WhatsApp isn't just catching flak from users over its data sharing with Facebook. The Financial Times reports the Irish Data Protection Commission has fined WhatsApp €225 million ($266.8 million) for not sharing enough details of how it shares European Union users' data with Facebook. The messaging service allegedly failed to live up to its General Data Protection Regulation (GDPR) transparency obligations.
The Commission also said the data sharing itself violated GDPR. WhatsApp was merely storing "pseudonymous" phone number data, for instance, rather than truly anonymizing it. While the numbers were stored using lossy hashes, WhatsApp had the hash key needed to decrypt that info — it could tie that number to a specific person if it wanted.
The ruling asked WhatsApp to both improve its transparency and bring the data sharing in line with the GDPR. The Irish agency initially planned to fine WhatsApp €50 million ($59.3 million) for breaking GDPR, but hiked the punishment after Germany and other countries accused the Commission of being lenient on privacy violations.
WhatsApp unsurprisingly planned to appeal the decision. It claimed that it met transparency requirements in 2018 (around when the investigation began) and that the fines were "entirely disproportionate." It maintained that it strived to offer "transparent and comprehensive" information to users.
The fine is the latest in a string of penalties for tech giants over violations. Amazon faced a record $888 million fine in July over GDPR issues, and Twitter was asked to pay €450 million ($533.6 million) when it failed to report a data leak within 72 hours. WhatsApp's fine is light by comparison, then, although it's arguably grappling with a larger blowback over its data policies.