How Ground-Breaking is WhatsApp's Fine?

“WhatsApp is great for protecting the privacy of your message content,” says Johns Hopkins University cryptographer, Matthew Green, “But it feels like the privacy of everything else you do is up for grabs.”

WhatsApp’s fine of €225m (£193m) is the largest fine ever from the Irish Data Protection Commission (DPC) and the second-highest under EU GDPR rules. Facebook, which owns WhatsApp, has its EU headquarters in Ireland, and the DPC is the lead authority for the tech giant in Europe. 

The fine relates to an investigation, started in 2018, into whether WhatsApp had been transparent enough about how it handles information. Investigators focused solely on how much clear information the messaging app supplies to users and non-users. The investigation did not look at the data-sharing practices, just the practices’ transparency.

Article 12 of the GDPR requires businesses to be transparent about how personal data is processed.

The Facts

In 2014, WhatsApp became a “standalone” app owned by Facebook, with its end-to-end encryption being its unique selling point (USP). The privacy policy, introduced in 2016, allowed WhatsApp to share user information and metadata with Facebook. The messaging service also offered its then-billion existing users 30 days to opt out of some sharing.

The billion-plus users WhatsApp added since 2016, including anyone who missed that opt-out window, have had their data shared with Facebook. However, the DPC has questioned how aware these users are of this.

What Does This Mean? 

  1. The obvious point is the size of the fine (€225m) and the target. Many have concluded that the European regulators have been cautious in fining and confronting big tech and that, without the fines, the GDPR remains aspirational.
  2. The DPC was pressured by the European Data Protection Board (EDPB) to increase the sanction. The original proposed fine by the DPC was €50m. This raises the question: is a pan-European stance emerging?
  3. The counter view is best expressed by the long-time European privacy campaigner Max Schrems: “We welcome the first decision by the Irish regulator. However, the DPC gets about ten thousand complaints per year since 2018 and this is the first major fine. The DPC also proposed an initial €50m fine and was forced by the other European data protection authorities to move towards €225m, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover. This shows how the DPC is still extremely dysfunctional.”
  4. The privacy policy regarding data sharing with Facebook states: “Personal Data to operate, provide, improve, understand, customize, support, and market our services.” In practice, this extended to Facebook receiving account information. This includes phone numbers, logs of how long and how often a user uses WhatsApp, information about how users interact with other users and device identifiers. Other information includes device details like IP address, operating system, browser details, battery health information, app version, mobile network, language and time zone. Personal data is defined in the GDPR as (and this is a summary of the more extended definition): “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).”

Therefore, to what extent is this data personal data — in particular, note the inclusion of “device data” — and therefore subject to the jurisdiction of the GDPR?

Conclusion 

This regulatory action involves a regulator looking at a company’s procedures and policies. The action does not relate to the more typical data breach or aggressive direct marketing practices. However, the privacy policies and procedures surrounding their introduction were found wanting. 

There may have been a temptation for businesses to use a privacy policy as a “get out of jail card.” To use the service, users have to accept the policy or are shown a link to it, but in the actual policy, the company can, for example, give itself the right to transfer data to non-obvious third parties.

The takeaway here is that every privacy policy needs careful thought and must reflect the company’s actual data processing. Therefore, the policies must be bespoke and evolve with the business. The more controversial changes can be better highlighted by pop-ups or emails that draw attention to them. Those measures will better meet the transparency requirements of the GDPR than just asking consumers to agree to a long document with the changes hidden in the text.