WhatsApp fined €225m for breach of data protection regulation

ARTICLE 65 PROCEDURE

The case has been handled by the European Data Protection Council (EDPB) in accordance with the procedure laid down in point (a) of Article 65(1) of the General Data Protection Regulation. This occurred because WhatsApp has users in all EU countries, and other European regulators should, therefore, have a say in the decision, including the possibility of objecting.

The Irish Data Protection Agency already sent a draft decision to other European regulators at the end of 2020, proposing to issue a €50 million fine to WhatsApp. However, a number of European supervisory authorities objected and, as the supervisory authorities could not reach an agreement, the case had to be dealt with by the EDPB under the provision mentioned above.

The decision of the EDPB

The EDPB adopted a binding decision on 28 July 2021. This decision included an instruction for the Irish Data Protection Agency to reassess and increase the proposed fine based on a number of factors mentioned in the decision.

As regards the calculation of the fine, the EDPB decided that the company’s turnover was not only relevant for the determination of the maximum amount of the fine (under Article 84(4) to (6)) but that it could also be used to calculate the fine itself to ensure that the fine is "effective, proportionate, and dissuasive", in accordance with the General Data Protection Regulation. The EDPB also found the total turnover of parent company Facebook Inc. should be used when calculating the fine.

Also, the EDPB took a position on the interpretation of Article 83(3), which concerns linked infringements of several provisions of the General Data Protection Regulation. In this respect, the EDPB has held that all infringements must be taken into account when calculating the fine, regardless of the fact that the conduct of supervision must take into account the proportionality of the fine and the maximum amount of the fine laid down in the General Data Protection Regulation.

The draft from the Irish Data Protection Agency had imposed a requirement on WhatsApp to bring their processing of personal data in line with the General Data Protection Regulation within six months, but this deadline has been changed by the EDPB to a maximum of three months.

NJORD'S COMMENTS

The decision of the EDPB follows the trend in other EU countries where very large fines are imposed for infringements of the General Data Protection Regulation. These decisions are in stark contrast to the levels of fines we have seen in Denmark up until now, both in presentations from the Danish Data Protection Agency and in the Danish courts. The first case in the series of fines – the case against IDdesign A/S (now Ilva A/S), where the fine in the district court was set at DKK 100,000 (read previous news  here)– has been appealed to the High Court but is still awaiting consideration.

If this trend in Denmark continues, there is a significant risk that in the future we will be considered a safe haven in relation to fines. This may result in companies choosing to locate in Denmark to avoid higher fines if they violate the General Data Protection Regulation.