GDPR Issues €225 Million Fine to WhatsApp for Violating Transparency Principles

‘Your Privacy is Our Priority. Message Privately’

This is WhatsApp’s strapline that you can quickly notice on the company’s homepage.

The company may want to convince you that it’s committed to ensuring private conversations. Yet the many scandals that have surrounded WhatsApp make it difficult to believe these strong words.

In the latest news, WhatsApp received a fine for failing to properly notify European users how it collects and uses their data, as well as how it shares users’ data with Facebook, the app’s parent company.

Let’s look at how WhatsApp broke the EU’s data privacy law and what this means for you.

The Implications of the Second-Largest GDPR Fine

WhatsApp has been sharing metadata (including phone number, IP address, cookies, location) with Facebook since 2016. However, since GDPR (General Data Protection Regulation) became enforceable in 2018, this practice has operated under a legal loophole, even though it is privacy-invasive.

The investigation into WhatsApp’s GDPR violations started in December 2018 in Ireland, where Facebook has its European headquarters.

Ireland’s DPC (Data Protection Commission) found inconsistencies in how WhatsApp shares users’ data with Facebook and Instagram. WhatsApp users didn’t explicitly consent to sharing their personal data with other companies, which breaks the GDPR terms.

For example, you might remember that at the beginning of 2021, WhatsApp delivered pop-up messages informing you that your account would be suspended or deleted if you didn’t agree to share your personal data with Facebook. The messaging service received a wave of criticism from its numerous users and from privacy rights groups.

As a result, many users abandoned WhatsApp and downloads of the app dropped to 10.6 million, down from 12.7 million in just one week during January 2021.

Now, WhatsApp has to pay a fine of €225 million for failing to comply with the EU’s data protection and transparency obligations. The fine is the second-largest GDPR penalty ever given, after Amazon’s €746 million ($887 million) in Luxembourg in July 2020. It’s also the biggest the Irish regulator has ever issued under the EU’s GDPR data rights charter.

The Data Protection Commission also ordered the messaging app to add new terms to its privacy policy that would adhere to Europe’s data protection regulation within three months.

WhatsApp representatives stated that they disagree with the decision and plan to appeal, as reported by the Irish Times.

Notorious Data Privacy Issues Around WhatsApp


Facebook Data Sharing Controversy

WhatsApp changed its terms and conditions and privacy policy, notifying users of the possibility of linking their WhatsApp phone numbers with their Facebook profiles. The European Commission fined Facebook, as the mentioned option had already existed since 2014, when the social media company merged with WhatsApp.

The Fake News Scandal

WhatsApp was a media target for spreading fake news and hoaxes during the Brazilian government elections. Media reported that various shady companies hired people to spread misinformation against Brazilian candidates.

The Pegasus Spyware

WhatsApp and Facebook disclosed that third-party actors exploited a security weakness in the messaging app through Pegasus software. Pegasus targeted Indian journalists, lawyers, activists, and government officials during Indian elections and accessed their WhatsApp information. WhatsApp stated they had notified the Indian government twice about this bug. Many security experts and casual WhatsApp users still wondered how it enabled such a huge privacy breach.

The Easy Way to Make Your WhatsApp Messages Private

Your phone has pretty much become the extension of your arm. In the same way, WhatsApp is your most convenient tool to communicate important stuff with friends and family, or your kids’ schoolteacher, or your doctor.

Sure, you can always drop WhatsApp and choose a more private messaging app. That may be impossible sometimes, for practical reasons. Most people use WhatsApp, so you will still have at least a few contacts you need to message on this platform even if you get a different app.

However, you can double your encryption methods if you use a VPN. That’s because VPN encryption adds an extra layer of protection and security to all your data, including online messages.

No digital spy can see anything that you do online, so you’re covering all your personal information. Even if someone could get access to your data, they would only see scrambled untranslatable codes.

Give CyberGhost VPN a test drive with our free trial and discover the wonders of staying invisible on the web.


What is GDPR?

GDPR stands for General Data Protection Regulation, a data protection law the European Commission established to handle consumer data. GDPR unifies data privacy laws across different countries, aiming to enforce stricter rules on data protection and to give people control over their personal information.

What does consent mean?

Consent means companies (including online services, websites, and apps) should give users genuine choice and control over how their data is used. If users have no real choice, it means they didn’t freely give their consent, so it’s not valid. You should have the choice to either share your personal data or not, and should have the option to withdraw your consent at any time.

What is personal data?

Under the GDPR, personal data means any information related to a person (‘data subject’) that can lead to that person’s identity being directly or indirectly exposed. Personal information includes name, email address, identification number, location, and even online identifiers such as an IP address.

What is a data breach?

A data breach is an incident where someone steals or takes information from a system without the knowledge or authorization of the system’s owner. Stolen data may include sensitive or confidential information such as credit card numbers, customer data, trade secrets, or matters of national security.

Who needs to report a data breach?

Businesses have to publicly report a breach and inform their clients about it within 72 hours of first becoming aware of it. Businesses have to assess the nature, volume and sensitivity of the compromised data, how easy it is to identify the affected data subjects, and what the consequences might be.


Did you ever consider ditching WhatsApp? What was the reason you thought about it?

Let me know in the comments below.
