The Data Protection Commission (DPC) originally intended to fine WhatsApp between €30 million and €50 million, but was told to reassess this by the European Data Protection Board (EDPB).

The DPC’s investigation was launched in December 2018, examining whether WhatsApp had discharged its GDPR transparency obligations.

In particular, it looked at the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service, including information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.

The DPC issued a draft decision in December 2020 but was unable to secure consensus among all concerned supervisory authorities (CSAs), so the matter went to the EDPB, which adopted a binding decision on 28 July.

This EDPB’s decision contained a clear instruction that required the DPC to reassess and increase its proposed fine on the basis of a number of factors. Following this reassessment, the DPC imposed a fine of €225 million on WhatsApp.

The €225 million total comprises a fine of €90 million in respect of an infringement of Article 5(1)(a) of the GDPR; a fine of €30 million in respect of an infringement of Article 12; a fine of €30 million in respect of an infringement of Article 13; and a fine of €75 million in respect of an infringement of €75 million.

As well as the administrative fine, the DPC also imposed a reprimand along with an order for WhatsApp to bring its processing into compliance by taking a range of specified remedial actions.

Commenting on the outcome, John Magee, head of DLA Piper’s privacy, data protection and security practice in Ireland, said: “The decision was not the DPC’s alone and showed the EU’s complex consistency and dispute resolution processes at work.

“An eye-catching aspect of that process was the increase in the size of the fine from a range of €30m-€50m first proposed by the DPC. The fine highlights the importance of compliance with the GDPR’s rules on transparency in the context of users, non-users and data sharing between group entities.”