Regulators in the European Union penalized Facebook Inc.’s FB -1.67 percent messaging service WhatsApp 225 million euros ($266 million) for failing to adequately inform European Union citizens about what it does with personal data, ratcheting up privacy enforcement against U.S. tech giants.
On behalf of a board representing all of Ireland’s EU peers, the Data Protection Commission levied the second major EU privacy penalties against a US tech corporation in two months on Thursday. It was part of a ruling that concluded WhatsApp didn’t meet standards to notify Europeans about how their personal information is acquired and used, including how their data is shared with other Facebook businesses.
Officials handed WhatsApp three months to comply with many requirements of Europe’s privacy legislation, the General Data Protection Regulation, which regulators started implementing in mid-2018. This includes restructuring and clarifying portions of its privacy rules, as well as prominently displaying notifications to non-users that their phone numbers may be added to the app by their contacts.
WhatsApp’s representative stated that the company will file an appeal. “We disagree with today’s judgment about the openness we offered to individuals in 2018, and the fines are completely disproportionate,” said the spokesman, adding that the unit “has strived to ensure the information we give is transparent and comprehensive.”
In both the Amazon and WhatsApp situations, authorities made conclusions after conferring with their EU colleagues through a legal power-sharing framework. Other EU privacy officials pushed for the sanctions that were originally suggested to be increased in both cases, according to sources familiar with the cases.
According to sources familiar with the cases, Ireland, which oversees EU privacy enforcement for Facebook since its European headquarters are in Dublin, recommended a punishment of up to 50 million euros in the WhatsApp case to cover multiple infringements. Ireland, however, initiated a GDPR dispute-resolution procedure in response to concerns from eight other EU nations’ watchdogs. According to the Irish regulator, a board of all EU privacy authorities voted in late July to instruct the Irish regulator to compute a larger punishment.
Ireland, which also oversees GDPR compliance for U.S. tech giants like as Google and Apple Inc., has come under fire from campaigners and even some EU authorities for not issuing more rulings. The authority has only issued a final verdict in one case against a big digital corporation before Thursday’s ruling, fining Twitter Inc. 450,000 euros in December.
In response to the criticism, Helen Dixon, the head of Ireland’s privacy authority, said the technology matters are complicated and must be handled properly or risk being thrown out in court later. The regulator also mentioned that many additional cases involving big U.S. internet firms are reaching draft conclusions in Ireland.