Ireland's data protection authorities have imposed a fine of 225 million euros on WhatsApp. The accusation: lack of transparency in the disclosure of personal user data. WhatsApp has announced that it will appeal.

The investigation into this case was launched back in December 2018. WhatsApp was accused of not following the provisions of the GDPR and not making the collection and sharing of personal user data transparent. In particular, this concerned the exchange of data between WhatsApp and other companies in the Facebook Group, to which WhatsApp has also belonged since 2014.

WhatsApp and Facebook repeatedly criticized

WhatsApp has long been criticized for forwarding data to its parent company Facebook.
Back in 2017, Facebook was fined 110 million because the company claimed in 2014 that it was not possible to merge WhatsApp user data with other Facebook Group services - but later did so.

A look at the current privacy policy clearly shows that data will continue to be exchanged:

"As part of the Facebook Companies, WhatsApp receives information from other Facebook Companies and also shares information with other Facebook Companies [...]" WhatsApp - Privacy Policy

"WhatsApp also works with the other Facebook companies and shares information with them [...]" WhatsApp - Privacy Policy

The purpose of this data transfer is stated in the privacy policy as promoting the security and integrity of the services and improving, operating, adapting and marketing the services.

And Facebook is reading along!

As far as the content of the chats is concerned, WhatsApp refers to its end-to-end encryption. This means that the message is encrypted on the sender's device and only decrypted again on the recipient's device. No one - not even the company itself - can view the messages.

"End-to-end encryption ensures that only you and the person you are communicating with can read or hear what has been sent - and no one in between, not even WhatsApp" WhatsApp - Security and data protection

In an article entitled "How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users", the investigative journalist network ProPublica describes how Facebook is circumventing its promise: messages that are reported via the "Report" button as alleged violations of the terms of use are sent to the company unencrypted.

"WhatsApp will receive the latest messages you have received from the reported user or group, as well as information about your latest interactions with that user or group." WhatsApp - Security and data protection

According to ProPublica, if a message is reported, the corresponding message and the four previous messages from the sender, including all images and videos, are sent to WhatsApp in unencrypted form. Employees then check these messages for the reported violations; more than a thousand employees are said to be assigned to this task.

Metadata tapped

In this respect at least, WhatsApp cannot read all messages, but the procedure via the reporting function is ultimately only one part of a broader surveillance system. In addition, users' unencrypted data is automatically recorded and compared with suspicious account information and message patterns. This data includes the user's name, profile picture, status message, telephone number, IP address, telephone ID and Facebook and Instagram accounts. This data could be linked to other content.

Such accusations continue to tarnish the image of the secure messenger that the company itself likes to portray. The fact that WhatsApp - unlike Facebook and Instagram - does not publish corresponding transparency reports that disclose the monitoring and moderating activities of its employees is also a cause for criticism.

Max Schrems on the verdict

Data protection activist Max Schrems from Noyb has commented on the ruling, saying that his organization welcomes the first decision by the Irish supervisory authority. However, he also put the amount into perspective: the 225 million euros correspond to just 0.08 percent of the Facebook Group's turnover, while the GDPR provides for fines of up to four percent of turnover. In addition, the DPC first had to be forced by other European data protection authorities to increase the fine from the original €50 million to €225 million. In his view, this shows that the Irish data protection authority is still extremely dysfunctional.

The Irish Data Protection Commission (DPC) often plays a key role in proceedings against international tech companies that like to relocate their European headquarters to Ireland for tax reasons.

WhatsApp has announced an appeal

WhatsApp describes the fine as "completely unreasonable" and intends to appeal. According to Schrems, this highlights another problem: "In the Irish court system, this means that it will take years before the fine is actually paid." He can imagine that the DPC will simply not put too many resources into the case or will "settle" with WhatsApp in Ireland at some point. At the same time, Schrems also announced: "We will be monitoring this case closely to ensure that the DPC actually implements this decision."
