Site navigation

DPC Issues Draft Decision in Facebook-WhatsApp Data Sharing Case

Michael Behr



The draft will be considered by other European data protection watchdogs before a final decision is made.

Ireland’s Data Protection Commission (DPC) has made a draft decision on an EU investigation into the transparency of data-sharing between WhatsApp and its parent company Facebook.

The case dates back to 2018 when GDPR was first introduced. The DPC has been investigating how WhatsApp shares data with Facebook and the app’s compliance with GDPR transparency clauses. These cover how groups inform their users about how their personal data is being utilised and shared so they can exercise their rights.

“The DPC has provisionally concluded this investigation and we sent a draft decision to our fellow EU Data Protection Authorities on December 24, 2020 (in accordance with Article 60 of the GDPR in order to commence the co-decision-making process) and we are waiting to receive their comments on this draft decision,” the DPC said.

“When the process is completed and a final decision issued, it will make clear the standard of transparency to which WhatsApp is expected to adhere as articulated by EU Data Protection Authorities,”

Facebook’s lead EU data supervisor’s proposed settlement will need majority backing before a final decision can be made according to GDPR.

The draft decision is the Irish DPA’s second draft issued in a cross-border GDPR case. It previously fined Twitter 450,000 euros over a data breach the company failed to properly document and provide notification on.

According to the Irish Times, WhatsApp’s Irish subsidiary has set aside 77.5 million euros to cover possible fees linked to the DPC’s investigation.

This is not the only case involving the DPC and Facebook. An ongoing investigation instigated by privacy rights activist Max Schrems and his group NOYB into how Facebook transfers data from the EU to the US was responsible for the Court of Justice of the EU’s (CJEU’s) landmark Schrems I and II decisions.

These saw the invalidation of the legal frameworks used to simplify data transfers from the EU and the US, along with additional requirements added to the existing framework for transfers outside the EU, Standard Contractual Clauses (SCCs).

With the Schrems investigation still ongoing, and its original target being SCCs, the DPC’s decision could have ramifications for EU data legislation.


WhatsApp and Facebook have been in the spotlight recently over a planned update that would see WhatsApp users having to share their data sharing their data with Facebook. While the contents of WhatsApp messages are end-to-end encrypted, metadata, such as contact details, location and financial transactions would be sent to Facebook.

The move sparked a backlash against WhatsApp, which resulted in a rise in downloads for alternative, more privacy-focused messaging apps. The likes of Signal and Telegram saw their downloads surge after the new WhatsApp privacy policy was announced.

As a result, WhatsApp recently pushed back the deadline on the new privacy policy, along with clarifying some of the details of the move.

With privacy-focused search engine DuckDuckGo breaking a record for daily search queries recently, the DPC decision comes at a time when privacy issues and the use of personal data have risen on many people’s agendas.

Michael Behr

Senior Staff Writer

Latest News

Cybersecurity Data Protection
Editor's Picks Recruitment Trending Articles
Cybersecurity Featured Skills
%d bloggers like this: