What happened with WhatsApp?
The case that Max Schrems filed against WhatsApp back in December 2018 has been finalized at last. The Irish Data Protection Commission (DPC) recently fined WhatsApp 225 million Euros, which is over 3,7 billion Rands. The DPC is the equivalent of the Information Regulator in South Africa.
The fine was imposed because the DPC found that WhatsApp was processing personal data in a manner not in line with the General Data Protection Regulation 2016/679 (GDPR). In particular, the DPC found that WhatsApp had failed to comply with the requirements under Article 13 of the GDPR. Article 13 of the GDPR provides a list of information that must be provided where personal data are collected from the data subject.
After an almost 3-year-long investigation into WhatsApp’s processing activities, the DPC found that WhatsApp was not transparent in explaining the scope and extent of data sharing between WhatsApp and Facebook. (Though Facebook owns WhatsApp, WhatsApp remains an independent juristic entity as a Responsible Party or Data Controller. WhatsApp’s processing activities, including sharing data with its parent company, should be in line with data protection laws.) WhatsApp was not giving clear information to the data subjects, that is, WhatsApp users, on how their data was being stored and used, what categories of data were being processed and for what purposes.
What has the Information Regulator done regarding the WhatsApp privacy terms?
Should businesses worry about fines for non-compliance with data protection laws?
Multinational companies operating in South Africa may find non-compliance with the Protection of Personal Information Act, 4 of 2013 (POPIA) a small price to pay. This is because administrative fines for non-compliance are quite insignificant compared to those under the GDPR. POPIA fines can only go as high as 10 million Rands, which is still a very small amount compared to fines amounting to billions of Rands. However, local businesses may feel the pinch of these POPIA fines and should do everything to comply with the law.
Apart from approaching the Information Regulator, data subjects can still approach our courts to seek legal remedies. There are no monetary caps when courts issue their orders, so potentially the cost of court orders can end up being higher than 10 million Rands.
While the WhatsApp fine may seem quite steep, privacy experts are still dissatisfied with these fines. Initially, the DPC had imposed a fine of 50 million Euros, but other EU data protection authorities did not agree with this fine. The European Data Protection Board (EDPB) adopted a binding decision in which it instructed the DPC to reconsider its proposed fine. Pursuant to the EDPB's decision, the DPC increased the fine to 225 million Euros. Privacy advocacy organisations and privacy activists still consider this amount insignificant, particularly for tech companies. Under the GDPR, fines may be up to 4% of an entity’s global turnover. The WhatsApp fine is still 0.08% of Facebook’s global turnover.
It is very important for businesses to take data protection and compliance seriously. With POPIA now in full operation, we are likely to see an increase in the number of complaints being lodged with the Information Regulator. There is also going to be an increase in data protection litigation cases. Businesses need to get ready by ensuring that they have clear processes in place and that they lawfully process personal information in line with POPIA and other relevant laws. In addition, businesses need to reinforce their cybersecurity measures to avoid unauthorised access to personal data. Where a local business targets EU-based customers, it needs to comply with the GDPR to avoid such hefty fines.