The Data Protection Authority of Ireland (Data Protection Commission – DPC-) announced in early September the conclusion of an investigation into the application of EU Regulation 679/2016 (GDPR) against WhatsApp Ireland Ltd. The DPC’s investigation began on the 10 of December, 2018 examined how WhatsApp uses user data in light of the transparency obligations imposed by the privacy framework.
Following a lengthy and complex investigation, in December 2020 the DPC submitted a proposal for a decision to all Concerned Supervisory Authorities (CSAs) under Article 60 GDPR regarding cooperation between the lead supervisory authority and other relevant supervisory authorities.
As known under paragraph 3, the lead supervisory authority shall without delay communicate relevant information on the matter to the other supervisory authorities concerned. It shall forward a draft decision to the other supervisory authorities concerned without delay for their opinion and shall take due account of their views.
Furthermore, paragraph 4 below specifies that if one of the other supervisory authorities concerned raises a relevant and reasoned objection to the draft decision within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, the lead supervisory authority shall, if it does not act on the relevant and reasoned objection or considers the objection irrelevant or unjustified, submit the matter to the consistency mechanism referred to in Article 63.
The Irish Data Protection Authority (DPC) having received eight objections from as many supervisors and having failed to reach a consensus on the subject matter of the objections, on 3 June 2021 initiated the dispute resolution process under Article 65 GDPR whereby in order to ensure the correct and consistent application of the Regulation, the European Data Protection Board (EDPB) is required to adopt a binding decision in the case referred to in Article 60(4) GDPR, i.e., when a relevant supervisory authority has raised a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such objection as irrelevant or unreasoned.
The binding decision shall address all matters covered by the relevant and reasoned objection, including whether there is a violation of this regulation.
On July 28, 2021, the EDPB issued a binding decision and the Irish DPC was notified of that decision.
This decision contained a clear instruction requiring the Data Protection Commission to re-evaluate and increase its proposed penalty based on a number of factors contained in the EDPB’s decision, and as a result of that re-evaluation, the DPC imposed a penalty of €225 million on WhatsApp.
In addition to the imposition of an administrative penalty, the DPC also imposed a warning and injunction on WhatsApp to bring its processing into compliance with the Privacy Principles and Regulations by taking a series of detailed corrective actions.
SOURCE: FEDERPRIVACY