Following an investigation, Ireland’s Data Protection Commission (DPC) has fined WhatsApp €5.5 million ($5.95 million) for violating the General Data Protection Regulation (GDPR).
The privacy watchdog gave the Meta-owned platform six months to comply with European Union data processing laws or get another fine.
The ruling follows up on a 2018 complaint from a German citizen about a potential GDPR violation. On May 25, 2018, when the GDPR came into effect, WhatsApp updated its Terms of Service and prompted all EU-based users to accept them.
The complaint claimed that European users had to agree with the changes to access the interface. In other words, it alleged that WhatsApp constrained access to its platform by forcing users to consent to data processing, which violates the GDPR.
The regulation’s Article 7 Recital 32 states that consent “should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”
It adds that “the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
DPC’s investigation concluded that WhatsApp Ireland didn’t violate Article 7, as the service didn’t rely on user consent for operational purposes nor did the service use it as a lawful basis for data processing. Furthermore, the commission ruled that the company violated Articles 12 and 13 of the GDPR for not giving exact reasons or legal basis for processing user data.
According to BleepingComputer, WhatsApp plans to appeal the decision. The company said its service is technically and legally compliant and needs the highly-disputed user data for security and to improve its service.