In late July this year, powerhouse e-commerce giant Amazon received the biggest GDPR fine ever. The whopping $887 million penalty for allegedly targeting customers with unsolicited yet relevant advertising was issued by Luxembourg’s National Commission for Data Protection (CNPD). The CNPD claimed the tech giant’s processing of personal data did not comply with EU law. Now it’s the turn of Facebook’s child, WhatsApp. And the multi-media sharing and communication platform has been hit with not one but two fines, within a day of each other.



On 2 September, the Data Protection Commission (DPC) in Ireland fined WhatsApp $267 million (€225 million) for breaking EU GDPR rules on user privacy. The DPC alleged that the Facebook subsidiary had failed to provide the necessary data protection information to its users and did not meet ‘transparency obligations.’ The DPC is the lead data privacy regulator for Facebook within the European Union and claimed that WhatsApp had failed to conform to the GDPR transparency rules when the regulation came into effect in the EU on 25 May 2018. Part of the Irish regulator’s statement read:


“This includes information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.”




Without going into the nitty-gritty of the litigation, here are the four reasons why WhatsApp was handed this massive fine:


  • €90 million because it did not process personal data in a lawful, fair and transparent manner
  • €30 million because it did not provide information to users on how data is collected in a transparent, intelligible, and easily accessible format, including that which could be easily understood by a child
  • €30 million because it did not appropriately inform users where their data was stored, for what purposes it was collected and who received it
  • €75 million because it failed to inform users when their personal data was obtained and processed from third parties and where this data came from



The messaging platform said that the fine was “entirely disproportionate” and that it would appeal. In an email to The Verge, a WhatsApp spokesperson said:


“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”




A day after the DPC fine, Turkey’s Personal Data Protection Board (KVKK) fined WhatsApp $235,000 for not taking the necessary technical and administrative measures to prevent the unlawful processing of personal data. KVKK determined that WhatsApp had asked users for their express consent for their personal data to be transferred to third parties outside of Turkey. Failure to consent would result in the deletion of their accounts. Making the application’s services subject to the precondition of explicit consent is against the law on the protection of personal data in Turkey. WhatsApp has yet to comment.




With more than 20 years as a provider of professional business IT services, Zhero knows the ins and outs of the GDPR. Our multi-layered security solutions include intrusion prevention systems (IPS), advanced threat protection (ATP), anti-virus, web intelligence, ransomware protection, threat control tools, firewall and patch management. All this makes for a tried and tested GDPR-ready offering. Are you concerned about GDPR compliance? Don’t be. Contact Zhero today. We’ll sort IT out.