In brief: Ireland's Data Protection Commission (DPC) has announced it's hitting WhatsApp with its biggest ever fine for GDPR violations. European authorities say WhatsApp hasn't been transparent enough about what information the communication app shares with other companies under the umbrella of WhatsApp's owner, Facebook.
The DPC has been investigating WhatsApp's compliance with the European Union's GDPR privacy law since 2018. This fine of €225 million (around $267 million) comes after the European Data Protection Board (EDPB) conducted its own review of the case and advised the DPC in late July on how much it should fine WhatsApp.
Reuters reports that privacy activist Max Schrems, who has opposed Facebook in multiple privacy cases in the past, said the DPC's original fine was just €50 million.
A WhatsApp spokesperson said the company disagrees with the decision and thinks the penalty is disproportionate. WhatsApp plans to appeal.
After the DPC's investigation determined that WhatsApp's transparency about what it was doing with users' information didn't meet GDPR obligations, the EDPB's investigation determined WhatsApp's infringements were more severe. "Regarding WhatsApp IE’s collection of data of non-users - when users decide to use the Contact Feature functionality - the EDPB found that in the present case, the procedure used by WhatsApp IE does not lead to anonymization [sic] of the collected personal data," the EDPB's press release states as one example.
WhatsApp's original co-founders, Brian Acton and Jan Koum, designed it to be a privacy-focused communication app. After Facebook acquired WhatsApp in 2014, Facebook wanted to collect data on WhatsApp users for targeted advertising, which led to disagreements with the co-founders. Acton and Koum eventually left. Acton then began helping to develop Signal, another privacy-focused communication app.
Earlier this year, WhatsApp announced its non-EU users would have to start sharing data with Facebook or else lose functionality. That data could include things like phone numbers, friends' phone numbers, and diagnostic data. Initially, WhatsApp even threatened to eventually delete accounts that didn't comply, but it relented.