In Ireland, France and the European Union as a whole, the issue of data protection is important and it is regulated by the General Data Protection Regulation (GDPR). The Data Protection Commission, Ireland's equivalent of the National Commission for Information Technology and Civil Liberties or CNIL, has singled out the WhatsApp app and handed it a record penalty. The Facebook subsidiary will have to pay 225 million euros.
The Irish data protection commission considers on WhatsApp did not comply with the RGPD
It was in December 2018 that the investigation into Whatsapp was opened, only a few months after the RGPD came into force in the EU in May 2018. It was more than two and a half years later that a decision was made by the Data Protection Commission (DPC). A verdict that took a long time to arrive as the various data protection authorities could not agree on the penalty to be imposed. In December 2020, the DPC had provided a draft decision as suggested in Article 60 on cooperation between the lead supervisory authority and other relevant supervisory authorities. Eight authorities had vetoed the initial sanction of €50 million which was considered far too low. In the end, it was the European Data Protection Board (EDPB) that asked the CPD to reconsider. The DPC thus retained four violations of the GDPR:- Article 5: Principles on the processing of personal data
- Article 12: Transparency of information and communications and arrangements for exercising the rights of the data subject
- Article 13: Information to be provided where personal data are collected from the data subject
- Article 14: Information to be provided where the personal data have not been obtained from the data subject