Ireland on Thursday slapped Facebook’s WhatsApp messaging service with a record fine for breaching EU data privacy laws after European regulators demanded the penalty be increased.
Ireland’s Data Protection Commission (DPC) was entrusted with the case because Facebook’s European headquarters are situated in the country.
“And following this reassessment the DPC has imposed a fine of 225 million euros ($267 million) on WhatsApp,” the commission said, by far the largest penalty it has ever issued to a company, dwarfing the 450,000-euro fine imposed on Twitter last year.
As Ireland hosts the regional headquarters of a number of major tech players such as Apple, Google and Twitter, the DPC has been largely responsible for policing adherence to the EU’s landmark General Data Protection Regulation (GDPR) charter.
But Ireland has come under pressure for not taking a firm enough line against tech giants, who are generally understood to be drawn to the country by its low corporate tax rate of 12.5 percent.
WhatsApp said it would appeal the decision.
“We disagree with the decision today,” it said in a statement, calling the penalties “entirely disproportionate.”
The DPC launched the WhatsApp probe in December 2018 to examine whether the messaging app “discharged its GDPR transparency obligations” with regard to telling users how their data would be processed between WhatsApp and other Facebook companies.
In an initial finding submitted to other European regulators for approval last December, the DPC proposed imposing a fine of between 30 and 50 million euros, but a number of national regulators rejected the figure, triggering the launch of a dispute resolution process in June.
Last month, the European Data Protection Board (EDPB) instructed the DPC to increase the fine, with Germany’s regulator leading the calls for the penalty to be higher.
The EDPB said that the fine had to “reflect a significant level of non-compliance which impact on all of the processing carried out by WhatsApp” in Ireland.
The fine had to be “effective, dissuasive and proportionate,” it said.
Hailed as a potent weapon to bring tech titans to heel, the GDPR endowed national watchdogs with cross-border powers and the possibility to impose sizeable fines for data misuse.
But Germany’s data protection commissioner, Ulrich Kelber, in March wrote an open letter criticising the DPC for the “extremely slow” way it handled GDPR complaints.