Is Facebook being fined 110 mil eur first victim of GDPR fines?

Stanko Cerin

The European Commission has fined Facebook 110 million euros for providing misleading information during the review of the WhatsApp merger. Even though the fine is grounded in the EU Merger Regulation, it is a clear message to all those who consider GDPR just another privacy regulation nobody will comply with, because what was misrepresented was, in substance, how users' personal data would be handled: the essence of the violation is a privacy rights violation.

Fined for misleading information about personal data handling

According to the EC press release, “When Facebook notified the acquisition of WhatsApp in 2014, it informed the Commission that it would be unable to establish reliable automated matching between Facebook users' accounts and WhatsApp users' accounts. It stated this both in the notification form and in a reply to a request of information from the Commission. However, in August 2016, WhatsApp announced updates to its terms of service and privacy policy, including the possibility of linking WhatsApp users' phone numbers with Facebook users' identities.”

A clear warning

The same source states that the “... decision is unrelated to either ongoing national antitrust procedures or privacy, data protection or consumer protection issues, which may arise following the August 2016 update of WhatsApp terms of service and privacy policy.” This explicitly leaves room for other violations to be pursued separately. The August 2016 changes themselves fall under the data protection rules in force at the time, since GDPR only applies from May 2018, but anything Facebook does with matched data from then on will be judged under GDPR.

Can EU fine foreign companies?

Under GDPR, the maximum fine is up to 4% of the company's total worldwide annual turnover for the preceding financial year, or 20 million euros, whichever is higher. That is four times more than the EU Merger Regulation, whose fines for supplying incorrect or misleading information can go up to 1% of aggregated turnover.

With GDPR applying from 2018, many stakeholders are asking whether it is even possible for the EU to fine a foreign company. Well, here is the answer. They just did it. 110 million euros. Enough to set an example. GDPR also settles the question on paper: its territorial scope (Article 3) explicitly covers controllers and processors established outside the EU when they offer goods or services to, or monitor the behaviour of, people in the EU.

How will a GDPR fine be calculated?

Facebook's total annual revenue is about 27 billion dollars, which means this fine is roughly 0.45% of that amount, about half of the 1% maximum. Translated to GDPR, where the maximum is four times higher, 4% of that revenue would be roughly 1.1 billion dollars, so a fine of up to about a billion dollars is possible in the future. However, we cannot simply carry the ratio over and conclude that a GDPR fine would be half of the maximum. There are many circumstances that must be considered.

From the GDPR point of view, organizations are required to choose their data protection measures based on an assessment of the risk to the people whose data they process, formalized as a data protection impact assessment (DPIA) for high-risk processing. This means: bigger impact, stricter controls. Given the quantity of personal data Facebook holds, the privacy impact would without any doubt be very big. It is also important to understand the difference between intentional and unintentional violations of the data protection rules, as well as the difference between companies that take good care of personal data security and those that are systematically negligent about it. GDPR itself lists these as factors for setting a fine (Article 83(2)): the nature, gravity and duration of the infringement, whether it was intentional or negligent, the technical and organizational measures in place, previous infringements, cooperation with the supervisory authority, and the categories of personal data affected.

Most exposed are companies whose business models are built on profiling, targeted marketing and sales driven by personal data. Their data protection strategies will be (we see it already) under the regulators' microscope; note that under GDPR it is the national data protection authorities, not the Commission, that impose the fines. It is not only about social networks, but also telecoms, banks, insurance companies, healthcare organizations, government...

We cannot be certain exactly how GDPR fines will be calculated, but all of these factors will be considered, and we can be sure there will be fines. Big ones.