Irish DPA Fines Whatsapp $225 Million Euro For Transparency Violations

Written by: Richard Sheinis, Esq.

We are all aware of the requirements under several laws that a company’s website must have a link to the company’s privacy policy explaining how the company treats personal information. The oxymoronic part of the privacy policy requirement, however, is that laws require more and more information to be included in a privacy policy, but at the same time the privacy policy must be clear, concise, and unambiguous.  In short, the legal requirement for privacy policies is to provide people with more information, but do it in fewer words.  Huh?

The fine against Whatsapp was based upon a finding that Whatsapp violated its transparency obligations under the GDPR by failing to tell people the full scope of how collected personal information is used.  Facebook (the owner of Whatsapp) stated the fine was “entirely disproportionate.” While the appeals process will likely take years, the looming question is what does this decision mean for further actions alleging insufficient privacy policies and when is a privacy policy transparent enough, and clear enough, yet concise enough.