Ireland’s Data Protection Commission fined Facebook-owned messenger WhatsApp for $225 million for failing to provide users enough information about the data it shared with other Facebook companies.
The fine is the largest penalty that the Irish regulator has waged since the European Union data protection law, the General Data Protection Regulation, or GDPR, went into effect in 2018.
The watchdog, which kicked off its probe in 2018, ruled that Facebook failed to fully explain what “legitimate interests” the company used personal data for or how that data was processed. In addition to the fine, the ruling requires WhatsApp to take “corrective measures” in order to come into compliance with GDPR.
WhatsApp plans to appeal the fine, according to a spokesperson.
“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” the spokesperson wrote in an email to CyberScoop. “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”
Facebook is also facing a lawsuit from privacy activist Max Schrems under GDPR for its handling of targeted ads. The case was referred to the European Union’s highest court in July for a ruling.
Facebook isn’t the only major technology company to get slapped by the law. France’s data protection watchdog fined Google $57 million in 2019 for making it difficult for new Android users to understand how their data is processed. Luxembourg fined Amazon for a record-breaking $887 million in July for using customer data to manipulate their behavior.
Both Google and Amazon appealed the rulings. Google lost its appeal.