GDPR Decision on WhatsApp Delayed Over Company's Concerns
November 20 2019 - 3:01PM
Dow Jones News
By Catherine Stupp
BRUSSELS -- A decision in Ireland's privacy investigation into
Facebook Inc.'s WhatsApp has been delayed because the company's
lawyers raised concerns about how the regulator will share
potentially sensitive commercial data with authorities in other
European countries.
Ireland's Data Protection Commission will need a few weeks to
respond to WhatsApp's questions, the regulator's head, Helen Dixon,
told WSJ Pro Cybersecurity on Wednesday on the sidelines of a
privacy conference. As a result, Ms. Dixon said a decision would
likely come in early 2020 instead of the end of this year, as she
had previously flagged.
"We want any issues with the process and the fair procedures
aired out now. We do not want to end up in court where it's not the
substance of our decision or the merits of our decision that's
being appealed or challenged, it's the procedures we followed,"
said Ms. Dixon, the commissioner for data protection. Fortune
reported about the delay Tuesday.
A WhatsApp spokeswoman declined to comment.
Ms. Dixon's office is investigating Facebook, Twitter Inc. and
other technology companies for possible violations of the European
Union's 18-month-old privacy law, the General Data Protection
Regulation. The companies fall under her office's jurisdiction
because their European headquarters are in Ireland. Other EU
regulators can object to the Irish regulator's decisions.
The WhatsApp probe is considering whether the messaging platform
informed its users sufficiently about how it shares their data with
other companies. Failure to do so could violate the GDPR. Companies
that break the law can face fines of up to 4% of global revenue or
EUR20 million (about $22 million), whichever is higher.
The case marks the first time a regulator will require input
from counterparts in all other EU countries before finalizing a
decision, Ms. Dixon said during a panel discussion at the
conference. When a case concerns privacy rights of residents of
more than one EU country, one regulator leads the investigation but
others can weigh in and object to a final decision.
"Companies are naturally nervous and entitled to information
about how that's going to work," she said.
Under the GDPR, regulators must follow a special process for
cases affecting people in various European countries. WhatsApp
inquired about that process and whether the Irish regulator would
share information with other authorities including commercial data.
The company also asked for an explanation of the potential
infringement and information about any fine.
The Irish regulator instructed WhatsApp to identify information
it considers confidential or commercially sensitive, Ms. Dixon told
WSJ Pro Cybersecurity, adding she would determine whether the
information is too sensitive to share with other authorities.
The WhatsApp case will be a test of whether Ms. Dixon's office
makes any changes to how it communicates with companies it
investigates, she said. "We're going to learn from the first few
cases," she said.
Ms. Dixon has faced criticism for the length of her office's
GDPR investigations.
In other European countries, regulators have already issued
large penalties related to the data-protection law. This summer,
the U.K. privacy authority proposed fines of GBP99 million ($128
million) against Marriott International Inc. and of GBP183 million
($236 million) against British Airways' parent company,
International Consolidated Airlines Group SA, over cybersecurity
gaps that led to major data breaches.
"Speed is not the only angle when it comes to enforcement," said
Marie-Laure Denis, president of the CNIL, France's data-protection
regulator, speaking on the same panel as Ms. Dixon. European
authorities undertake a huge amount of work that they don't make
public, Ms. Denis said, such as requiring companies to change their
practices to comply with the GDPR.
CNIL fined Alphabet Inc.'s Google EUR50 million ($55 million) in
January, saying the search-engine company didn't go far enough
getting valid user consent to gather data for targeted advertising.
The French regulator will soon publicize more decisions about
corporate probes, Ms. Denis said.
Write to Catherine Stupp at Catherine.Stupp@wsj.com
(END) Dow Jones Newswires
November 20, 2019 14:46 ET (19:46 GMT)
Copyright (c) 2019 Dow Jones & Company, Inc.
Meta Platforms (NASDAQ:META)
Historical Stock Chart
From Aug 2024 to Sep 2024
Meta Platforms (NASDAQ:META)
Historical Stock Chart
From Sep 2023 to Sep 2024