WhatsApp’s $267 million Irish privacy fine shows the GDPR is growing teeth


Good morning. David Meyer here in Berlin, filling in for Alan.

The EU has a very tough online privacy law in the General Data Protection Regulation (GDPR), which can in theory see companies fined up to 4% of global revenues for serious infringements. But the law has so far been poorly enforced, most notably by the somewhat sluggish Data Protection Commission (DPC) in Ireland, the European headquarters for much of Big Tech.

That honeymoon may be drawing to a close, though—not only because the EU’s top court said in June that other national regulators can also tackle tech firms more freely, but because pressure from those other watchdogs has now forced changes in Ireland, too.

At the start of this year, the Irish DPC proposed a fine of up to €50 million ($59 million) for WhatsApp, due to the Facebook subsidiary’s GDPR infringements—it didn’t give users enough information about how it used their personal data. Although the law came into effect in May 2018, and this case was one of the first to be launched after that happened, legal wrangles severely delayed the regulator’s response.  

The DPC’s counterparts on the European continent were not impressed with that response, when it finally arrived. Eight of them objected, saying the amount was too low. Following a dispute-resolution procedure, the European Data Protection Board—the umbrella body for the regulators, established under the GDPR—ordered the DPC in July to increase the fine.

This morning, the Irish regulator did just that, whacking WhatsApp with a €225 million penalty and ordering the company to fix the problems that led to it. It’s the second-biggest GDPR fine to be issued thus far, after Luxembourg’s €746 million penalty for Amazon in July.

WhatsApp says it will appeal the fine. “We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate,” it said in a statement.

That’s to be expected—it’s very rare for a company not to appeal a fine of this size, and WhatsApp had only set aside €77.5 million for this fine. The broad takeaway here is that, after a languid introduction, the GDPR is growing teeth. This was a pretty embarrassing episode for the Irish regulator, and it’s a lot less likely to play nice in future.

More news below.

David Meyer



Net neutrality

The EU's top court has delivered what may be a mortal blow to telecoms operators' practice of "zero rating" or exempting certain services' Internet traffic—for commercial considerations—from customers' data caps. The court said this broke net neutrality rules. Fortune

Abortion law

The Supreme Court has declined to block a Texan law that not only bans abortion after six weeks of pregnancy (before many women realize they're pregnant), but also allows any U.S. citizen to sue anyone facilitating such an abortion. The 5-4 decision is a direct repudiation of Roe v. Wade—which it skirts by enabling citizens rather than the government to enforce the ban—and confirmation of liberal fears over President Trump's appointment of three heavily conservative justices. Fortune

Office attitudes

A new Harris Poll shows 42% of Americans are comfortable with returning to the office even if some of their co-workers are not vaccinated against COVID-19. A third said they would only return to the office under those conditions if their employer demanded it, and a quarter said no way, either way. Fortune

Climate protest

Activists from the Extinction Rebellion group yesterday broke windows at JPMorgan's central London offices, due to the bank's copious loans to corporate polluters. Last week, the group also splattered red paint on the offices of Standard Chartered. Fortune


COVID-19 trauma

As the 20th anniversary of 9/11 looms, mental-health advocate Helaina Hovitz Regal writes for Fortune about how the event traumatized children and adults across the U.S.—and how the COVID-19 pandemic has done the same: "If the events of the past year and a half are affecting how you’re able to function on the day-to-day, or friends or loved ones have shared that you seem different and that they're concerned, it is likely a good time to look into finding a therapist who understands your experience and is able to help you actively address your issues." Fortune

Hey Mu

Meet Mu, the latest COVID-19 variant that's been added to the World Health Organization's list of "variants of interest." It was first identified in Colombia and has been in the U.S. for over a month, though it's still small fry on the global scale. The WHO says Mu's mutations may indicate resistance to vaccines and natural immunity. Fortune

Spying employers

Employers' surveillance of their workers has increased during the pandemic, according to new research from Top10VPN. As Jennifer Alsever writes: "Most office workers are aware that their employer can gain access to the Slack messages, emails, and websites they visit on their company computer. But more extensive tracking of workers inside their own homes is relatively new, and it creates a new level of concern for workers’ privacy." (Bonus read: the FTC just cracked down on a "stalkerware" provider, SpyFone.) Fortune

'Financial astrologer'

Fortune's Shawn Tully had a chat with Irish astrologer Clarisse Monahan, who has thoughts on the future of cryptocurrencies—Bitcoin could go to zero, she says, and the stars are aligning for Ethereum and Cardano. Bitcoin is a Capricorn, apparently. Fortune

This edition of CEO Daily was edited by David Meyer.
