WhatsApp and Facebook are to pay 300,000 Euro, because of Public Consent issue

Spain, Madrid, 15 of March 2018: According to press release of AEPD (Spain Data protection Authority), WhatsApp and Facebook are sanctioned with 300,000 euro each because of lack of public consent and agreement of end users to collect and process their personal data.

GDPR is not yet activated, as we know. It will become actual on 25th of May. However, identified by AEPD violation is in contradiction with existing personal data privacy and protection laws of European Union and Spain.

There are two issue identified:

  1. WhatsApp transfers personal data to Facebook without appropriate public consent. In terms of GDPR, this is infringement of data controller regulation.
  2. Facebook processes personal data without end users agreement. This is close to violation of data controller to data processor agreement.

Well, unfortunately I expect to see pipeline of such press releases somewhere in June-July 2018, once GDPR gets its full power starting 25th of May 2018.  The reason of my pessimism is that many of the companies I speak in relation to GDPR, don’t carefully sute their existing public consent to the needs of human rights concept stated in this law.


The difference to the existing public consent principle is in fact that new GDPR world requires accurate control of consents provided by the users, and alignment of this with business operations. As well as special technical and organizational measures to control cyber security barriers to protect personal data storage and processing.