WHATSAPP IN THE SOUP
Two and two make four, right? Correct, but not for WhatsApp. The multi-media sharing and communication platform owned by Facebook has been hit with two data protection violation fines within a day of each other. Let’s find out exactly how WhatsApp landed in the soup.
FIRST THE GDPR
WhatsApp has been on the radar of Ireland’s Data Protection Commission (DPC) since the inception of the GDPR on 25 May 2018. The DPC is the lead data privacy regulator for Facebook within the European Union and claimed that WhatsApp had failed to conform to the GDPR transparency rules when the regulation came into effect. Fast forward to 2 September this year, and the DPC alleged that the Facebook subsidiary had failed to provide the necessary data protection information to its users and did not meet ‘transparency’ obligations. As such, a fine of $267 million (€225 million) was imposed on WhatsApp for breaking EU GDPR rules on user privacy. WhatsApp retorted by saying that the fine was “entirely disproportionate” and that it would appeal.
BREAKING DOWN THE FINE
Without going into the details of GDPR legislation, here are the four reasons why WhatsApp was handed down this massive €225 million fine:
- €90 million because it did not process personal data in a lawful, fair and transparent manner
- €30 million because it did not provide information to users on how data is collected in a transparent, intelligible, and easily accessible format, including that which could be easily understood by a child
- €30 million because it did not appropriately inform users where their data was stored, for what purposes it was collected and who received it
- €75 million because it failed to inform users when their personal data was obtained and processed from third parties and where this data came from
THE SECOND-BIGGEST FINE
WhatsApp’s GDPR fine is the second biggest to date but it pales in comparison to the one received by Amazon just over a month ago. In late July, Luxembourg’s National Commission for Data Protection (CNPD) punished the e-commerce giant with the biggest GDPR fine ever, a jaw-dropping $887 million penalty, for allegedly targeting customers with unsolicited relevant advertising.
NEXT THE KVKK
A day after the DPC fine, Turkey’s Personal Data Protection Board (KVKK) imposed a $235,000 fine on WhatsApp for not taking the necessary technical and administrative measures to prevent the unlawful processing of personal data. KVKK determined that WhatsApp had asked users for their express consent for their personal data to be transferred to third parties outside of Turkey. Failure to implement consent would result in the deletion of their accounts. Making the application’s services subject to the precondition of explicit consent is against the law on the protection of personal data in Turkey. WhatsApp has yet to comment.
WORRIED ABOUT GDPR COMPLIANCE – I CAN HELP
With Amazon’s fine of almost $1,000,000,000, it surely seems that the GDPR is turning the heat up. If you are worried about your GDPR compliance, don’t be. I have more than 20 years of experience in providing IT solutions to businesses both big and small, specializing in cybersecurity, data protection and the GDPR. Don’t risk the fine. Contact me today.