On Thursday, the Irish Data Protection Commission (DPC) fined Meta’s WhatsApp an additional EUR5.5 million for breaking data protection laws when it handled users’ personal information.
At the heart of the ruling is an update to the messaging platform’s Terms of Service that was made in the days before the General Data Protection Regulation (GDPR) went into effect in May 2018. Users had to agree to the new terms in order to keep using the service or risk losing access.
The complaint, which was filed by a privacy group called NOYB, said that WhatsApp broke the law by forcing its users to “consent to the processing of their personal data for service improvement and security” by making it so that users couldn’t use its services unless they agreed to the updated Terms of Service.
“WhatsApp Ireland is not allowed to use the contract as a legal basis for improving and securing services,” the DPC said in a statement, adding that the data collected so far is a violation of GDPR.
In addition to the fine, the messaging app has been told to change how it works within six months. Meta’s European headquarters are in Dublin.
The DPC, on the other hand, said it has no plans to look into whether or not WhatsApp uses user metadata for advertising. It called the question “open-ended and speculative.” In response, NOYB said that the authority was wrong not to do anything about it.
Max Schrems of NOYB said, “WhatsApp says it’s encrypted, but that’s only true for the content of chats, not the metadata.” “WhatsApp still knows when and with whom you talk the most. This lets Meta learn a lot about how you and the people around you interact.”
“Meta uses this information to, for example, show ads for things that friends have already shown interest in,” Schrems said. “Even though this has been looked into for 4.5 years, it seems that the DPC has now just refused to make a decision.”
When WhatsApp announced a similar change to its privacy policy in early 2021, users had to agree to the changes in order to keep using the service. This caused the European Commission to warn the company and tell it to “clearly inform” consumers of its business model.
In June 2022, the Commission said, “In particular, WhatsApp is encouraged to show how it plans to communicate any future changes to its terms of service, and to do so in a way that consumers can easily understand what these changes mean and decide for themselves if they want to keep using WhatsApp after these changes.”
On top of that, WhatsApp has already been criticised for doing a U-turn on how it shared data with parent company Meta (then Facebook) for ad targeting, which drew attention to the company. In 2017, the E.U. fined the social media giant EUR110 million for giving “incorrect or misleading information” during its investigation into the merger after it bought WhatsApp in 2014.
Two weeks ago, the DPC fined Meta EUR390 million for how it handled user data to serve personalised ads on Facebook and Instagram. The company was given three months to find a legal way to use personal data for behavioural advertising.
NOYB, on the other hand, has written to the European Data Protection Board (EDPB) to say that the watchdog “turned a blind eye to the revenue generated by violating the GDPR when calculating its fine” and that “the DPC’s move saved Meta almost EUR4 billion.”
Info source – The Hacker News