency of data protection across the EU.
In a Jan. 14 opinion, the EU’s most senior legal officer, Michal Bobek, urged greater cooperation between EU data-protection authorities when dealing with cross-border GDPR cases.
David Erdos, senior lecturer in law and the open society at the University of Cambridge, said that GDPR’s enforcement mechanisms might not be sufficient to ensure proper regulation.
“These press reports indicate that the board’s consistency mechanism is now grappling with some serious high-impact cases involving substantive data protection and that this may lead to significant fines,” Erdos told Digital Privacy News.
“However, as Advocate General Bobek pointed out earlier this month in the ongoing case involving Facebook and the Belgian data-protection authority,” he continued, “there are serious question marks over whether the one-stop shop can properly function to secure appropriately effective and complete data protection through regulatory action.”
Further Pushback Seen
Hanff argued that the DPC’s reported WhatsApp fine could cause further tensions among EU regulators.
“I can’t see other supervisory authorities being happy with this given the size of WhatsApp and their general lack of compliance over the years,” he said.
“Expect to see pushback from Germany, France and Italy at the very least — probably Spain and Belgium as well.”
Robert Bateman is a writer in Brighton, U.K.
- Politico: WhatsApp facing up to €50M privacy fine
- Facebook: Facebook Reports Fourth Quarter and Full Year 2019 Results
- National Data Protection Commission (CNIL): The CNIL’s restricted committee imposes a financial penalty of 50 Million euros against GOOGLE LLC
- Bloomberg: Facebook’s Tiny Privacy Fine Is a ‘Warning,’ Watchdog Says
- Court of Justice of the European Union: Advocate General Bobek: the data protection authority in the State where a data controller or processor has its main EU establishment