WhatsApp hit with giant €225 million (~$267M) million GDPR fine

Ireland's data protection agency has announced today a €225 million ($267 million) fine against Facebook's WhatsApp for failing to comply with the European Union's General Data Protection Regulation (GDPR).

The fine represents the second-largest GDPR penalty after Amazon was fined €746 million ($887 million) in Luxembourg at the end of July.

According to the Irish Data Protection Commission (DPC), WhatsApp was fined for failing to properly inform users how their WhatsApp data would be used by Facebook, the app's parent company.

The investigation into WhatsApp's GDPR violations began in December 2018 in Ireland, where Facebook's European headquarters are based.

Following a first investigation, Irish officials wanted to fine WhatsApp €50 million, but the initial fine was vetoed by other data protection agencies part of the European Data Protection Board (EDPB), the EU privacy watchdog, who forced the Irish regulator to assess other GDPR violations, resulting in the larger fine announced today.

The DPC's subsequent investigation found that WhatsApp broke four GDPR articles:

• Article 5(1)(a) of the GDPR, for which it received a fine of €90 million; 
• Article 12 of the GDPR, for which it received a fine of €30 million; 
• Article 13 of the GDPR, for which it received a fine of €30 million; 
• Article 14 of the GDPR, for which it received a fine of €75 million.

See below for a breakdown, per the DPC and EDPB investigation report [PDF]:

In a canned statement, WhatsApp said the fine reflected the status of its service in 2018, not 2021, and planned to appeal.