Facebook-owned WhatsApp has been fined €225 million ($267 million) for breaking the European Union’s data privacy rules. Ireland’s Data Protection Commission (DPC) announced the decision in an 89-page summary (PDF), noting that WhatsApp did not properly inform EU citizens how it handles their personal data, including how it shares that information with its parent company.
WhatsApp has been ordered to make updates to its already lengthy privacy policy and change how it notifies users about sharing their data. This will bring it into compliance with Europe’s General Data Protection Regulation (GDPR) which governs how tech companies gather and use data in the EU. GDPR came into effect in May of 2018, and WhatsApp was one of the first companies to be hit with privacy lawsuits under the regulation.
A WhatsApp spokesperson said in an email to The Verge that the company will appeal the decision.
“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” the spokesperson said. “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”
The decision by the DPC began with an investigation in 2018 and is the second-largest fine levied under GDPR regulations. In July this year, Amazon was fined a record $887 million for breaching the EU privacy laws.