WhatsApp GDPR fine fallout: EDPB actions shift enforcement landscape
On 2 September 2021, Ireland’s Data Protection Commission (DPC) announced in a press release a fine EUR 225 million against WhatsApp Ireland Ltd (hereinafter: “WhatsApp”) for failure to meet the transparency requirements of Art. 12-14 of the EU General Data Protection Regulation (GDPR). Due to the cross-border nature of WhatsApp’s data processing activities, the DPC’s draft decision issued in December 2020 was reviewed by other European data protection authorities (hereinafter: “DPAs”), as required by the cooperation and consistency mechanism of the GDPR. Eight other DPAs objected to the DPC’s draft decision. Their objections were referred to the European Data Protection Board (hereinafter: “EDPB”), after the DPC failed to reach a consensus with the objecting regulators. The objections concerned the way how the fine of the DPC’s draft decision was calculated. According to the EDPB, closer attention is to be paid to WhatsApp’s global turnover (and not only to the turnover in the European internal market), thereby more than quadrupling the final fine.
While WhatsApp already announced it will appeal the decision, several experts are of the opinion that fines against GDPR violations will be higher in future now that the EDPB has confirmed the importance of turnover. In a newly published article in Compliance Week, Neil Hodge brings together different analyses as well as assessments and concludes that organisations might need to reconsider their approach to GDPR compliance going forward.