WhatsApp has recently been fined $267 million for its breach of the EU’s GDPR privacy law. This fine is one of several that underscore the tension between the GDPR and tech companies whose profit margins depend on harvesting users’ data.
A Brief Introduction to GDPR
The General Data Protection Regulation (GDPR) is a data privacy law enacted by the European Union. Its objective is to protect the data of EU citizens regardless of where that data is located. The GDPR creates several rights for data subjects and imposes restrictions on how organizations can collect, store, and use the data of EU citizens. A few of the GDPR requirements that have resulted in fines include:
● Opt-In By Default: Many tech services are designed around an “opt-out” consent model, where the company collects and processes data unless the data subject takes action to refuse. Under the GDPR, companies are required to use an “opt-in” model, where collection and processing are only permitted after the data subject has given consent.
● Explicit Consent: The GDPR also requires that this consent be explicit. For example, a data subject may need to click a box saying that they allow a company to collect certain types of data for use in a particular way.
● Data Minimization: Under the GDPR, companies must minimize their data collection, processing, and storage. They cannot collect extraneous data or use appropriately collected data for purposes other than those for which they have obtained consent. Additionally, companies are required to minimize their data storage, deleting data after it is no longer needed for a permitted purpose.
● Data Sharing: Tech companies commonly sell or share customer information with other organizations for targeted marketing, political profiling, etc. The GDPR restricts the sale or sharing of this data without explicit user consent.
Where Tech Companies Go Wrong with GDPR
GDPR has been around for a few years now, but violations and legal challenges are still common. The reason is that many of the core requirements of GDPR are in direct opposition to how some tech companies traditionally do business.
Some tech companies’ business model is based on collecting user data, processing it, and selling the resulting insights to advertisers. In several cases, these companies have continued with business as usual until overstretched GDPR regulators fined them, and then challenged those fines in court.
The WhatsApp Case
This is the case with the recent ruling by Ireland’s Data Protection Commission (DPC). The DPC levied a fine against WhatsApp for €225 million ($267 million) for a failure to inform users about how their data was used and shared with Facebook, its parent company.
In January 2021, WhatsApp announced its intention to share data with Facebook and threatened to boot users off the platform unless they agreed. This decision inspired a massive backlash, causing the company to delay the program.
WhatsApp’s lack of transparency about its data-sharing practices led to the €225 million fine by the DPC. The company plans to appeal the decision, claiming that it offers a secure and private service and disputing the finding that it lacked transparency.
Other Notable GDPR Fines Against Tech Companies
This WhatsApp fine is not the first penalty levied against tech companies by GDPR regulators. Some other companies that have faced major GDPR fines include:
GDPR regulators have received hundreds of thousands of complaints about violations, and the average case takes years to complete, including appeals. While a relatively small number of fines have so far been levied against Big Tech companies, several more cases are working through the process.
Secure Messaging without Data Collection
WhatsApp’s struggles with GDPR regulators demonstrate the importance of choosing communication apps with a commitment to data privacy and security. While the application boasts end-to-end encryption, it is also designed to collect and monetize user data.
End-to-end encryption is a powerful tool for protecting data privacy and security, but it must be coupled with a commitment to minimize the collection and processing of user data. Ciphr apps are specifically designed to minimize the user data accessible to our servers, including support for user-controlled keys and the use of random identifiers rather than phone numbers for routing messages to the members of a conversation.