Jan 20, 2023Ravie Lakshmanan
The Irish Data Protection Commission (DPC) on Thursday imposed
fresh fines of €5.5 million against Meta’s WhatsApp for violating
data protection laws when processing users’ personal
information.
At the heart of the ruling is an update to the messaging
platform’s Terms of Service that was enforced in the days leading
to the enforcement of the General Data Protection Regulation
(GDPR[1]) in May 2018, requiring
that users agree to the revised terms in order to continue using
the service or risk losing access.
The complaint, filed by privacy non-profit NOYB, alleged that
WhatsApp breached the regulation by compelling its users to
“consent to the processing of their personal data for service
improvement and security” by “making the accessibility of its
services conditional on users accepting the updated Terms of
Service.”
“WhatsApp Ireland is not entitled to rely on the contract legal
basis for the delivery of service improvement and security,” the
DPC said[2]
in a statement, adding the data collected so far amounts to a
contravention of GDPR.
Aside from the fine, the messaging application has also been
ordered to bring its operations into compliance within a period of
six months. It’s worth noting that Meta has its European
headquarters in Dublin.
The DPC, however, noted it doesn’t plan to investigate whether
WhatsApp processes user metadata for advertising, calling it
“open-ended and speculative.” NOYB, in a response, criticized the
authority for declining to act on it.
“WhatsApp says it’s encrypted, but this is only true for the
content of chats – not the metadata,” NOYB’s Max Schrems said[3]. “WhatsApp still knows
who you chat with most and at what time. This allows Meta to get a
very close understanding of the social fabric around you.”
“Meta uses this information to, for example, target ads that
friends were already interested in,” Schrems further added. It
seems the DPC has now simply refused to decide on this matter,
despite 4.5 years of investigations.”
WhatsApp notably received blowback in early 2021, when it
announced[4]
a similar update to its privacy policy that required users to
accept the changes to continue using the service, prompting the
European Commission to issue a warning, urging the company to
“clearly inform” consumers of its business model.
“In particular, WhatsApp is encouraged to show how it plans to
communicate any future updates to its terms of service, and to do
so in a way that consumers can easily understand the implications
of such updates and freely decide they want to continue using
WhatsApp after these updates,” the Commission said[5]
in June 2022.
On top of that, WhatsApp has previously attracted scrutiny for
taking a U-turn on its data sharing practices with parent company
Meta (then Facebook) for ad targeting. In 2017, the E.U. fined[6]
the social media giant €110 million for “providing incorrect or
misleading information” during its probe into the merger.
The latest penalty comes two weeks after the DPC fined[7]
Meta €390 million over its handling of user data for serving
personalized ads in Facebook and Instagram, giving the company
three months to find a valid legal basis for processing personal
data for behavioral advertising.
NOYB, for its part, has written[8]
to the European Data Protection Board (EDPB), stating that the
watchdog “turned a blind eye on the revenue generated from
violating the GDPR when calculating its fine,” and that “the DPC’s
maneuver saved Meta almost €4 billion.”
Found this article interesting? Follow us on Twitter [9]
and LinkedIn[10] to read more exclusive
content we post.
References
Read more https://thehackernews.com/2023/01/whatsapp-hit-with-55-million-fine-for.html