A spokesperson for the messaging platform, which is already challenging a separate €225 million fine imposed for GDPR breaches in 2021, said: “We disagree with the decision and we intend to appeal.”

The DPC initially accepted WhatsApp Ireland’s argument that the processing was necessary for the performance of a contract, namely the terms of service users are required to accept, but its decision was overturned by the European Data Protection Board (EDPB) last month.

Similar decisions in separate DPC inquiries into Facebook and Instagram — which, like WhatsApp, are owned by Meta — were also overturned by the EDPB last month, leading to the DPC imposing hefty fines earlier this month.

The inquiry into WhatsApp concerned a 2018 complaint by a German data subject who contended that, contrary to its stated position, WhatsApp Ireland was in fact seeking to rely on consent to provide a lawful basis for its processing of users’ data.

The complainant argued that, by making the accessibility of its services conditional on users accepting the updated terms of service, WhatsApp Ireland was in fact “forcing” them to consent to the processing of their personal data for service improvement and security. The complainant argued that this was in breach of the GDPR.

In its draft decision, the DPC considered whether, in principle, the GDPR precluded WhatsApp Ireland’s reliance on the contract legal basis it asserted and concluded it was not precluded.

However, six other data protection agencies raised objections and took the view that WhatsApp Ireland should not be permitted to rely on the contract legal basis on the basis that the delivery of service improvement and security could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.

The matter was referred to the EDPB, which took a different view to the DPC on the legal basis question, finding that, as a matter of principle, WhatsApp Ireland was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security.

The DPC last week handed down its final decision, in which it imposed a €5.5 million fine on WhatsApp and directed it to bring its data processing operations into compliance within a period of six months. This is the decision which WhatsApp has said it will now appeal.

The EDPB has separately directed the DPC to conduct fresh investigations of all WhatsApp data processing operations, a decision which the DPC has said it will challenge in the European courts on jurisdictional grounds.

The DPC reiterated, as it already said earlier this month, that it does not believe the EDPB has “a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation”.

“To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the European Union in order to seek the setting aside of the EDPB’s direction,” it said.