Ireland’s data protection authorities have imposed a fine of 225 million euros on WhatsApp. The accusation: lack of transparency in the sharing of personal user data. WhatsApp has announced that it will appeal.
The investigation into the case began back in December 2018. WhatsApp was accused of not following the provisions of the GDPR and not making the collection and sharing of personal user data transparent. In particular, the case concerned the exchange of data between WhatsApp and other companies in the Facebook group, to which WhatsApp has also belonged since 2014.
WhatsApp and Facebook repeatedly criticized
WhatsApp has long been criticized for forwarding data to its parent company Facebook.
Back in 2017, Facebook was fined 110 million because the company had claimed in 2014 that it was not possible to merge user data from WhatsApp with other services of the Facebook group – but later did so.
A look at the current privacy policy clearly shows that data is still very much being shared:
“As part of the Facebook companies, WhatsApp receives information from other Facebook companies and also shares information with other Facebook companies […]” WhatsApp – Privacy Policy
“WhatsApp also works with and shares information with the other Facebook companies […]” WhatsApp – Privacy Policy
The purpose of this data transfer is stated in the privacy policy as promoting the security and integrity of the services or improving, operating, customizing and marketing the services.
And Facebook does read!
As far as the content of the chats is concerned, WhatsApp refers to its end-to-end encryption. This means that the message is encrypted on the sender’s device and only decrypted again on the recipient’s device. No one – not even the company itself – can view the messages, it says.
“End-to-end encryption ensures that only you and the person you’re communicating with can read or hear what’s been sent – and no one in between, not even WhatsApp.” WhatsApp – security and data protection
The investigative journalism network ProPublica describes, in a post titled “How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users”, how Facebook circumvents the promise: messages reported via the “Report” button as alleged violations of the terms of service are sent to the company unencrypted.
“WhatsApp receives the most recent messages you’ve received from the reported user or group, as well as information about your most recent interactions with that user or group.” WhatsApp – security and privacy
According to ProPublica, when a message is reported, that message and the sender’s four previous ones, including all pictures and videos, are sent to WhatsApp in unencrypted form. Employees then review these messages for the reported violations; according to ProPublica, more than a thousand of them are said to be assigned to this task.
Metadata tapped
So WhatsApp cannot read all messages in full, at least not by this route, but the reporting function is ultimately only one part of broader monitoring. In addition, users’ unencrypted data is automatically recorded and compared with suspicious account information and message patterns. This data is said to include the user’s name, profile picture, status message, phone number, IP address, phone ID and Facebook and Instagram accounts. This data could be linked to other content.
These accusations continue to tarnish the image of the secure messenger that the company itself likes to paint. The fact that WhatsApp, unlike Facebook and Instagram, does not publish any transparency reports disclosing the reviewing and moderating activities of its employees is also cause for criticism.
Max Schrems on the ruling
Data privacy activist Max Schrems of Noyb has spoken out about the ruling, saying his organization welcomes the Irish regulator’s initial decision. However, he also put the figure into perspective: the 225 million euros correspond to only 0.08 percent of the Facebook Group’s turnover, whereas the GDPR provides for fines of up to four percent of turnover. Moreover, the DPC first had to be forced by other European data protection authorities to increase the fine from the original 50 million euros to 225 million euros. This shows that the Irish Data Protection Authority is still extremely dysfunctional, he said.
The Irish Data Protection Commission (DPC) often plays a key role in proceedings against international tech companies that like to move their European headquarters to Ireland for tax reasons.
WhatsApp has announced appeal
WhatsApp calls the penalty “completely unreasonable” and plans to appeal. According to Schrems, this highlights another problem: “In the Irish court system, this means it will take years before the fine is actually paid.” He said he can imagine that the DPC simply won’t put too many resources into the case or will eventually “come to an agreement” with WhatsApp in Ireland. At the same time, Schrems also announced, “We’ll be watching this case closely to make sure the DPA actually implements this decision.”