So many wrong things in this comment, which is generally uncalled for given the article is quite good (which cannot be said of all GDPR-related coverage). So, duty calls[1]:

> This decision is from the Irish data privacy regulator, DPC. They are "in charge" of this investigation because Facebook's EU subsidiary is in Ireland. They are not a "lead" regulator in any sense of the word.

The DPC are officially acting on this case as the "lead supervisory authority" as defined in the GDPR ("Article 56 - Competence of the lead supervisory authority").

> In fact, this decision does not come from the DPC.

In fact it actually does come from the DPC. The process is:

- DPC issues draft decision, after conducting an investigation, etc.
- Other authorities in impacted countries ("concerned supervisory authorities" in the official terms of the GDPR) chime in, provide comments, and possibly disagree with the draft decision (they raise "objections")
- The authorities try to agree, and if they don't, they have a dispute that gets resolved at the European Data Protection Board
- The EDPB takes a binding decision, which is imposed on the DPC (and the other concerned authorities)
- The DPC takes note of the decision, and issues their sanction accordingly.

In the end, it is indeed a decision formally issued by the DPC against WhatsApp. That's why Meta need to appeal against the DPC in Irish Courts - and why Meta cannot appeal directly in the European General Court against the EDPB.

> The DPC's decision was to pussy out and issue a smaller fine, and rubber-stamp several of Facebook's arguments. Their authority to do so was overturned by the regulators for other countries, and by the EDPB (EU-level agency). The EDPB is also requiring the DPC to do more investigations which will probably eventually result in even more fines.

> GDPR fines tend to be about specific issues related to specific complaints. [...]

> There has NOT been a general "is Whatsapp in its entirety compliant with GDPR" investigation yet.

> The EDPB-mandated investigation is creeping closer to that.

Actually, the EDPB's request is also specific: it is asking the DPC to look precisely at the part of the complaint on WhatsApp's use of sensitive data ("special categories" under GDPR Article 9).

PS: IAAL

[1] Know your classics: https://xkcd.com/386/