Social media giant Meta has been again fined by the EU for breaking the bloc’s General Data Protection Regulation (GDPR) rules – this time, on its WhatsApp instant messaging service. Critics say it’s not enough.
Meta will have to pay €5.5 million ($5.9 million), the Irish Data Protection Commission (DPC), where the company has its EU headquarters, announced on Thursday.
The fine is related to intentionally designed pop-up messages that Meta used to show to WhatsApp users in recent years. These prompts were urging people to accept Meta’s new Terms of Service or else be unable to access WhatsApp.
The GDPR was just about to come into operation in 2018, and WhatsApp used the occasion to inform users that they had to click “agree and continue” if they wanted to use the app following the introduction of the GDPR.
The statement of the DPC now says that WhatsApp Ireland took the position that “the processing of users’ data in connection with the delivery of its service was lawful and necessary for the performance of that contract to include the provision of service improvement and security features.”
However, a complainant in Germany – a data subject – contended that the company was in fact “seeking to rely on consent to provide a lawful basis for its processing of users’ data.” In other words, WhatsApp Ireland was “forcing” users to consent to the processing of personal data and, thus, breaching the GDP.
The DPC said in its decision that Meta relied on an incorrect legal basis "for its processing of personal data for the purposes of service improvement and security.” The company was also found to have acted “in breach of its obligations in relation to transparency.”
The watchdog also directed WhatsApp to bring its data processing operations into compliance within six months. According to Reuters, a spokesperson for WhatsApp said it intended to appeal the decision and that it strongly believed that the way its service operates is both technically and legally compliant.
What’s more, not only WhatsApp is unhappy. The complainant, a privacy group NOYB, on Thursday criticized the size of the latest fine and slammed the DPC for ignoring other issues with how WhatsApp uses data for advertising purposes.
"We are astonished how the DPC simply ignores the core of the case after a 4.5-year procedure," said NOYB founder Max Schrems who also said that the DPC “clearly” ignored the binding decision of the European Data Protection Board (EDPB).
According to NOYB, the core matter of data use for "the purposes of behavioral advertising, for marketing purposes, as well as for the provision of metrics to third parties and the exchange of data with affiliated companies " were not dealt with by the Irish DPC – despite a binding decision of the EDPB that these matters must be investigated.
Earlier this month, Meta was fined €390 million (over $400 million) for breaches of EU data privacy rules relating to Facebook and Instagram.
The DPC also fined WhatsApp €225 million ($ 244 million) in September 2021 for breaches that occurred in May 2018, the same period of time as the complaint dealt with on Thursday. According to Reuters, Meta’s fines by Ireland’s Data Privacy Commissioner (DPC) have already reached around €1 billion ($1.08 billion).
WhatsApp is in the process of appealing that fine through the Irish courts. In December 2022, the company also had to deal with a big data leak investigated by the Cybernews Research team.
More from Cybernews:
Subscribe to our newsletter