The Irish Data Protection Commission (DPC) on Thursday imposed fresh fines of €5.5 million against Meta's WhatsApp for violating data protection laws when processing users' personal information.
At the heart of the ruling is an update to the messaging platform's Terms of Service that was imposed in the days leading to the enforcement of the General Data Protection Regulation (GDPR) in May 2018, requiring that users agree to the revised terms in order to continue using the service or risk losing access.
The complaint, filed by privacy non-profit NOYB, alleged that WhatsApp breached the regulation by compelling its users to "consent to the processing of their personal data for service improvement and security" by "making the accessibility of its services conditional on users accepting the updated Terms of Service."
"WhatsApp Ireland is not entitled to rely on the contract legal basis for the delivery of service improvement and security," the DPC said in a statement, adding the data collected so far amounts to a contravention of GDPR.
Aside from the fine, the messaging application has also been ordered to bring its operations into compliance within a period of six months. It's worth noting that Meta has its European headquarters in Dublin.
The DPC, however, noted it doesn't plan to investigate whether WhatsApp processes user metadata for advertising, calling it "open-ended and speculative." NOYB, in a response, criticized the authority for declining to act on it.
"WhatsApp says it's encrypted, but this is only true for the content of chats – not the metadata," NOYB's Max Schrems said. "WhatsApp still knows who you chat with most and at what time. This allows Meta to get a very close understanding of the social fabric around you."
"Meta uses this information to, for example, target ads that friends were already interested in," Schrems further added. It seems the DPC has now simply refused to decide on this matter, despite 4.5 years of investigations."
WhatsApp notably received blowback in early 2021, when it announced a similar update to its privacy policy that required users to accept the changes to continue using the service, prompting the European Commission to issue a warning, urging the company to "clearly inform" consumers of its business model.
"In particular, WhatsApp is encouraged to show how it plans to communicate any future updates to its terms of service, and to do so in a way that consumers can easily understand the implications of such updates and freely decide they want to continue using WhatsApp after these updates," the Commission said in June 2022.
On top of that, WhatsApp has previously attracted scrutiny for taking a U-turn on its data sharing practices with parent company Meta (then Facebook) for ad targeting. In 2017, the E.U. fined the social media giant €110 million for "providing incorrect or misleading information" during its probe into the merger following the acquisition of WhatsApp in 2014.
The latest penalty comes two weeks after the DPC fined Meta €390 million over its handling of user data for serving personalized ads in Facebook and Instagram, giving the company three months to find a valid legal basis for processing personal data for behavioral advertising.
NOYB, for its part, has written to the European Data Protection Board (EDPB), stating that the watchdog "turned a blind eye on the revenue generated from violating the GDPR when calculating its fine," and that "the DPC's maneuver saved Meta almost €4 billion."