The DPC also instructed WhatsApp Ireland to bring its data processing operations into compliance within a period of six months.

The DPC began its inquiry following a complaint made almost five years ago by a German data subject about WhatsApp's use of consent. 

The complaint was made before GDPR rules were put into operation. However, WhatsApp Ireland updated its Terms of Service around this time and informed users that if they wished to continue to have access to the WhatsApp service following the introduction of the GDPR, existing and new users were asked to click accept updated Terms of Service.

The services would not be accessible if users declined to do so.

WhatsApp Ireland considered that, on accepting the updated Terms of Service, a contract was entered into between WhatsApp Ireland and the user.

The complainant argued that by making the accessibility of WhatsApp services conditional on users accepting the updated Terms of Service, the company was “forcing” them to consent to the processing of their personal data for service improvement and security.

The complainant argued that this was in breach of the GDPR.

The DPC already imposed a fine of €225m on WhatsApp Ireland for breaches of this and other transparency obligations over the same period of time and did not propose the imposition of any further fine or corrective measures.

The watchdog also held the view that WhatsApp Ireland did not rely on users’ consent to provide a lawful basis for processing personal data. The DPC said that the “forced consent” aspect of the complaints could not be sustained.

The matter was eventually referred to the European Data Protection Board (EDPB) to be resolved.

The EDPB took a different view to the DPC on the legal basis matter, finding that WhatsApp Ireland was not entitled to rely on the contract as providing a lawful basis for its processing of personal data for the purposes of service improvement and security.