Facebook Fined $400 Million for Breaking E.U. Data Privacy Law
Regulators in Ireland, where many tech giants have their European headquarters, have been criticized for not enforcing Europe’s data-protection law, once heralded as a global standard.
Facebook’s WhatsApp is fined for breaking the E.U.’s data privacy law.
Facebook’s European headquarters in Dublin.Credit…Paulo Nunes dos Santos for The New York Times
Sept. 2, 2021, 8:05 a.m. ET
Facebook’s WhatsApp messaging service was fined nearly $270 million by Irish authorities on Thursday for not being transparent about how it uses data collected from people on the service, in a case that represents a big test of Europe’s ability to enforce its landmark data privacy law.
The 266-page decision is the first major ruling against Facebook under the European Union’s far-reaching General Data Protection Regulation, or G.D.P.R., a three-year-old law that many have criticized for not being properly enforced. Irish regulators said WhatsApp was not clear with users about how data was shared with other Facebook properties like its main social network and Instagram.
WhatsApp said it would appeal the decision, setting up what is expected to be a lengthy legal battle.
The G.D.P.R. was heralded as the world’s most comprehensive data privacy law when it was enacted, and championed as a model for the rest of the world to counter the data-hording practices of Facebook, Google and other internet giants. But the law has resulted in few fines or penalties, and many have said it has not fulfilled its promise.
Regulators in Ireland have been at the center of the debate. Under the law, companies must be regulated by the countries where they have their European headquarters. The European offices of Facebook, Google, Twitter, Apple and scores of other companies are based in Ireland because of its low corporate tax rates and other benefits.
But that has put tremendous pressure on Ireland’s Data Protection Commission, an underfunded and much-criticized agency that has been tasked with enforcing a novel and complex data-protection law against some of the largest companies in the world.
The fine of 225 million euros, a fraction of Facebook’s annual profit, was the largest issued by Irish regulators against a tech giant under the law; in December, Ireland fined Twitter 450,000 euros related to a data breach. The ruling said WhatsApp did not meet its “transparency obligations” to clearly disclose how data from users would be used by Facebook for its other services.
“WhatsApp is committed to providing a secure and private service,” Joshua Breckman, a spokesman for WhatsApp, said in a statement. “We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”