Coming to WhatsApp, the decision made by the DPC is the conclusion of an inquiry concerning a complaint made on May 25, 2018, by a German data subject about the WhatsApp service.
Following a comprehensive investigation by the DPC, the watchdog found WhatsApp guilty to be “in breach of its obligations in relation to transparency”, as it did not provide sufficient clarity about how data processing and for what purposes this was done.
The DPC found that WhatsApp Ireland did not, in fact, rely on users’ consent as providing a lawful basis for its processing of their personal data.
WhatsApp Ireland is “not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security,” it added and said that the legal basis for the service’s data processing is in breach of EU law.
The final decision of the fine adopted by the DPC on January 12, 2023, follows the three binding decisions by the EU’s data protection regulator, the European Data Protection Board (EDPB), in early December.
Besides the fine, the EDPB has also purported to direct the DPC to conduct a fresh investigation regarding the following:
In response to the DPC’s decision made on Thursday, Meta said it will appeal against the decision and would look to overturn it.
“We strongly believe that the way the service operates is both technically and legally compliant. We rely upon the contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service,” a WhatsApp spokesperson said.
“We disagree with the decision and we intend to appeal.”
