WhatsApp refines privacy to comply with Irish watchdog’s order

Messaging app provides additional information to EU users after order with €225m fine

WhatsApp said there were no changes to its processes or contractual agreements with users. File photograph: Getty
WhatsApp said there were no changes to its processes or contractual agreements with users. File photograph: Getty

Messaging platform WhatsApp has updated its privacy policy for European users after the record €225 million fine by the Irish privacy watchdog over transparency breaches under EU law.

In addition to the fine, the tech giant was ordered by the Irish Data Protection Commission – WhatsApp's lead regulator for the EU under data privacy law – to make required changes to privacy notices for its European users within three months of the ruling in August.

The regulator found that WhatsApp – owned by Meta, formerly Facebook – had failed to comply with transparency obligations under the EU's General Data Protection Regulation (GDPR), the 2018 privacy law that creates sweeping powers over tech multinationals.

WhatsApp said that while it disagrees with the decision and is appealing both the Irish watchdog’s ruling and the severity of the fine through the courts, it is required to update its privacy policy in order to comply with the regulatory decision.

READ SOME MORE

The updated privacy policy will include more information on how the company collects and uses data, including why it stores and when it deletes data, why data is shared across borders and how this is protected, and the legal basis that the company relies on for processing data.

European users will be able to see a small, dismissible, in-app banner notification at the top of their WhatsApp chat list that users can click on to learn more about the changes.

No action required

The company said that there were no changes to its processes or contractual agreements with users, and that users would not be required to agree to anything or be required to take any action in order to continue using WhatsApp.

“As ordered by the Irish Data Protection Commission, we have reorganised and added more detail to our privacy policy for people in the European region,” said a spokeswoman for the company.

“We disagree with the decision and are appealing because we believe we already provided the required information to all our users.”

She said the update did not change its commitment to user privacy or how it operated the service, including how it processed, used or shared user data with anyone, including Meta.

“Wherever you are in the world, we protect all personal messages with end-to-end encryption, which means no one, not even WhatsApp, can read or listen to them,” she said.

Helen Dixon, the data protection commissioner, said at the time of the WhatsApp fine that there was a ‘very significant information deficit’ behind WhatsApp’s violations. Photograph: Nick Bradshaw
Helen Dixon, the data protection commissioner, said at the time of the WhatsApp fine that there was a ‘very significant information deficit’ behind WhatsApp’s violations. Photograph: Nick Bradshaw

Helen Dixon, the data protection commissioner, said at the time of the fine that there was a "very significant information deficit" behind WhatsApp's violations and that it provided only 41 per cent of the prescribed information to users of its services and none to non-users.

Fine increased

Ms Dixon had proposed a fine of €30 million-€50 million but it was increased to €225 million after objections from data regulators in other EU countries and an arbitration process.

WhatsApp disagreed that the level of information provided to people in 2018 wasn’t transparent enough and described the penalty as “disproportionate”.

It wants the regulator's decision judicially reviewed in legal proceedings before the High Court and is seeking declarations from the court including that certain provisions of the 2018 Data Protection Act are invalid and unconstitutional.

The company claims in the legal action that the fine constitutes the imposition of a criminal sanction. The fine was the largest imposed by the Irish regulator and the second-highest under EU GDPR rules. Online retailer Amazon was fined €746 million by Luxembourg's regulator in July.

Simon Carswell

Simon Carswell

Simon Carswell is News Editor of The Irish Times