Facebook’s WhatsApp messaging service was fined nearly $270-million by Irish authorities Thursday for not being transparent about how it uses data collected from people on the service, in a case that represents a big test of Europe’s ability to enforce its landmark data privacy law.
The 265-page decision is the first major ruling against Facebook under the European Union’s far-reaching General Data Protection Regulation, or GDPR, a three-year-old law that many have criticized for not being properly enforced. Irish regulators said WhatsApp was not clear with users about how data was shared with other Facebook properties like its main social network and Instagram.
WhatsApp said it would appeal the decision, setting up what is expected to be a lengthy legal battle.
The GDPR was heralded as the world’s most comprehensive data privacy law when it was enacted, and championed as a model for the rest of the world to counter the data-hoarding practices of Facebook, Google and other internet giants. But the law has resulted in few fines or penalties, and many have said it has not fulfilled its promise.
Regulators in Ireland have been at the centre of the debate. Under the law, companies must be regulated by the countries where they have their European headquarters. The European offices of Facebook, Google, Twitter, Apple and scores of other companies are based in Ireland because of its low corporate tax rates and other benefits.
But that has put tremendous pressure on Ireland’s Data Protection Commission, an underfunded and much-criticized agency that has been tasked with enforcing a novel and complex data-protection law against some of the largest companies in the world.
In July, lawmakers in Ireland’s Parliament issued a scathing report, saying the Irish regulator “fails to adequately protect the fundamental rights of citizens” because of its lack of enforcement.
“GDPR enforcement against Big Tech has been paralyzed by Ireland’s failure to deliver,” said Johnny Ryan, a privacy activist and senior fellow at the Irish Council for Civil Liberties.
The challenge of enforcing the GDPR is being closely watched as EU officials debate new regulations for other areas of the technology industry, including stricter antitrust and content moderation policies. Critics contend that the GDPR shows that although the EU has drafted strong digital policies, it has struggled to enact them well.
The fine of €225-million, a fraction of Facebook’s annual profit, was the largest issued by Irish regulators against a tech giant under the law. In December, Ireland fined Twitter €450,000 related to a data breach. The ruling said WhatsApp did not meet its “transparency obligations” to clearly disclose how data from users would be used by Facebook for its other services.
The decision requires WhatsApp to update its privacy policy and make other changes to make people more aware of how data will be used.
The WhatsApp case has generated considerable debate among EU countries about the appropriate level of enforcement under the region’s data protection rules. Officials in other countries in the 27-nation bloc have criticized Ireland for not acting more quickly against large tech platforms.
Other countries pushed Ireland to increase its initial proposed fine, which had been set at only up to €50-million. That sum was raised to €225-million after other national regulators used a board created by the law to co-ordinate enforcement and adjudicate disputes to push for a larger penalty.
Max Schrems, an Austrian lawyer and privacy activist who has filed several complaints with authorities in Ireland against Facebook, welcomed Thursday’s decision but said the fine by the Data Protection Commission was still too small. The GDPR allows fines of up to 4 per cent of global revenue. He said there were scores of other cases waiting to be addressed.
“This shows how the DPC is still extremely dysfunctional,” said Schrems, who now runs a privacy advocacy group called Noyb.
WhatsApp, which Facebook purchased in 2014, criticized Ireland’s decision, saying it has updated its privacy policy to be more comprehensive.
“WhatsApp is committed to providing a secure and private service,” Joshua Breckman, a spokesman for WhatsApp, said in a statement. “We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”
Other tech companies have also been targeted under GDPR, although critics say the punishments are relatively small and unlikely to result in meaningful changes in behaviour.
In July, Amazon was fined nearly €750-million for violations related to its advertising practices by Luxembourg’s privacy regulator. In 2019, Google was fined €50-million by French authorities for not getting adequate permission from uses for certain online advertising.
Be smart with your money. Get the latest investing insights delivered right to your inbox three times a week, with the Globe Investor newsletter. Sign up today.