German Whatsapp user (represented by noyb - European Centre for Digital Rights) – €5,500,000 Fine (Ireland, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Irish Data Protection Commission fined WhatsApp €5.5 million for requiring users to accept new terms and conditions to continue using the service. This was seen as 'forced consent', violating GDPR rules. The decision highlights the need for companies to ensure consent is freely given, not coerced.
What happened
WhatsApp required users to accept new terms and conditions to continue using the service, which was deemed 'forced consent'.
Who was affected
WhatsApp users who were forced to accept new terms and conditions to keep using the app.
What the authority found
The Irish Data Protection Commission found that WhatsApp's practice of requiring acceptance of new terms was 'forced consent', violating GDPR.
Why this matters
This case emphasizes that consent must be freely given and not coerced. Companies should review their consent practices to ensure compliance with GDPR, especially in terms of user agreements.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Entities Involved
In order to access Whatsapp, an online instant messaging platform ultimately owned and controlled by “Meta Platforms Inc.”, a user was required to accept a series of terms and conditions (the “Terms of Service”) and a Privacy Policy. Under the GDPR, Whatsapp IE was obliged to have a lawful basis for the processing of any personal data. Article 6(1) GDPR detailed the lawful bases upon which such data can be processed. The company was also obliged to provide detailed information to users at the time their personal data was obtained in relation to, among others, the purposes of any data processing and the legal basis for such processing. To continue to access the Whatsapp platform, all users were required to accept the updated Terms of Service and privacy policy prior to 25 May 2018, the date the GDPR became applicable. Those existing users who were not willing to accept the new terms were advised of the option to delete their Whatsapp account. A German Whatsapp user, the “data subject” and “complainant”, filed a complaint against Whatsapp IE, the controller. The complainant was represented by “noyb – European Centre for Digital Rights”, a privacy NGO based in Austria. The complainant alleged that Whatsapp IE’s data processing practices on the Whatsapp platform amounted to “forced consent”, and constituted a violation of the GDPR. The complaint, originally filed with the Hamburg DPA (HmbBfDI) and later transferred to the German Federal DPA (BfDI), advanced a number of grounds upon which the consent of the data subject could not be considered “freely given”. Firstly, there existed a clear imbalance of power between controller and data subject. This is likely to affect the voluntariness of the latter’s consent for the processing of personal data. The complaint alleged that, in this case, the controller undisputedly has a dominant market position in the area of social networking services and, in combination with the “lock in” and “network” effects, the data subject is le
Related Enforcement Actions (0)
No other enforcement actions found for German Whatsapp user (represented by noyb - European Centre for Digital Rights) in IE
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
12 January 2023
Authority
Data Protection Commission
Fine Amount
€5,500,000
GDPRhub ID
gdprhub-5630About this data
Cite as: Cookie Fines. German Whatsapp user (represented by noyb - European Centre for Digital Rights) - Ireland (2023). Retrieved from cookiefines.eu
Last updated: