The Irish data protection authority has fined WhatsApp Ireland Ltd. for failing to provide transparent information to users about how their data is processed and shared, particularly with related companies in the Meta Platforms Inc. family. The fine, issued under the European Union’s General Data Protection Regulation (GDPR), reflects shortcomings in disclosures made to users when they sign up for the messaging service.
The penalty was imposed by the Irish Data Protection Commission, which acts as the lead regulator for Meta’s services in the EU. The authority said WhatsApp’s privacy notices did not clearly explain how user data is processed, stored, and shared with other companies in the Meta group, including for operational and marketing purposes. Regulators determined that the information provided to users was fragmented and difficult to understand.
Under GDPR, companies must explain clearly and concisely to users what personal data they collect and how it is used. The regulator said WhatsApp’s disclosures fell short of this standard because they were overly complex and did not allow users to fully grasp the extent of data flows to related services. The Irish authority said this lack of clarity undermined users’ ability to make informed decisions about their privacy.
WhatsApp Ireland Ltd. was ordered to pay a fine calculated based on the severity of the violation and the number of users affected in the EU. The amount reflects both the reach of WhatsApp’s services and the need to enforce consistent data protection standards across member states. The regulator said it would publish more details about the fine and the aspects of WhatsApp’s disclosures that were found non-compliant.
WhatsApp said it disagrees with the regulator’s conclusions and plans to appeal the decision. The company said it strives to be transparent with users and that it regularly reviews its privacy practices. It added that its global privacy policies already provide information about data processing and sharing within the Meta group, but that it will engage with authorities through the appeal process.
The decision by the Irish Data Protection Commission follows other GDPR enforcement actions against major technology companies for what regulators describe as insufficiently clear privacy notices. GDPR requires that data controllers offer “transparent” information in language that is accessible to ordinary users, and that they maintain records showing compliance with transparency obligations.
Privacy advocates welcomed the regulator’s action, saying that clarity about data sharing is fundamental to user control over personal information. They noted that messaging services with large user bases have a heightened obligation to communicate how data flows between services, especially when such data can be used for profiling or personalised features.
The outcome may influence how other technology companies tailor their privacy communications in the EU. GDPR enforcement actions often prompt revisions to online privacy notices as firms seek to align their disclosures with regulators’ expectations and avoid future sanctions. Regulators in other member states monitor such decisions to promote harmonised application of the law across the bloc.