The European Union’s data protection enforcement apparatus issued its largest single fine against a social media company in two years on Friday morning, ordering Meta to pay 800 million euros for violations of the General Data Protection Regulation related to how WhatsApp data was shared between the messaging application and Meta’s broader family of services including Facebook and Instagram. The fine, issued by the Irish Data Protection Commission acting as the EU’s lead supervisory authority for Meta’s European operations, also comes with a binding order requiring Meta to make fundamental changes to how it processes and shares WhatsApp user data across its platforms within 90 days – or face further daily fines of up to 100,000 euros per day until compliance is achieved.
The case has been proceeding through the EU’s regulatory process for more than three years, involving multiple rounds of investigation, Meta’s responses and legal challenges, and cooperation procedures among data protection authorities from across the EU member states. The core finding is that Meta violated GDPR’s requirements around lawful basis for data processing and its requirements for transparency with users about how their data is used when it combined data from WhatsApp accounts – which users typically associate with private messaging – with the broader data profiles that Meta maintains across its advertising ecosystem. Meta had argued that users gave valid consent to this data sharing and that the combination serves legitimate interests related to security, service improvement and spam prevention. The regulators disagreed.
What Meta Was Found to Have Done
- Sharing WhatsApp user data including phone numbers, message metadata, device information and usage patterns with Facebook’s advertising targeting systems without a valid lawful basis under GDPR Article 6.
- Failing to provide sufficiently clear, specific and accessible information to WhatsApp users about how their data would be used outside the messaging service itself.
- Using contract performance as a claimed lawful basis for data processing that regulators found did not meet the standard required by GDPR when the data use is not directly necessary for providing the contracted messaging service.
- Maintaining data retention practices for WhatsApp message metadata that exceeded the period reasonably necessary for the purposes claimed.
- Failing to implement adequate technical measures to separate WhatsApp data from other Meta systems in ways that would prevent it from flowing into advertising-related processing.
Meta’s Response
Meta announced immediately after the fine’s publication that it will appeal the decision, calling the regulatory finding ‘deeply flawed’ and arguing that the data sharing practices at issue serve genuine safety and service quality purposes that GDPR permits under its legitimate interests provisions. The company’s legal team has consistently argued throughout the proceedings that EU regulators are applying GDPR in a way that will make it impossible for multi-service platforms to provide the integrated experiences that users expect and benefit from – a position that has some support among technology policy commentators who believe the EU’s data protection framework has been applied in ways that go beyond what its text requires.
The appeal will be filed in Irish courts, and from there could proceed to the EU’s Court of Justice if Meta chooses to continue challenging the ruling at the European level. Appeals of major GDPR decisions have a mixed track record – Meta’s previous 1.2 billion euro fine for transferring European user data to US servers was upheld on appeal, but other major enforcement actions have been partially overturned or significantly reduced in the appeal process. The 90-day compliance order is potentially the most practically significant aspect of the decision for Meta’s business, since the changes required in how WhatsApp data flows within Meta’s systems could affect the advertising targeting capabilities that underpin the company’s European revenue.
The Broader Picture of EU Tech Enforcement
Friday’s fine against Meta is the latest in a sustained period of EU regulatory action against major technology companies that has made the European Union the world’s most active jurisdiction for large-scale technology enforcement. Since GDPR came into force in 2018, EU authorities have issued billions of euros in fines against companies including Google, Amazon, Apple, Meta and TikTok for violations ranging from data protection failures to anti-competitive conduct under the Digital Markets Act.
The pattern of enforcement has triggered an ongoing debate about whether the EU’s regulatory approach is producing genuine improvements in consumer privacy and market competition or primarily generating regulatory costs and legal uncertainty for technology businesses without commensurate benefits for European users. Technology industry representatives argue consistently that the EU’s approach is making Europe a less attractive market for technology investment and innovation. EU regulators and privacy advocates counter that enforcement is producing real changes in how companies handle data, that deterrence only works if fines are genuinely significant relative to company revenues, and that the alternative – allowing large platforms to continue operating without meaningful accountability – produces harms that dwarf the costs of enforcement.
For WhatsApp users in Europe, the immediate practical implications of Friday’s fine are limited. Meta is unlikely to change its services materially during the appeal process, and the 90-day compliance order will be stayed pending the appeal’s outcome. What the decision does change is the ongoing conversation about the long-term trajectory of data privacy in Europe – and the increasingly clear message that the EU intends to enforce GDPR with fines that are large enough to be felt by even the world’s most valuable companies.
How WhatsApp Data Sharing Actually Works
Understanding the technical reality of how WhatsApp data has flowed within Meta’s systems requires engaging with the specifics of what data is and is not shared, because the popular characterisation of the enforcement action as being about ‘reading your messages’ is inaccurate in important ways. WhatsApp messages themselves – the actual content of conversations – are end-to-end encrypted in a way that Meta’s own servers cannot decrypt, and the enforcement action does not involve message content. What the regulators found problematic is the metadata associated with WhatsApp usage: information including which phone numbers are registered on WhatsApp, how frequently users communicate with each other, the device identifiers of WhatsApp users’ phones, location data associated with message sending, and usage patterns including when WhatsApp is opened and how long sessions last.
This metadata, while not the content of conversations, is commercially valuable in ways that are not immediately obvious to most users. Phone number graphs – the mapping of which numbers communicate with each other and how frequently – can be used to infer social networks and relationships. Device identifiers can be cross-referenced with data from Meta’s other platforms to link the behaviour of a WhatsApp user with their Facebook and Instagram activity even if they use different accounts on different platforms. Usage timing and frequency data can inform inferences about daily schedules, lifestyle patterns and interests. Individually, each data point is relatively innocuous; in combination, they contribute to the detailed behavioural profile that makes Meta’s advertising targeting as powerful as it is. It is this combination – the flowing of data associated with a private messaging service into an advertising-driven behavioural profiling system – that the regulators found violated GDPR’s requirements for transparency and valid consent.
The Compliance Order: What Meta Must Change
The 90-day compliance order accompanying the fine is, in practical terms, more disruptive to Meta’s European business than the fine itself. The order requires Meta to implement technical barriers that prevent WhatsApp user data from flowing into its advertising-related processing systems without a clear lawful basis and proper user notification. What this means in practice is that Meta must either obtain explicit, informed, granular consent from European WhatsApp users for each category of data sharing with other Meta services – a consent requirement that most privacy researchers believe will result in the vast majority of users declining – or it must fundamentally restructure its data architecture in Europe to create genuine separation between the WhatsApp data environment and the broader Meta advertising data ecosystem.
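As an added illustration of the kind of technical barrier the order describes, the following is example code written for this article; it is not Meta’s or WhatsApp’s code and does not describe their systems. It assumes a constructed record layout with three exportable categories (phone number, device identifier, usage pattern), a per-user, per-category consent map, and a keyed HMAC pseudonym under a purpose-specific key, so that an identifier released for advertising cannot be joined against the same identifier held elsewhere (the cross-referencing concern raised in the previous section). The gate only copies consented categories, never copies message content or location, records every decision for user notification and audit, and a separate check function detects leaks in any batch regardless of which code produced it.

```python
import hashlib
import hmac

# Categories that may leave the messaging service, each needing its own consent.
# Constructed for this example; they mirror the data types the article lists.
CATEGORIES = ("phone_number", "device_id", "usage_pattern")

# Fields that never leave the messaging environment, whatever the consent state.
NEVER_EXPORT = frozenset({"message_text", "location", "contact_graph"})

# Raw identifiers must be pseudonymised before export so the receiving system
# cannot join them against identifiers it already holds.
IDENTIFIERS = ("phone_number", "device_id")

# Per-purpose pseudonymisation key (constructed; a real one would live in a
# key-management service and never be shared with the receiving system).
ADS_PURPOSE_KEY = b"constructed-ads-purpose-key"


def pseudonymise(value: str, purpose_key: bytes) -> str:
    """Keyed one-way pseudonym. A different purpose key yields an unrelated
    value, so outputs produced for two purposes cannot be linked."""
    return hmac.new(purpose_key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def export_for_ads(records, consents, purpose_key=ADS_PURPOSE_KEY):
    """Gate messaging metadata on its way to an advertising pipeline.

    Returns (exported, audit). Only categories the user has explicitly
    consented to are copied, identifiers are pseudonymised, and every
    decision is recorded so it can be shown to the user and to an auditor.
    """
    exported, audit = [], []
    for rec in records:
        user = rec["user"]
        user_consent = consents.get(user, {})  # no recorded answer means no consent
        allowed = [c for c in CATEGORIES if user_consent.get(c) is True and c in rec]
        if not allowed:
            audit.append({"user": user, "action": "blocked", "reason": "no consented categories"})
            continue
        out = {"subject": pseudonymise(user, purpose_key)}
        for cat in allowed:
            out[cat] = pseudonymise(rec[cat], purpose_key) if cat in IDENTIFIERS else rec[cat]
        exported.append(out)
        audit.append({"user": user, "action": "exported", "categories": allowed})
    return exported, audit


def find_violations(batch, raw_records):
    """Independent check on an export batch: flags any never-export field and
    any raw identifier that appears unchanged. Returns a list of findings."""
    raw_ids = {rec[i] for rec in raw_records for i in IDENTIFIERS if i in rec}
    findings = []
    for n, row in enumerate(batch):
        for field in sorted(NEVER_EXPORT & set(row)):
            findings.append(f"row {n}: never-export field {field!r} present")
        for key, val in row.items():
            if isinstance(val, str) and val in raw_ids:
                findings.append(f"row {n}: raw identifier leaked in {key!r}")
    return findings


# Constructed sample data: three users with different consent states.
RECORDS = [
    {"user": "u1", "phone_number": "+353-0000-0001", "device_id": "dev-aaa",
     "usage_pattern": {"opens_per_day": 12}, "message_text": "hello", "location": "53.3,-6.2"},
    {"user": "u2", "phone_number": "+353-0000-0002", "device_id": "dev-bbb",
     "usage_pattern": {"opens_per_day": 3}, "message_text": "hi"},
    {"user": "u3", "phone_number": "+353-0000-0003", "device_id": "dev-ccc",
     "usage_pattern": {"opens_per_day": 7}, "message_text": "hey"},
]
CONSENTS = {
    "u1": {"phone_number": True, "device_id": True, "usage_pattern": True},
    "u2": {"phone_number": False, "device_id": True},  # usage_pattern never answered
    # u3 has no consent record at all
}

if __name__ == "__main__":
    exported, audit = export_for_ads(RECORDS, CONSENTS)
    print("gated export:", exported)
    print("audit trail:", audit)
    print("violations in gated export:", find_violations(exported, RECORDS))
    print("violations in naive passthrough:",
          find_violations([dict(r) for r in RECORDS], RECORDS))
```

Two design points matter here. Consent is evaluated per category and defaults to refusal when no answer is recorded, which is the granular, opt-in posture the order calls for; and the leak check runs independently of the export code, so it can be applied to any batch reaching the advertising side and serves as a detection control rather than relying on the gate being wired correctly.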
Neither option is trivial to implement, and Meta’s legal team will argue in its appeal that the compliance order’s requirements are technically and commercially disproportionate to the violations identified. The appeal process will stay the compliance order while it proceeds, meaning that Meta will not be required to make the mandated changes until the appeal is resolved. Given the complexity of the technical and legal questions involved, and the established pattern of GDPR appeal proceedings taking two to four years to reach final resolution, Meta faces a multi-year period of regulatory uncertainty about its European data practices even as it continues to operate under the existing arrangements pending the appeal’s outcome.