WhatsApp Ireland Ltd. – €5,500,000 Fine (Ireland, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
WhatsApp Ireland was fined EUR 5.5 million for not being clear about how they use people's data. They updated their terms of service and made users agree to them to keep using the app, but didn't explain the legal reasons for processing data. This matters because businesses must be transparent about data use under GDPR.
What happened
WhatsApp updated its terms of service and required users to agree without clearly explaining the legal basis for data processing.
Who was affected
WhatsApp users who had to agree to new terms without clear information on data processing.
What the authority found
The Irish Data Protection Commission found that WhatsApp violated GDPR by not clearly explaining the purpose and legal basis for processing personal data.
Why this matters
This case highlights the importance of transparency in data processing under GDPR. Companies must clearly inform users about why and how their data is used, or they risk significant fines.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The Irish DPA (DPC) has fined WhatsApp Ireland Ltd. EUR 5.5 million. The Austrian organization 'None of Your Business' (NOYB) had filed a complaint with the DPA on behalf of an individual. WhatsApp had updated its terms of service shortly before the GDPR came into force. In its new terms of service, WhatsApp informed its users to click 'Agree and Continue' to indicate their agreement with the new terms of service. This was required for further access to the services. WhatsApp assumed that the acceptance of the updated terms of use constituted a contract between WhatsApp and the user, since the processing of the data would be necessary for the provision as well as the improvement of the services. According to WhatsApp, the data processing was therefore lawful pursuant to Art. 6 (1) b) GDPR. However, the complainant argued that WhatsApp was actually trying to rely on consent as a legal basis for processing users' data. By making the access to its services conditional on users' consent to the updated terms of service, WhatsApp was forcing users to consent to the processing of their personal data. Following the investigation, the DPC submitted a draft decision under Art. 60 GDPR to other European supervisory authorities concerned. The DPC found that WhatsApp did not rely on user consent as a legal basis, and did not consider 'coerced consent' in this case. It also did not rule out the possibility that WhatsApp relied on a contractual legal basis. In response, the DPC received objections from different supervisory authorities. However, the DPC found that WhatsApp had breached its transparency obligations under the GDPR, by not clearly explaining to users for what purpose and on what legal basis their personal data would be processed. As no agreement could be reached on the disputed points, the DPC initiated a dispute resolution procedure pursuant to Art. 65 GDPR. In its decision, the EDPB confirmed the violation of transparency obligations by WhatsApp. However, the EDPB
Related Enforcement Actions (1)
Other enforcement actions involving WhatsApp Ireland Ltd. in IE
Details
Fine Date
19 January 2023
Authority
Data Protection Commission
Fine Amount
€5,500,000
Enforcement Tracker ID
ETid-1578
About this data
Cite as: Cookie Fines. WhatsApp Ireland Ltd. - Ireland (2023). Retrieved from cookiefines.eu
Last updated: