Irish Data Regulator fights back against "Big Tech"

With EU regulators hardening their stance against the 'big tech' industry, the DPC (Data Protection Commission) recently fined WhatsApp over a GDPR violation - the second largest of its kind.

10 September 2021

On 2 September 2021 the Irish Data Protection Commission (DPC) fined WhatsApp €225 million for failing to comply with its data processing obligations under the General Data Protection Regulation (GDPR) – the second largest fine of this kind. 

The DPC held that WhatsApp breached the principle of transparency, a key principle of the GDPR, by failing to provide both users and non-users of its platform with clear information about how the company processes their personal data. In particular, WhatsApp's privacy policy was found to lack information about how WhatsApp shares personal data with its parent company, Facebook. The DPC highlighted that non-users of WhatsApp were not presented with the company's privacy policy, despite their personal data being processed by WhatsApp, for example, when a user uploads their contact list to WhatsApp, the personal details of non-users were being processed by WhatsApp. 

WhatsApp now has three months to amend its privacy policy to comply with the GDPR. A company spokesperson has labelled the fine "entirely disproportionate" and has said that WhatsApp will appeal this ruling.

Notably, the fine handed out by the DPC is more than four times the fine that was first proposed in January, as a result of mounting pressure from other EU data regulators to punish WhatsApp for breaching the GDPR. This suggests that EU regulators are hardening their stance against the "big tech" industry. 

Businesses should take note, as fines for breaching the GDPR can reach 4% of their annual turnover. This case highlights the importance of ensuring that privacy policies are up to date and compliant with the GDPR, particularly if data is shared between group entities. Businesses must also consider whether they process any personal data, from both users and non-users, of their services, and if so, should ensure appropriate privacy procedures are in place. 

If you require any advice our specialist data protection lawyers would be pleased to assist. Please contact Joanna Boag-Thomson, Partner in the media and technology team, at, or your usual Shepherd and Wedderburn contact.