Facebook has been fined for not being transparent about how it uses data collected from its WhatsApp messaging service, a case that challenges the European Union’s data privacy laws.
Facebook faces its first major ruling under the EU’s General Data Protection Regulation, which some say has not been properly enforced over the past three years. According to a report by the Irish regulators, WhatsApp did not clearly communicate to its users how their data was shared with other Facebook products, including Facebook’s main social network and Instagram.
In response to the decision, WhatsApp announced that it will appeal, setting up what is likely to be a lengthy legal dispute.
When enacted, the General Data Privacy Regulations were hailed as the most comprehensive data privacy regulations in the world. Furthermore, it was praised as a way to counter the data hoarding practices of major internet companies like Facebook and Google. Yet few fines or penalties have resulted from the law, and many say it hasn’t made good on its promise.
This debate has focused largely on Ireland’s regulators. Companies with European headquarters are required to be regulated by the law of the country where they are incorporated. There are many companies that are based in Ireland, such as Facebook, Google, Twitter, Apple, among others, so they are able to take advantage of its low corporate tax rates.
Due to this, Ireland’s Data Protection Commission — a highly criticised and underfunded agency, which has been tasked with enforcing data protection laws against some of the biggest companies in the world — has been under huge pressure.
Parliamentarians in Ireland wrote a scathing report in July, accusing the regulator of failing to protect citizens’ fundamental rights due to its lack of enforcement.
While European officials debate new rules for other sectors of the technology industry, such as stricter antitrust policies and content moderation policies, the challenge of enforcing the GDPR is being closely watched. However, according to critics, despite adopting strong digital policies, the European Union has had difficulty enacting them.
The 225 million euros fine, a fraction of Facebook’s annual profit, is the largest fine imposed by Irish regulators against a tech giant according to the law; in December, Twitter was fined 450,000 euros for a data breach. According to the ruling, WhatsApp failed to meet its “transparency obligations” to make clear how its users’ data would be used by Facebook for its other products.
WhatsApp is also required to update its privacy policy and make other changes to give people more information about how their information will be used.
Several European Union countries have been discussing the level of enforcement of EU data protection rules in the wake of the WhatsApp case. Several EU member states have criticised Ireland for not taking action faster against large tech companies.
Ireland was pushed by other countries to increase its initial proposed fine of 50 million euros. The penalty was increased to 225 million euros after other national regulators used the law’s board of enforcement and dispute settlement to push for a larger fine.
A representative of WhatsApp, which Facebook purchased in 2014, condemned Ireland’s decision, arguing that it has revised its privacy policy to be more comprehensive.
G.D.P.R. has also targeted other tech companies, although critics say the resulting punishments are relatively small and unlikely to change behaviour.
As a result of privacy violations related to its advertising practices, Luxembourg’s privacy regulator fined Amazon nearly 750 million euros in July. The French government fined Google 50 million euros in 2019 for not getting adequate permission from users for some online advertising.
