WhatsApp Hit with Substantial Fine for Data Security Violations

Ireland’s data watchdog has imposed a record £193 million (€225 million) fine on WhatsApp, owned by Facebook, marking the largest penalty ever issued by the Irish Data Protection Commission and the second-highest under the EU’s GDPR. Because Facebook’s EU headquarters is in Ireland, the Irish regulator is the lead authority for the tech giant in Europe.

WhatsApp, expressing disagreement with both the decision and the fine’s severity, plans to appeal. The fine stems from a 2018 investigation into WhatsApp’s transparency regarding data handling practices. The intricate issues examined included whether WhatsApp provided sufficient information to users about data processing and the clarity of its privacy policies, which have been updated multiple times. 

A spokesperson for WhatsApp emphasized the company’s commitment to a secure and private service, asserting efforts to ensure transparent and comprehensive information provision. The spokesperson deemed the penalties disproportionate, stating, “We disagree with the decision today regarding the transparency we provided to people in 2018.”  

Under GDPR rules, significant fines of up to 4% of the offending company’s global turnover are permitted. The Irish Data Protection Commission submitted its decision to other national data authorities, as mandated by GDPR. Eight countries, including Germany, France, and Italy, raised objections, citing disagreements on breached GDPR articles, fine calculations, and other issues. 

In late July, the European Data Protection Board directed the Irish DPC to adjust its findings, “reassess” the proposed fine of £26-43 million (€30-50 million), and revise its decision by proposing a higher fine amount. The developments highlight ongoing challenges in harmonizing GDPR enforcement across European jurisdictions.


Meta Faces Huge Fines After Potential Data Security Breaches

Meta, Facebook’s parent company, faces a record £1bn (€1.2bn) fine from Ireland’s Data Protection Commission (DPC) for violating GDPR. The penalty, resulting from a challenge by privacy advocate Max Schrems, requires Meta to suspend EU-to-US data transfers, with a five-month implementation period.

Additionally, the DPC demands a six-month halt to the “unlawful processing” of already transferred EU data in the US, necessitating removal from Facebook servers. Meta, planning to appeal, claims unfair targeting and vows to seek a stay on the data transfer order.

The DPC cites Meta’s use of standard contractual clauses (SCCs) as insufficient safeguards, as per a 2020 European Court of Justice ruling. The ruling doesn’t affect Instagram and WhatsApp data transfers. Meta warns of potential disruptions in EU services without SCCs or alternatives. Despite a promised grace period, the company’s recent quarterly results hint at service limitations in Europe.

Meta’s net income reached $23.2bn last year; shares rose 2.2%, valuing the company at over $640bn. The DPC decision follows a disagreement with other EU regulators, prompting the European Data Protection Board to intervene. Legal experts suggest an appeal might not fully overturn the decision, emphasizing the US government’s access to EU personal data under national security. The fine aims to deter businesses from mishandling international data transfers. The UK’s Information Commissioner’s Office acknowledges the decision, intending to review details in due course.


Amazon Faces Record Data Processing Fine

Amazon is facing a substantial £636 million ($886.6 million) fine from Luxembourg’s National Commission for Data Protection, alleging the tech giant’s breach of European Union data protection laws. The fine, issued on July 16 according to a US Securities and Exchange Commission filing, claims Amazon’s processing of personal data did not comply with EU law.

In response, Amazon dismissed the fine as “without merit” and asserted its intention to vigorously defend itself against the allegations. The company emphasized that there was no data breach and expressed strong disagreement with the ruling, stating its plan to appeal.

This fine marks the largest under the EU’s General Data Protection Regulation (GDPR) since its inception in 2018, highlighting increased regulatory scrutiny on major tech companies over privacy and misinformation concerns. The Wall Street Journal previously reported in June that Amazon could face a fine exceeding £380 million ($425 million) under the EU’s privacy law.

While Amazon is not the first large company to face GDPR penalties, this fine is notably substantial. The GDPR imposes strict limits on the use, storage, and processing of sensitive data. Previous fines for breaches by companies like Google, British Airways, H&M, and Marriott Hotels were in the tens of millions, making Amazon’s penalty stand out. 

The details of Amazon’s infringement leading to the severe penalty remain undisclosed. The gravity, duration, and character of the breach factor into penalty decisions by national authorities. Amazon’s response underscores its disagreement with the Luxembourg authority’s decision and its commitment to challenge the fine. 

Amazon, among other US tech giants, has faced accusations of “monopoly power,” leading to calls for regulatory intervention. Previous concerns centered around Amazon’s access to and use of data, including sensitive commercial information on third-party products. The European Commission charged Amazon in November with abusing its dominant position in online retail. In May, Amazon successfully overturned a European Commission order to repay £250 million ($320-340 million) in back taxes to Luxembourg, alleging unfair special treatment.