Record GDPR fine has implications for calculation of GDPR fines and regulatory expectations around transparency rules
On 2 September 2021, the Data Protection Commission (DPC) announced it has imposed a €225 million administrative fine against WhatsApp Ireland Limited, as well as a reprimand and an order to bring its processing into compliance. This comes following a lengthy background including the EDPB’s first urgent binding decision in relation to the investigation earlier this year.
This is the highest GDPR fine ever issued by the DPC, and the second highest by any EU regulator to date. The fine represents a significant increase from the initial €30m-€50m proposed by the DPC, reflecting the numerous factors raised by the EDPB who called for a higher sanction. Factors for increasing the fine included additional infringements identified by Concerned Supervisory Authorities, the EDPB’s view on GDPR’s fining limit for multiple infringements as well as the method for calculating turnover. WhatsApp has announced its intention to appeal the decision.