Facebook-owned messaging platform WhatsApp will learn within a month the extent of a fine by Ireland’s privacy watchdog over an alleged breach of the EU privacy framework following a binding decision by the bloc’s data protection board.
The time frame for the long-awaited decision was laid down in a binding decision by the European Data Protection Board (EDPB), the body that oversees all EU data protection authorities, on Wednesday (28 July).
The decision addresses objections raised by a number of EU privacy watchdogs against a draft decision by the Irish Data Protection Commissioner (DPC), the competent supervisory authority given that Whatsapp has its European headquarters in Ireland.
The DPC has been investigating the messaging service over an alleged GDPR breach, notably for claims it failed to provide clear information on what data was shared with Facebook, the service provider’s parent company.
“We welcome the EDPB’s announcement of its decision and hope this leads to swift action by the Irish authority against WhatsApp for not complying with data protection rules,” said Maryant Fernández Pérez, Senior Digital Policy Officer at the European Consumer Organisation (BEUC).
A WhatsApp spokesperson stated that they “continue to cooperate with the IDPC and await its final decision.”
The DPC now has a month to finalise its decision, a draft of which was shared with counterparts across the EU in December 2020 in accordance with a GDPR procedure repeatedly criticised for causing delays. The probe was already delayed by a procedural complaint from WhatsApp.
The EU data protection agencies could not agree on a response to the draft. Several objections were raised over the type of infringements, the personal nature of the data concerned and the “appropriateness of the envisaged corrective measures.”
The DPC in turn did not agree with these objections and referred the case to the Board, which upheld the complaints, finding them “relevant and reasoned.”
“The Irish DPC’s proposed WhatsApp fine would have been by far the highest that the regulator has ever imposed. But it seems that, according to other EU data protection authorities, the penalty was still too small,” Robert Bateman, Analyst and Research Director at GRC World Forums, told EURACTIV.
Bateman sees the decision as “another blow” for the Irish authority, which has been roundly criticised several times by its peers for the slow pace of its investigations. In May, MEPs voted for a resolution calling for the opening of an infringement procedure against Ireland for failing to enforce GDPR.
Under GDPR, fines can amount to up to 4% of the companies’ annual sales. In November last year, WhatsApp was reported to be allocating €77.5 million in anticipation of a potential fine and for any potential measures related to it.
The DPC has only issued one other fine for a GDPR breach against a US tech company, Twitter, the value of which also had to be raised following opposition from fellow EU regulators.
“This incident means there is more pressure than ever on Ireland to toughen its stance on the big tech firms established within its borders,” Bateman added.
[Edited by Josie Le Blond]