The Irish Data Protection Commission (DPC) has fined WhatsApp Ireland €5.5 million ($5.95 million) after confirming that the messaging service violated the General Data Protection Regulation (GDPR).
The authority ordered WhatsApp to bring its data processing operations into compliance within six months, on pain of a new fine.
On May 25, 2018, the DPC opened an investigation into a potential policy violation by WhatsApp following a complaint from a German data subject.
On the same day, WhatsApp updated its terms of service and invited all EU-based users to accept the changes by clicking to continue accessing the app’s main interface.
User consent ignored
The complaint submitted to the DPC argued that WhatsApp required users to accept the changes by making it a condition of continuing to use the software. Therefore, users had to consent to the processing of their personal data just to open the app.
This violates Article 7 recital 32 of the GDPR, which requires that the user’s consent be given freely, and on a specific, informed and unambiguous basis, without pressure, influence or elements introducing an imbalance in the decision of the person concerned.
After a thorough investigation, the DPC concluded the following:
- WhatsApp Ireland has not clearly defined the legal basis or explicit reasons for the processing of user data requested, which violates Articles 12 and 13 of the GDPR.
- WhatsApp Ireland did not breach Article 7 due to forced consent, as the service did not rely on user consent to provide its service or use it as a legal basis for processing the personal data of users.
The first point will not result in additional penalties as the DPC has already served large fines to WhatsApp for the same reasons.
“The DPC, having already imposed a very substantial fine of €225 million on WhatsApp Ireland for breaching this and other transparency obligations over the same period, has not proposed the imposition of a new fine or corrective action, having already done so in a previous investigation,” reads the rationale for the decision.
With regard to the second point, the DPC’s rejection of the German data subject’s allegations does not end the case, as the German supervisory authority will now also examine the complaint.
The fine of 5.5 million euros against WhatsApp Ireland is imposed due to a breach of Section 6 of the GDPR on “lawfulness of processing”, which requires transparency, lawfulness and fairness in data protection processes.
Additionally, the DPC will launch a new investigation covering all processing operations of WhatsApp in its service to determine if there are any breaches of Section 9 of the GDPR on the “processing of special categories of personal data”.
The data protection agency wants to determine whether WhatsApp collects and processes sensitive data for behavioral advertising and marketing purposes and whether this data is also shared with third parties.
WhatsApp told BleepingComputer that it plans to appeal the decision, as it believes its service is operating in a manner that complies with the law. Below is the full comment received from a WhatsApp spokesperson regarding the DPC’s decision:
WhatsApp has dominated the private messaging industry by providing end-to-end encryption and layers of privacy that keep people safe. We strongly believe that the operation of the service is both technically and legally compliant.
We rely on contractual necessity for service improvement and safety purposes because we believe that helping to keep people safe and delivering an innovative product is a fundamental responsibility in operating our service. We disagree with the decision and intend to appeal.