The Irish Data Protection Authority (DPA), has issued a decision on a 2018 investigation into WhatsApps data processing. It concerned at first glance two aspects, one the uploading of WhatsApp user’s contact lists, and the retention of non-user (hashed) phone numbers, as well as the information exchange between WhatsApp and its parent company Facebook. WhatsApp argued they were not a data controller in this case, but their users were, and they were merely processing data, but that defense failed. (I think the language used by WhatsApp itself, the word ‘user’, gives away the actual locus of power quite clearly.)
The An Coimisiúm um Chosaint Sonraí, Irish Data Protection Commission, issued a fine of 225 million Euro’s. This seems right up there at the top of the potential fine range of 4% of global turnover in the last year (2020).
It is good to see the Irish DPA finally coming down with a decision. With enforcement of the GDPR starting mid 2018, a range of complaints and investigations landed on the Irish DPA’s plate, as several large tech companies maintain their EU presence in Ireland. The slow pace of the Irish DPA in handling these complaints has been itself a source of complaints. With this decision on the WhatsApp investigation there now finally is some visible movement.
Also see the earlier announcement concerning Amazon receiving a 746 million fine from the Luxembourg DPA.