€225mn Fine for WhatsApp GDPR Failures

Something extraordinary happened last week: the Irish data protection watchdog did something useful. The Irish Data Protection Commission (DPC), widely considered to be the most ineffective data protection authority in the European Union, imposed a hefty EUR225mn (USD268mn) fine on WhatsApp for failing to comply with several provisions of the General Data Protection Regulation (GDPR). This is the second-largest fine in the history of the EU-wide GDPR, though a long way behind the surprising EUR746mn (USD888mn) penalty recently imposed by Luxembourg on Amazon.

To give a full explanation of the GDPR infringements that WhatsApp committed would be so tedious as to bring tears to every reader’s eyes. The best summary is that all of the failings related to inadequately informing individuals of how their personal data was used by WhatsApp. WhatsApp did not meet their obligations to either their customers or to non-users. The processing of personal data of non-users occurs because users may choose to upload the phone numbers of all their contacts.

This is by far the largest fine imposed by Ireland’s DPC, whose previous record was a EUR450,000 penalty imposed on Twitter for failing to promptly declare and properly document a data breach. However, the DPC would have fined WhatsApp no more than EUR50mn (USD59mn) if the Irish had been left to choose the amount for themselves. The penalty was more than quadrupled as a result of complaints from other data protection regulators in the EU, who collectively belong to an appeals and standardization process designed to avoid inconsistent enforcement of GDPR. A DPC press release described the process that led to its decision being overruled by other regulators:

Following a lengthy and comprehensive investigation, the DPC submitted a draft decision to all Concerned Supervisory Authorities (CSAs) under Article 60 GDPR in December 2020. The DPC subsequently received objections from eight CSAs. The DPC was unable to reach consensus with the CSAs on the subject-matter of the objections and triggered the dispute resolution process (Article 65 GDPR) on 3 June 2021.

On 28 July 2021, the European Data Protection Board (EDPB) adopted a binding decision and this decision was notified to the DPC. This decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors contained in the EDPB’s decision and following this reassessment the DPC has imposed a fine of €225 million on WhatsApp.

The vagueness of so many GDPR rules is demonstrated by the enormous gulf in how different regulators interpreted the way these rules should be applied to WhatsApp. The only way you can fully understand the differences of opinion is to read the EDPB’s 89-page binding decision for this case, but it is possible to illustrate the disparate thinking of different regulators by summarizing an argument that concerned the hashing of phone numbers belonging to non-users and the sharing of the resulting hashcode with third parties.

The DPC accepted WhatsApp’s description of their ‘lossy’ hashing process, which maps an actual phone number to a shorter code that is not itself a phone number, and which is then made available to third parties. As a consequence, the DPC lowered the fine because they did not consider the resulting hashcode to be personal data. This argument might seem superficially sound, but the German data protection authority pointed out serious flaws with this interpretation of the rules.

The key point raised by the Germans was that if you can identify a specific individual from the data then it must be personal. It is wrong to look at one piece of data in isolation from other data held by the same organization when the combination reveals more about the individual than each datum would on its own. Accepting WhatsApp’s misleading description of their hashing process led the DPC to overlook the substance of the original compliance investigation, which found it is possible for third parties to indirectly identify the individual referred to by a hashcode.

The Germans even mocked the way the Irish had been manipulated by WhatsApp’s choice of words, stating that…

…hashes are inherently lossy, the existence of “lossless” hashing cannot be applied to the concept of a hash.

WhatsApp was fined for being insufficiently transparent but the transparency rules they failed to satisfy are so difficult to understand that few people would be able to assess whether they might be the victim of an infringement. That members of the public cannot protect themselves compounds the issues created by weak, inconsistent and slow enforcement of the rules by the authorities.

Complaints about WhatsApp were lodged as soon as GDPR came into effect in May 2018. It took until December 2018 before an investigation was launched into a limited subset of those complaints. Two full years passed before the DPC made a decision, then six months were spent failing to get agreement between Europe’s data protection authorities, another two months were required for the EDPB to resolve the dispute, then the DPC took another month just to do what the EDPB told them to do. WhatsApp have responded by saying they will appeal the decision, which means this case will be tied up in Irish courts for several more years yet. It would be a big surprise if WhatsApp pays a single penny in fines within eight years of their initial infringement. By then the WhatsApp decision-makers responsible for violating the rules are likely to be retired or working elsewhere.

The more Europeans struggle to implement GDPR in practice, the more it becomes apparent their data protection laws are based on a pretentious wishlist drafted by ignorant politicians who never concerned themselves with how to keep their promises in practice. This case has confirmed two especially ugly facts about GDPR. If it takes this much effort to impose the rules on unusually large and prominent businesses like WhatsApp then they will never be meaningfully applied to smaller entities. But at least citizens of other EU countries can take some small comfort from the fact that they are slightly better protected than anyone relying on the wretched, lazy and incompetent oafs at Ireland’s Data Protection Commission.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.