WhatsApp received a fine of 225 million euros from the Irish supervisory authority of all places. The 266-page Irish brief by author Helen Dixon is well worth reading and instructive. In addition to a well-founded analysis of processes at WhatsApp, it contains numerous conclusions including a derivation on data protection.
Update 08.09.2025
Whistleblower (former WhatsApp security chief Attaullah Baig) sues Meta for ignoring security vulnerabilities.
Core allegations:
- Thousands of Meta/WhatsApp employees have access to sensitive user data (profile pictures, locations, contacts)
- Over 100,000 accounts hacked every day without adequate countermeasures
- Refusal of proposed security fixes
- Retaliation and dismissal after warnings to Meta leadership
Baig alleges violations of the 2019 FTC privacy agreement and of securities laws. He has also notified the FTC and the SEC.
Introduction
The following descriptions and excerpts in the form of screenshots refer to the official report of the Irish Data Protection Authority dated 20.08.2021. What motivated me to examine the submissions was, above all, their level of detail. Numerous references and descriptions show impressively how the investigation proceeded. The resulting findings are remarkable. For example, questions arise about
- Duty to provide information,
- the indication of recipients of data,
- the responsibility
- the identifiability of persons,
- the personal reference of data and
- the amount of the fine.
The sins of Meta: https://dr-dsgvo.de/meta
Those who want to know why the Irish data protection authority uses the term "piecemeal fashion" and what it means only have to think about how WhatsApp provides information. This quickly leads to "häppchenweise" (in small portions), a word that does not appear in the GDPR and is therefore probably not permissible where information obligations are to be fulfilled. Serving mandatory information in small pieces seems to have been chosen by Facebook as well as Google as a tactic to evade the law for as long as possible.
The following statement can be found quite frequently in the study by Helen Dixon, author of the document in which the data protection assessment of WhatsApp was carried out.
It is clear that WhatsApp and I fundamentally disagree …
Frequently used statement by Helen Dixon in her report as head of the Irish Data Protection Authority.
The author writes this when WhatsApp gave an answer to questions from the supervisory authority that did not appear valid to the chief investigator. Facebook is now known as Meta. I have not followed this name change here.
Hash value as personal data?
In general, the proceedings against WhatsApp examine, from a data protection law perspective, how people who may not use WhatsApp at all are treated. When a new user registers with WhatsApp, the contacts in their address book are informed about this. This happens after consent, but probably not in conformity with the GDPR. These people in the contact list of a new WhatsApp user are referred to as Non-Users. As far as I know, the notification takes place invisibly through communication with the WhatsApp app and not through a visible notification at operating system level.
The notification of Non-Users works in such a way that a directory is searched to see whether these people have already been notified. For data protection reasons, their phone number is not stored in the directory; instead, a hash value is stored. This procedure is called Lossy Hashing. Whoever would like to know how this hash procedure works will find the following information.

WhatsApp introduces this hash value for phone numbers in order to notify other WhatsApp users via the so-called Contact Feature when a new user joins WhatsApp (Rn. 44h). The reason for the hash approach is also discussed.

With the hash value, it is probably not possible to draw conclusions about a specific user. Instead, it should only be possible to draw conclusions about a group of 16 different users.

In this regard, I would like to note that in a judgment of the OGH (Austria) from 18.02.2021 (Case No. 6 Ob 127/20z), probability statements about preferences of persons were also considered as personal data if there is a person-related connection before the statements are made.
Identifiability of a person
The understanding of the Article 29 Working Party cited by Mrs. Dixon is interesting; this group is even mentioned in Art. 94 GDPR. The group sees it as I do: a person is considered identifiable if they can be distinguished from a group of other persons. This is expressed in the group's so-called Opinion 4/2007.

Identifiability as a criterion for the existence of personal data is mentioned in Art. 4 No. 1 GDPR. Recital 26 adds further detail.
It is therefore not necessary that a person can be specifically identified, i.e. that a "hard" identifier such as an IP address, name, postal address or vehicle registration number is available. Rather, it suffices that one person can be recognised as this one person and distinguished from other people.
That is also the concept behind web tracking. It is of little interest to Google & Co. to know exactly who is behind the user visiting a website at the moment. Rather, Google or an advertiser wants to know whether this user is User 4711 or someone else, so that the matching user profile can be used, because it is known about User 4711 that she is female, listens to heavy metal and likes to buy Greek specialties online.
Even if it cannot be directly concluded that a specific person is intended in a group of persons, identifiability of the person may exist. This is how the Article 29 Working Party puts it.

In concrete terms, this means, according to my understanding, that even additional information that is not currently available must be considered if it could be obtained or will soon be available. This is analogous to the ECJ ruling on IP addresses.
In Rn. 60 and 61 it is further stated what the CJEU has already established, namely that data are to be regarded as personal within the meaning of Art. 4 No. 1 GDPR even if the link to the person cannot be made directly and cannot be made by the controller itself.
Recital 26 contains a risk-based approach for assessing whether data are personal (Rn. 79). This is also found in the Breyer judgment of the CJEU regarding IP addresses (Rn. 85). In the Breyer judgment, it is stated that a link to a person is to be assumed (provided an identifier such as an IP address or something else is used) if the risk of identification cannot in fact be disregarded (para. 46 of the judgment).
Recital 26 states, among other things:
To determine whether a natural person is identifiable, account should be taken of all the means likely to be used by the controller or another person to identify the natural person directly or indirectly, such as singling out.
Extract from Recital 26 of the GDPR.
Further it is stated there that the technology available at the time of processing and technological developments should be taken into account. In this context, WhatsApp is alleged to have been able to search the internet or social media using a known telephone number of a Non-User in order to determine their identity (Rn. 83 c).
A comparison is drawn between the WhatsApp hash value of Non-Users and the ECJ ruling on IP addresses (Rn. 70 and 95). Mrs Dixon finds that the hash value for a Non-User together with their phone number, which only exists in storage for very short periods of time, constitutes personal data (Rn. 66 and 110). The phone number is also considered personal data by her even after it has been converted into a hash value.
An interesting line of argument is to assume, hypothetically, that the phone number of a Non-User does not constitute personal data (Rn. 89). The consequence would be that this phone number could be processed without restriction. This seems absurd and therefore cannot be assumed, which confirms that the data are personal (Rn. 90f). Another route to this insight leads through Art. 33 GDPR, which establishes a duty to report a breach of the protection of personal data to an authority. Such a notification would not be possible if the data in question were not personal (Rn. 94). It is also noted that WhatsApp controls the design of the application itself and could therefore establish secure mechanisms. Here I refer to Art. 25 GDPR.
It is sufficient that possibilities for identifying persons exist; it does not matter whether a controller can or wants to use these possibilities (Rn. 95). The probability of an identification plays no role.
The processing of a telephone number of a Non-User takes place in the following steps (Rn. 103):
- Access to the number through WhatsApp
- Transfer of the number to WhatsApp servers
- Formation of a Lossy-Hash Value from the Number
- Irretrievable deletion of the number
Despite the irreversible deletion of the number after a very short time, it is considered personal data. The collection of the number, i.e. obtaining it with the possibility of taking note of it, is highlighted as an important form of data processing ("to collect" = German "erheben", Rn. 103). Whether WhatsApp actually deletes the number or only claims to do so is another question.
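To make the lossy-hash procedure described above (the hash that narrows a number down to a group rather than a person) and the four processing steps of Rn. 103 concrete, here is an added Python illustration. It is not code from the decision or from WhatsApp; the hash function, the bucket size, the numbering block and the address book are constructed assumptions. It shows the point the Article 29 Working Party makes about singling out: even though many numbers share one truncated hash value, the value still distinguishes one entry within a small candidate set such as an address book, and because the space of possible phone numbers is small enough to enumerate, the full table of hash values can be rebuilt by anyone holding the hash.

```python
"""Lossy hashing of phone numbers: added illustration, not the decision's or WhatsApp's code.
All numbers below are constructed; the parameters are assumptions chosen so that
roughly 16 numbers share one hash value, as the text describes."""
import hashlib
from collections import defaultdict

# 8 bits = 256 buckets; with a constructed space of 4096 numbers that gives
# about 16 numbers per bucket (assumed parameter, not WhatsApp's real value).
HASH_BITS = 8


def lossy_hash(phone, bits=HASH_BITS):
    """SHA-256 of the number, keeping only the leading `bits` bits.
    The truncation is what makes the hash 'lossy': many numbers map to one value."""
    digest = hashlib.sha256(phone.encode("ascii")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def process_non_user(phone):
    """The four steps of Rn. 103 in order: access, transfer, lossy hash, deletion.
    Only the hash value is returned; the number itself is not retained."""
    received = phone                                 # steps 1 and 2: number reaches the server
    record = {"lossy_hash": lossy_hash(received)}    # step 3: form the lossy hash
    del received                                     # step 4: discard the number
    return record


def build_number_space(size):
    """Constructed numbering block of synthetic numbers (not real subscribers)."""
    return [f"+49 170 {n:07d}" for n in range(size)]


def bucket_index(numbers):
    """Map every lossy hash value to all numbers that produce it.
    Real numbering plans hold on the order of 10^10 numbers, so the same
    table can be built for them: the input space is enumerable."""
    index = defaultdict(list)
    for number in numbers:
        index[lossy_hash(number)].append(number)
    return index


def candidates(lossy_value, address_book):
    """Entries of one address book that match a stored hash value.
    This is the 'singling out' step: the group of 16 shrinks to whoever
    in this particular address book shares the value."""
    return [n for n in address_book if lossy_hash(n) == lossy_value]


if __name__ == "__main__":
    space = build_number_space(4096)
    index = bucket_index(space)
    target = space[1234]
    stored = process_non_user(target)               # what the server keeps
    bucket = index[stored["lossy_hash"]]
    print(f"numbers in the whole space sharing this hash: {len(bucket)}")
    # A single user's address book is a far smaller candidate set (constructed: 200 entries).
    book = space[1200:1400]
    print(f"matching entries in one address book: {candidates(stored['lossy_hash'], book)}")
```

Run it as a script to see the two numbers side by side: the bucket size over the whole numbering block (around 16) versus the handful of matches, often just one, inside a single address book. That difference is exactly why the hash value, stored without the number, still allows a person to be distinguished from others.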
The existence of data processing is not dependent on time restrictions. Even data that is only available for an extremely short period of time is de facto processed.
According to para. 104 ibid.
It is further argued that a Non-User is initially an unidentified person from a large group. The goal, however, is to address the individual Non-User and turn them into a User, which presupposes a prior identification (Rn. 92).
Mrs. Dixon accepts that the WhatsApp function that identifies which contacts in a user's address book are also WhatsApp users is useful. Conversely, she also finds that WhatsApp itself profits from it (Rn. 93). This gives rise to a responsibility.
It becomes complicated then, which is why I will only briefly go into this here. Due to presumably new statements from WhatsApp, a matching of users takes place via a new hash value, the Notification Hash, and not via the previously discussed Lossy Hash. Ireland and the European Data Protection Board were then at odds over the question of attributing a Non-User telephone number to a person after hashing. The Board ordered Ireland according to Article 65 (6) GDPR to correct its opinion and assume personal reference (Rn. 106ff).
What is a responsible person ("controller")?
A responsibility arises from factual circumstances and not from formal circumstances (Rn. 119f). The concept of the responsible person is therefore a functional concept. To determine the employed means, both organisational and technical questions are to be asked, as postulated by Opinion 1/2010. Whoever determines the purposes is factually responsible (Rn. 121). This also applies, for example, to determining the data storage period or access possibilities.
Who is responsible can also be determined by who initiated a process or why the process is taking place (para. 122 c).
To determine whether responsibility exists, a test can be carried out on various criteria. This is what Helen Dixon suggests.
Primarily, the concept of the role of a responsible person is characterized by assigning responsibility (Rn. 116). Reference is also made here to Opinion 1/2010 of the Article 29 Group (Rn. 118). According to this, liability arises when an entity has decided to process data for its own purposes.
Important questions for determining responsibility are (para. 141):
- Which data should be processed?
- How long will the data be stored?
- Who should have access to the data?
These questions are to be answered from the perspective of the data subjects; a broad view of responsibility is appropriate here (Rn. 139).
If a body determines which personal data are to be processed, this increases the likelihood that this body is the controller (cf. Rn. 145 c).
If a body does not specify, or does not specify exactly, how long data will be stored, this likewise increases the likelihood that the body is the controller (see Rn. 145 d), because the data subject then has no significant influence on this and therefore no responsibility for it.
Whoever determines who has access to the data is responsible for it, or at least more likely to be responsible for the data processing (see Rn. 145 e).
The same applies to the determination of the means (Rn. 145 f).
After all that and more, Helen Dixon sees WhatsApp as responsible and not as a data processor (Rn. 154).
Information obligations of those responsible
Due to the complementarity of Art. 13 GDPR and Art. 14 GDPR, Mrs. Dixon attaches special significance to the controller's obligation to inform data subjects (Rn. 173). She goes further and, also with reference to Art. 15(1) and (2) GDPR, sees the information obligations as the foundation ("bedrock") on which the other rights of data subjects rest (Rn. 174). Only then can a data subject understand whether and how their data have been or are to be processed.
The data protection information provided by WhatsApp was assessed in terms of its scope (Rn. 195). Even the approximate extent in DIN A4 pages was determined, as was the share of each individual document (terms of use, privacy notices etc.) as a percentage of the total.
It was found that a link to an important document with link text such as "Learn More" is not sufficient (Rn. 196f). The format of individual documents was critically evaluated (Rn. 198f) and compared with Art. 12(1) GDPR. Similarly, the need to scroll through a longer text was critically examined (approximately Rn. 204). Under investigation, WhatsApp even admitted that its provision of mandatory information needed improvement (Rn. 215f).
In Rn. 224 it is noted that market conditions or the specific conduct of certain market segments with regard to the GDPR are irrelevant. The argument "everyone does it" does not apply. I last encountered this pseudo-argument in a defence brief from an opposing party. The proceedings, in which I was able to assist as an expert in court, are still ongoing.
An excessive provision of general information combined with an insufficient provision of specific information appears contrary to the GDPR (Rn. 226).
Starting with Rn. 329, Mrs. Dixon explains which information WhatsApp provides in what form and also considers links to further documents. From Rn. 332 onwards, the documents are criticized for their structure and manner of provision. It is also highlighted that there are content duplications and on the other hand, examples are missing at some points or the language is unclear. As a result, a risk of confusion and lack of transparency is seen (Rn. 336).
The whole thing is summarized as follows:
The user should not have to work hard to access the prescribed information; nor should he/she be left wondering if he/she has exhausted all available sources of information and nor should he/she have to try to reconcile discrepancies between the various pieces of information set out in different locations.
Rn. 337 ibid.
This approach can also be applied to the many confusing and opaque Google documents that come into play when using Google tools such as Google reCAPTCHA, Google Maps or the Google Tag Manager. I am looking forward to the next major fine, which will hopefully be imposed on Google. One reason for it could be the Chrome browser. ([1]) ([2]) ([3]) ([4])
From Rn. 345 onwards it is noted that WhatsApp has unfortunately not sufficiently described the categories of data processed.
In Rn. 355 the phrase referred to at the top of this article (the "cliffhanger") is used:
The information has been furnished in a piecemeal fashion that requires the user to link in and out of various different sections of the Privacy Policy as well as the Terms of Service and a comprehensive FAQ entitled “How we work with the Facebook Companies” […].
para. 355 ibid.
It is pointed out that the WhatsApp privacy notices are presented in such a way that no common thread is recognisable, let alone a single overall text (Rn. 356), to which "The user should not have to work hard to access the prescribed information" also applies. I would like to level this accusation at Google. Given Google's Irish establishment, it will probably be easier not to proceed against Google directly but against controllers in Germany who cannot help but use Google services unreflectively, or who ideally understand Google's statements and can explain them to me within a month (Art. 12(3) GDPR).
In all her reviews of WhatsApp statements, Helen Dixon regularly notes that WhatsApp and she "fundamentally disagree". After all, this is worth a fine to her, albeit not a painful one for Facebook.
Details of the recipients
According to Art. 13 Abs. 1 e GDPR and Art. 14 Abs. 1 e GDPR, recipients or categories of data recipients are to be named in order to fulfill information obligations according to Art. 12 GDPR. The Article 29 Group is cited by Mrs. Dixon here (Rn. 426).
The Group writes that the names of recipients should usually be mentioned because this is usually the most meaningful information to which a data subject is entitled. The person should be able to know who has received or should receive their data.
If categories of recipients are named, this should be done as precisely as possible. This also includes naming the activities of each category of recipient.
Personally, I believe that at least with a request for information pursuant to Article 15(1) c GDPR, the concrete recipients must be named. This is especially true when the affected person explicitly wishes it. These recipients must be known to the responsible party in any case. A concrete request for information can only be opposed by valid reasons that justify not naming individual recipients. Apart from a confidentiality agreement, etc., I can hardly imagine many possibilities here. In the article linked above [15], I have cited some sources that support my opinion.
Specification of the storage period
According to Article 5, paragraph 1 c and e of the GDPR, the principles of Data Minimization and Storage Limitation apply. In this context, information obligations must be fulfilled (Article 13, paragraph 2 a GDPR). Specifically, for the assessment of whether a legitimate interest exists, the storage duration of data is an important piece of information. The Article 29 Working Party is quoted as follows:
It is not sufficient for the data controller to generically state that personal data will be kept as long as necessary for the legitimate purposes of the processing. Where relevant, the different storage periods should be stipulated for different categories of personal data and/or different processing purposes, including where appropriate, archiving periods.
Excerpt from para. 468.
Accordingly, statements on the storage period must be as precise as possible. In Rn. 469 it is pointed out that these statements must contain "meaningful information" that the reader can actually use.
In Rn. 482 it is at least confirmed that WhatsApp has succeeded in fulfilling the requirements of Art. 13 GDPR, namely in explaining the right to information. However, something negative is again found when less easily enforceable regulations, such as the conditions for consent, are concerned (Rn. 496).
An automated decision-making process according to Article 13 Section 2 f does not take place at WhatsApp, as per Rn. 524.
Data exchange with other Facebook companies
Part 3 of the document looks at the issue of transparency in the sharing of user data between WhatsApp and the other Facebook companies. Individual text passages from WhatsApp's privacy policy are meticulously examined for compliance with the GDPR. The citation of these passages is one of the reasons for the length of Ms. Dixon's overall document, although numerous discussions contribute to its length.
Ms. Dixon notes that the Facebook companies with which WhatsApp shares data are not sufficiently named (para. 577). WhatsApp thinks this is OK because the GDPR would not require this (para. 581) or it would be sufficient if this information could be found somewhere else in any publicly available sources.
In Rn. 591f it is formally established that WhatsApp has failed to adequately explain the data exchange with other Facebook companies. Additionally, Ms. Dixon encourages WhatsApp to remove the questionable privacy notices if it does not intend to exchange data with other Facebook firms.
Transparency of processing
In Part 4 of the document, questions regarding transparency in data processing are discussed (Rn. 593ff). This mainly concerned the transparency concept referred to by Mrs Dixon from Art. 5 Abs. 1 GDPR and the information obligations under Articles 12, 13 and 14 GDPR.
The EDPB does not see this transparency concept defined in the GDPR, but nevertheless regards it as given (Rn. 188). Ireland was overruled at European level and had to take WhatsApp to task for a breach of Article 5(1) GDPR.
Determination of the fine
I will not go into the details of Part 5, which deals with the imposition of a fine. It is surprisingly long. At the end, the EDPB demands that the Irish authority impose a higher penalty than intended (Rn. 807).
The Irish data protection authority initially only wanted to impose a fine of €50 million. Objections by other European national authorities, including those from Germany, led to an increase to €225 million. Ireland may have arrived at the €50 million figure because the French data protection authority CNIL had imposed a similar fine on Google for its French search engine google.fr (Rn. 809ff).
If you want to know how much revenue Facebook (USA) and WhatsApp (Ireland) generated, you can find the answer here:

After all, the turnover was so high that the fine did not exceed 2 or 4 % of it. Here is a (more recent) statistic that helps to estimate the turnover:

The sum of the fine is made up of several partial sums, which were justified as follows.

Art. 5 Abs. 1 a GDPR requires the processing of personal data "on a lawful basis, in good faith and in a manner that is transparent to the individual concerned". It seems WhatsApp has not managed to do this.
Art. 12 GDPR contains provisions on the obligation to provide transparent information to data subjects, which WhatsApp appears to have grossly violated.
Art. 13 GDPR concerns the information to be provided where data are collected from the data subject. There were gaps here at WhatsApp as well.
Art. 14 GDPR is analogous to Art. 13 GDPR, except that it concerns data not obtained from the data subject. Notably, the process of notifying Non-Users belongs here, which was implemented with an apparently non-compliant hash procedure. ([1])
The amount of the fine has been criticised repeatedly, as Facebook probably considers it rather low. I suspect that the economic benefit Facebook derived from the data processing affected by the established violations was much higher. After all, in marketing terms it is almost priceless when the registration of a new user allows practically all contacts in their address book to be exploited.
Final remarks
The derivations and justifications given in Helen Dixon's document are certainly worth reading. They lead to interesting insights and findings. At the very least, however, they show how an official investigation can proceed. For example, investigations by the authorities themselves are listed, to which WhatsApp responded. This then led to the conclusions of an employee ("decision maker"), which in turn were analyzed by the chief investigator herself, who also took WhatsApp's responses into account.
Helen Dixon's argument is based on what I think is a coherent derivation. Whether the respective assessment is specifically good or bad, right or wrong, appropriate or biased is another question.
In any case, the argumentation is very much based on relevant guidelines and opinions, such as those of the Article 29 Working Group, the predecessor of the EDPB.
I agree with Helen Dixon on one important point: A person is considered identifiable if they can be distinguished from other people. This is the opinion of the Article 29 Group.
Also interesting
- Norwegian data protection authority against Grindr. The letter from the Norwegians explaining their decision to impose a fine of millions has 68 pages. The writing style and structure are completely different from the WhatsApp document.
Key messages of this article
WhatsApp was fined 225 million euros for violating data protection regulations, particularly when sharing user data with other companies.
Even if a hash value does not directly identify a person, it can still be considered personal data if it is used to identify a person within a group of people.
Even if a telephone number is not directly linked to a person, it can still be considered personal data because it is possible to identify someone with it.
WhatsApp processes phone numbers, even if they are to be deleted, in order to identify users and show them advertising.
Whoever processes data and determines who has access to it is responsible for compliance with the General Data Protection Regulation (GDPR).
The privacy policies of WhatsApp and Google are confusing and difficult for users to understand.
WhatsApp needs to be more transparent about what data it passes on to whom and how long it is stored.
WhatsApp was fined 225 million euros for a lack of transparency in the use of data and its transfer to other Facebook companies.
The data protection supervisory authority criticizes Facebook (WhatsApp) for non-compliant data protection practices when notifying non-users and considers the fine to be too low.




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
