What happened with WhatsApp?

The case that Max Schrems filed against WhatsApp back in December 2018 has been finalized at last.  WhatsApp was recently fined by the Irish Data Protection Commission an amount of 225 million Euros, which is over 3,7 billion Rands.  The Irish Data Protection Commission (DPC) is the equivalent of the Information Regulator in South Africa.

The fine was imposed because the DPC found WhatsApp to be processing personal data in a manner not in line with the General Data Protection Regulation 2016/679 (GDPR).  In particular, the DPC found that WhatsApp had failed to comply with the requirements under Article 13 of the GDPR.  Article 13 of the GDPR lists the information that must be provided where personal data are collected from the data subject.

After an almost 3-year-long investigation into WhatsApp’s processing activities, the DPC found that WhatsApp was not acting transparently in explaining the scope and extent of data sharing between WhatsApp and Facebook.  (Though Facebook owns WhatsApp, WhatsApp remains an independent juristic entity as a Responsible Party or Data Controller.  WhatsApp’s processing activities, including sharing data with its parent company, should be in line with data protection laws.)  WhatsApp was not giving clear information to data subjects, i.e. WhatsApp users, on how their data was being stored and used, what categories of data were being processed and for what purposes.

What has the Information Regulator done regarding the WhatsApp privacy terms?

While this recent fine has a lot to do with the sharing of data between WhatsApp and Facebook, we are still waiting for the Information Regulator to update us on the ‘talks’ that it initiated with Facebook South Africa.  Earlier this year, WhatsApp advised that it was updating its Privacy Policy, but provided two very different privacy policies for users within the European Union and for those outside it.  The Information Regulator was not happy with this distinction and hence initiated formal engagements with WhatsApp’s parent company, Facebook, to discuss the matter.  At the time of writing, the website of the Information Regulator is down due to a ransomware attack on the IT systems of the Department of Justice, so we were unable to access any press statement or media release that the Information Regulator may have published commenting on the WhatsApp GDPR fine.

Should businesses worry about fines for non-compliance with data protection laws?

Multinational companies operating in South Africa may find non-compliance with the Protection of Personal Information Act, 4 of 2013 (POPIA) a small price to pay.  This is because administrative fines for non-compliance are quite insignificant compared to those under the GDPR.  POPIA fines can only go as high as 10 million Rands, which is still a very small amount compared to fines amounting to billions of Rands.  However, local businesses may feel the pinch of these POPIA fines and should do everything to comply with the law.

Apart from approaching the Information Regulator, data subjects can still approach our courts to seek legal remedies.  There are no monetary caps on the orders courts may issue, so the cost of a court order can potentially end up being higher than 10 million Rands.  While the WhatsApp fine may seem quite steep, privacy experts are still discontented with these fines.  Initially, the DPC had proposed a fine of 50 million Euros, but other EU data protection authorities did not agree with this amount.  The European Data Protection Board (EDPB) adopted a binding decision in which it instructed the DPC to reconsider its proposed fine.  Pursuant to the EDPB’s decision, the DPC increased the fine to 225 million Euros.  Privacy advocacy organisations and privacy activists still consider this amount insignificant, particularly for tech companies.  Under the GDPR, fines may be up to 4% of an entity’s global turnover.  The WhatsApp fine is still only 0.08% of Facebook’s global turnover.

Conclusion

It is very important for businesses to take data protection and compliance seriously.  With POPIA now in full operation, we are likely to see an increase in the number of complaints lodged with the Information Regulator.  There is also going to be an increase in data protection litigation.  Businesses need to get ready by ensuring that they have clear processes in place and that they lawfully process personal information in line with POPIA and other relevant laws.  In addition, businesses need to reinforce their cybersecurity measures to prevent unauthorised access to personal data.  Where a local business targets EU-based customers, it needs to comply with the GDPR to avoid such hefty fines.