Facebook-owned WhatsApp has been fined a record 225 million euros ($267 million) by Ireland’s data watchdog for breaching EU data privacy rules.
Ireland’s Data Protection Commission said Thursday that WhatsApp did not tell citizens in the European Union enough about what it does with their data.
The regulator said WhatsApp failed to tell Europeans how their personal information is collected and used, as well as how WhatsApp shares data with Facebook.
It has ordered the platform, which is used by 2 billion people worldwide, to tweak its privacy policies and how it communicates with users so that it complies with Europe’s privacy law. As a result, WhatsApp may have to expand its privacy policy, which some users and companies have already criticized for being too long and complex.
A WhatsApp spokesperson told CNBC that the company plans to appeal the decision.
“WhatsApp is committed to providing a secure and private service,” they said. “We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so.”
“We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate,” the spokesperson added.
In an FAQ on its website, WhatsApp states that it shares phone numbers, transaction data, business interactions, mobile device information, IP addresses and other information with Facebook. It does not, however, share personal conversations, location data or call logs.
The WhatsApp fine is the largest penalty that the Irish regulator has handed out for violations of Europe’s General Data Protection Regulation, or GDPR.
GDPR requires that companies are clear and up front about how they use customer data.
The legislation — approved in April 2016 and enforced since 2018 — replaced a previous law called the Data Protection Directive and is aimed at harmonizing rules across the 28-nation EU bloc.
Some critics argue that EU regulators have been too slow to impose the law and issue penalties on Big Tech for failing to comply.
In July, Luxembourg’s data regulator fined Amazon 746 million euros for breaching GDPR rules around the use of consumer data in advertising. The Luxembourg National Commission for Data Protection said Amazon’s processing of personal data did not comply with GDPR.
Elsewhere, Google was fined 50 million euros by France’s privacy regulator, CNIL, in 2019 for GDPR ad violations. CNIL said it had levied the fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization”.
