Ireland’s data protection authority has fined WhatsApp Ireland €5.5 million for breaches of the GDPR relating to its service and told it comply with data processing laws within six months.
A complaint made by a German citizen in 2018 about WhatsApp after it asked users to click agree and continue to indicate their acceptance of the updated Terms of Service in advance of 25 May 2018, when the GDPR came into operation.
It has been claimed WhatsApp was seeking to rely on consent to provide a lawful basis for its processing of users’ data and that, by making the accessibility of its services conditional on users accepting the updated Terms of Service, the company was “forcing” the users to consent to such processing, in breach of the GDPR.
The DPC ruled that WhatsApp is not entitled to rely on the contract legal basis for the delivery of service improvement and security for the WhatsApp service and that its processing of this data to-date on the contract legal basis.
Earlier, the DPC fined Meta a combined €390 million for GDPR violations and directed to bring its data processing operations into compliance within a period of 3 months.