Skip to main content
Canada’s most-awarded newsroom for a reason
Enjoy unlimited digital access
$1.99
per week
for 24 weeks
Canada’s most-awarded newsroom for a reason
$1.99
per week
for 24 weeks
// //

Facebook’s WhatsApp messaging service was fined nearly $270-million by Irish authorities Thursday for not being transparent about how it uses data collected from people on the service, in a case that represents a big test of Europe’s ability to enforce its landmark data privacy law.

The 265-page decision is the first major ruling against Facebook under the European Union’s far-reaching General Data Protection Regulation, or GDPR, a three-year-old law that many have criticized for not being properly enforced. Irish regulators said WhatsApp was not clear with users about how data was shared with other Facebook properties like its main social network and Instagram.

WhatsApp said it would appeal the decision, setting up what is expected to be a lengthy legal battle.

Story continues below advertisement

The GDPR was heralded as the world’s most comprehensive data privacy law when it was enacted, and championed as a model for the rest of the world to counter the data-hoarding practices of Facebook, Google and other internet giants. But the law has resulted in few fines or penalties, and many have said it has not fulfilled its promise.

Regulators in Ireland have been at the centre of the debate. Under the law, companies must be regulated by the countries where they have their European headquarters. The European offices of Facebook, Google, Twitter, Apple and scores of other companies are based in Ireland because of its low corporate tax rates and other benefits.

But that has put tremendous pressure on Ireland’s Data Protection Commission, an underfunded and much-criticized agency that has been tasked with enforcing a novel and complex data-protection law against some of the largest companies in the world.

In July, lawmakers in Ireland’s Parliament issued a scathing report, saying the Irish regulator “fails to adequately protect the fundamental rights of citizens” because of its lack of enforcement.

“GDPR enforcement against Big Tech has been paralyzed by Ireland’s failure to deliver,” said Johnny Ryan, a privacy activist and senior fellow at the Irish Council for Civil Liberties.

The challenge of enforcing the GDPR is being closely watched as EU officials debate new regulations for other areas of the technology industry, including stricter antitrust and content moderation policies. Critics contend that the GDPR shows that although the EU has drafted strong digital policies, it has struggled to enact them well.

The fine of €225-million, a fraction of Facebook’s annual profit, was the largest issued by Irish regulators against a tech giant under the law. In December, Ireland fined Twitter €450,000 related to a data breach. The ruling said WhatsApp did not meet its “transparency obligations” to clearly disclose how data from users would be used by Facebook for its other services.

Story continues below advertisement

The decision requires WhatsApp to update its privacy policy and make other changes to make people more aware of how data will be used.

The WhatsApp case has generated considerable debate among EU countries about the appropriate level of enforcement under the region’s data protection rules. Officials in other countries in the 27-nation bloc have criticized Ireland for not acting more quickly against large tech platforms.

Other countries pushed Ireland to increase its initial proposed fine, which had been set at only up to €50-million. That sum was raised to €225-million after other national regulators used a board created by the law to co-ordinate enforcement and adjudicate disputes to push for a larger penalty.

Max Schrems, an Austrian lawyer and privacy activist who has filed several complaints with authorities in Ireland against Facebook, welcomed Thursday’s decision but said the fine by the Data Protection Commission was still too small. The GDPR allows fines of up to 4 per cent of global revenue. He said there were scores of other cases waiting to be addressed.

“This shows how the DPC is still extremely dysfunctional,” said Schrems, who now runs a privacy advocacy group called Noyb.

WhatsApp, which Facebook purchased in 2014, criticized Ireland’s decision, saying it has updated its privacy policy to be more comprehensive.

Story continues below advertisement

“WhatsApp is committed to providing a secure and private service,” Joshua Breckman, a spokesman for WhatsApp, said in a statement. “We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”

Other tech companies have also been targeted under GDPR, although critics say the punishments are relatively small and unlikely to result in meaningful changes in behaviour.

In July, Amazon was fined nearly €750-million for violations related to its advertising practices by Luxembourg’s privacy regulator. In 2019, Google was fined €50-million by French authorities for not getting adequate permission from uses for certain online advertising.

Be smart with your money. Get the latest investing insights delivered right to your inbox three times a week, with the Globe Investor newsletter. Sign up today.

Your Globe

Build your personal news feed

  1. Follow topics and authors relevant to your reading interests.
  2. Check your Following feed daily, and never miss an article. Access your Following feed from your account menu at the top right corner of every page.

Follow topics related to this article:

View more suggestions in Following Read more about following topics and authors
Report an error
Tickers mentioned in this story
Due to technical reasons, we have temporarily removed commenting from our articles. We hope to have this fixed soon. Thank you for your patience. If you are looking to give feedback on our new site, please send it along to feedback@globeandmail.com. If you want to write a letter to the editor, please forward to letters@globeandmail.com.

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff. Non-subscribers can read and sort comments but will not be able to engage with them in any way. Click here to subscribe.

If you would like to write a letter to the editor, please forward it to letters@globeandmail.com. Readers can also interact with The Globe on Facebook and Twitter .

Welcome to The Globe and Mail’s comment community. This is a space where subscribers can engage with each other and Globe staff.

We aim to create a safe and valuable space for discussion and debate. That means:

  • Treat others as you wish to be treated
  • Criticize ideas, not people
  • Stay on topic
  • Avoid the use of toxic and offensive language
  • Flag bad behaviour

If you do not see your comment posted immediately, it is being reviewed by the moderation team and may appear shortly, generally within an hour.

We aim to have all comments reviewed in a timely manner.

Comments that violate our community guidelines will not be posted.

UPDATED: Read our community guidelines here

Discussion loading ...

To view this site properly, enable cookies in your browser. Read our privacy policy to learn more.
How to enable cookies