DECISION SUMMARY
What happened
On 2 September 2021, the Irish Data Protection Commission issued a final decision imposing an administrative fine of €225 million on WhatsApp Ireland Limited. The decision concluded an own-volition inquiry, opened by the DPC in December 2018, into WhatsApp's compliance with transparency obligations under Articles 12, 13 and 14 GDPR. The inquiry covered the period from 25 May 2018 (the start of GDPR application) to the date of the decision.
The investigation focused on the information WhatsApp provided to users (people who downloaded and registered for the service) and to non-users (people whose phone numbers appeared in users' address books and were processed by WhatsApp for contact-matching). It examined the privacy notice on the WhatsApp website, the in-app information surfaces, and the supplementary materials (FAQ pages, help articles). The DPC catalogued specific deficits across the legal categories that Articles 13 and 14 require controllers to disclose: identity of the controller, purposes of processing, lawful basis, recipients (including third-party processors), international transfers, retention periods, and data subject rights.
As lead supervisory authority under Article 56, the DPC ran the inquiry, circulated a draft decision in December 2020 with a proposed fine of €30-50 million, and processed the Article 60 objections from concerned authorities. Eight concerned authorities raised reasoned objections, including the German federal regulator, the French CNIL, the Italian Garante and the Polish UODO. The objections went principally to the inadequacy of the draft fine: the proposed €30-50 million figure was, in the view of the objecting authorities, insufficiently dissuasive given WhatsApp's scale (approximately 400 million European users) and the multi-year duration of the transparency failures.
The EDPB binding decision
The Article 60 cooperation procedure did not produce consensus and the matter was referred to the European Data Protection Board on 3 June 2021. On 28 July 2021, the EDPB adopted Binding Decision 1/2021. The decision instructed the DPC on several points. First, the EDPB required the DPC to make additional findings of infringement that had been raised by concerned authorities. Second, on the critical question of the fine amount, the EDPB instructed the DPC to recalculate the fine taking into account the global turnover of the entire Meta group (rather than treating WhatsApp Ireland Limited as a stand-alone undertaking for Article 83(5) cap purposes). Third, the EDPB instructed the DPC to apply the gravity and duration factors in Article 83(2) in a way that yielded an effective, proportionate and dissuasive fine consistent with the EDPB's reasoning.
The DPC's final decision implemented the EDPB instruction. The Article 83(5) cap was calculated against Meta group revenue, which placed the ceiling in the multi-billion euro range. Within that cap, the DPC arrived at €225 million, roughly five times the upper end of its original draft. This Article 65 intervention was the first in the EDPB's history and established the mechanism as a structural feature of cross-border enforcement against entities established in Ireland.
What the DPC found
The decision identifies five clusters of transparency failure. First, the information about categories of personal data processed was incomplete; the privacy notice did not adequately enumerate the data WhatsApp processed (including metadata, device-identifier data and inferred attributes). Second, the information about recipients was insufficient; the notice referenced "the Facebook companies" (later Meta companies) without explaining what data was shared with which entity for what purpose. Third, the lawful-basis information was ambiguous; the notice did not pair each processing operation with the specific Article 6 basis on which WhatsApp relied. Fourth, the retention-period information was generic; the notice did not provide specific periods or the criteria for determining periods. Fifth, the Article 14 information to non-users (whose phone numbers appeared in users' address books) was effectively absent.
The Article 14 finding on non-users was particularly significant. When a WhatsApp user uploads their address book to enable contact-matching, WhatsApp processes the phone numbers (and associated names) of every contact, including those who are not WhatsApp users. Article 14 GDPR requires the controller to provide privacy information to those non-users within a reasonable period, normally no later than one month after obtaining the data. WhatsApp could not realistically contact every non-user, but the DPC found that this practical difficulty did not relieve it of the underlying duty: the architecture of the processing meant non-users could not be informed, and an architecture that prevents transparency is itself an infringement of the framework that Article 5(1)(a) requires.
Why the case matters
For transparency compliance, the WhatsApp decision is the most-cited single authority. It establishes that Articles 12-14 are not satisfied by generic information or by hyperlinks to long policy pages. Each processing operation must be matched to its specific purpose, lawful basis, recipients, retention period and data subject rights, in language that the data subject can understand. The decision sets a standard of granularity that has reshaped privacy notices across the EU, particularly in messaging, social media, and any service that processes personal data of non-users alongside users.
For the institutional architecture of GDPR enforcement, the WhatsApp decision is the founding precedent for the EDPB Article 65 mechanism. The pattern recurred in Instagram 2022 (€405M), Meta Ireland 2023 contractual-basis (€390M), TikTok 2023 (€345M) and Meta Chapter V 2023 (€1.2B). In each case the EDPB intervention materially raised the fine and added or sharpened findings. The institutional message is that the DPC's lead-authority discretion in cross-border Big Tech inquiries is structurally constrained by the EDPB, and concerned authorities have both the will and the procedural means to escalate.