WhatsApp was fined a record €225m by the Irish data protection regulator after the EU privacy watchdog pressured Ireland to raise the penalty for the company’s privacy breaches.


This is a substantial increase over the fine first proposed, which ranged from €30 to €50 million (approx. US$35.6 to US$59 million). The decision marks the end of an investigation dating back to December 2018 into allegations that WhatsApp had failed to discharge its transparency obligations regarding the information it provides to users and non-users of its service.

One of the largest sanctions issued under the GDPR, and the largest to date in Ireland, the fine comes after Ireland triggered a formal dispute resolution process, which was required to resolve disagreements with other EU privacy regulators over the size of the eventual penalty.

1. Infringements of transparency

In addition to the DPC’s findings, the EDPB stated that WhatsApp had committed a severe breach of General Data Protection Regulation Articles 12, 13 and 14, which concern the information to be provided to individuals, and identified additional shortcomings in the information provided that affect individuals’ ability to understand the legitimate interests being pursued.

2. Calculation of the fine

The EDPB decided that the turnover of an undertaking, although not exclusively relevant for the determination of the fine amount, has to be taken into consideration to ensure the fine is proportionate and effective. In this case, the EDPB decided to include the consolidated turnover of the parent company (Facebook Inc.) in the calculation.

3. Compliance timeframe

The DPC’s initial decision provided a six-month compliance period for WhatsApp to bring its processing operations into compliance. However, under the influence of the EDPB, the DPC shortened the compliance period to three months in order to highlight the importance of the GDPR’s transparency obligations.