Facebook Service WhatsApp Fined $267 Million for GDPR Violations


In what is the second-largest GDPR fine to date, Ireland’s Data Protection Commission (DPC) announced today that they have fined Facebook subsidiary WhatsApp €225 million, or the equivalent of $267,198,750.00 USD, for several gross violations of GDPR (the General Data Protection Regulation in effect in the EU, as well as the UK since the UK’s ICO adopted its own “UK GDPR” following Brexit).

At issue, among other things, was the question of WhatsApp’s substandard (or nonexistent) transparency about the fact that it mines its users’ contact information on their mobile phones for the telephone numbers and other data of not just other WhatsApp users, but also of contacts who do not even have WhatsApp accounts, and so could not possibly have given permission for WhatsApp to have that personal data.

According to the decision, WhatsApp defended this practice by saying that “The utility of the Service rests in substantial part on existing users being in a position to communicate readily with their contacts, including from the point that these contacts join WhatsApp as new users. The purpose of this processing is to enable existing users to quickly and efficiently keep their WhatsApp contacts up-to-date with other WhatsApp users who are in their device’s address book. Users are free to use the contact Feature for this purpose or not. Users are also free to refuse permission for WhatsApp to access their mobile phone address book or withdraw any permission given at any time. WhatsApp would not be processing any such data for this purpose if it were not directed to by the user, and the user is the one who benefits. The purpose of the processing is limited to the provision of the contact Feature and WhatsApp does not further process that data for any other purpose, in line with the fact that it does not have authority from the user to carry out any additional processing.”

In other words, “We grab that data because we can, in case at some point in the future that individual decides to use WhatsApp, so we can inform everyone else that they know that they are now using WhatsApp, whether they want us to or not.”

Oh, and then there is this gem from WhatsApp in response to the investigation: “We consider it would be self-evident to users that they would grant WhatsApp permission to access their entire mobile phone address book – which by definition cannot be divided in advance into a WhatsApp user and non-user list – when asked to ‘Upload your contacts to WhatsApp’s servers’ in order to use the Contact Feature.”

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.


You can read the whole decision, which Facebook / WhatsApp has said they will appeal, here.
