On 2 September 2021, the Data Protection Commission (“DPC”) issued a 266-page ruling in which it levied its largest fine since its establishment, and the second largest fine ever issued under the General Data Protection Regulation 2016/679 (“GDPR”).
The unprecedented penalty of €225,000,000 was levied against WhatsApp Ireland Ltd (“WhatsApp”) on the grounds of multiple breaches of the transparency principles under the GDPR.
By confirming this fine, the DPC signals its willingness to apply significant financial penalties where it sees data protection and security breaches arising. It is also notable that the DPC is seeking expressions of interest from forensic professional service providers to supply technical forensic support to the DPC’s office in the context of its investigations.
The DPC’s latest decision follows the intervention of the European Data Protection Board (“EDPB”) in accordance with the dispute resolution mechanism outlined at Article 65 of the GDPR.
Notably, before the intervention of the EDPB, the DPC originally intended to issue a fine in the region of €30,000,000 to €50,000,000; however, the EDPB did not consider this amount to be effective, proportionate and dissuasive in the circumstances. WhatsApp are appealing the decision.
In this article, we will explain how the EDPB reached this conclusion.
Background to the WhatsApp fine
The DPC, as lead supervisory authority, issued a draft decision in December 2020 (“Draft DPC Decision”) to a number of concerned supervisory authorities (“CSAs”) recording its preliminary decision and, following a number of objections from CSAs, the DPC triggered the dispute resolution process. The EDPB instructed the DPC to issue a higher fine to WhatsApp.
Infringements related to linked processing operations
Article 83(3) of the GDPR states that if a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of the GDPR, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
In the Draft DPC Decision, the DPC concluded that the infringements by WhatsApp amounted to simultaneous breaches of Articles 12, 13 and 14 of the GDPR in the context of the same set of processing operations, with the breach of Article 14 as the gravest infringement.
All CSAs argued that not taking into account infringements other than the gravest infringement was not in line with their interpretation of the GDPR.
The EDPB made reference to the Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679 (“Guidelines”), which state that the "occurrence of several different infringements committed together in any particular single case means that the supervisory authority is able to apply the administrative fines at a level which is effective, proportionate and dissuasive within the limit of the gravest infringement".
The EDPB also referred to the wording of Article 83(3), which specifies that the total amount of the fine shall not exceed the amount for the gravest infringement. The EDPB concluded that the other infringements cannot be discarded when calculating the fine, while recognising that the maximum fine is set by the gravest infringement.
Relevance of turnover beyond establishing the cap
The EDPB Decision stated that the size of an undertaking matters when considering the need for fines to be dissuasive. Further, the inclusion of the words “due regard shall be given to the following” in Article 83(2) indicates that the list of factors is not an exhaustive one. The EDPB further emphasised the need for any fine to reflect the circumstances of a case.
What’s next?
While the EDPB Decision will generate further discussion, most will be struck by this substantial and unprecedented fine.
Two key takeaways:
- Turnover is likely to be a key factor in the DPC’s consideration of the amount of fine to impose, such that the fine is dissuasive; and
- EDPB opinions, together with the CSAs’ views, signify a move towards more punitive interpretations of the GDPR.
For further information, please contact any member of our Data Protection, Privacy and Cyber Security Group, or your usual Matheson contact.