Ireland's Data Protection Commission hit chat app WhatsApp with a €225 million ($267 million USD) privacy fine for breaching the European Union’s data privacy law - the General Data Protection Regulation - on Thursday, a move that could hold parent company Facebook's feet closer to the fire when it comes to taking the privacy of its users seriously.

The fine, the second largest under the GDPR, has been a long time coming.

Ireland's DPC has been investigating WhatsApp since 2018 following complaints from users that the service wasn't transparent enough about how it handles user information between WhatsApp and other Facebook-owned companies, like Facebook itself and Instagram.

The decision is a lengthy one, 266 pages in total but in it, the commission argues WhatsApp "discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s service." It claims the company violated parts of articles 5(1)(a); 12, 13 and 14 of the law.

Those articles stipulate that any processing of personal data should be lawful, fair, and transparent. "It should be clear and transparent to individuals that personal data concerning them are collected, used, consulted or otherwise processed, and to what extent the personal data are, or will be, processed," the DPC says in an explainer on its website.

The DPC, the Irish supervisory authority for the GDPR, was actually forced to go back to the drawing board with the fine earlier this summer. It said because of a binding decision by the European Data Protection Board (EDPB) in July, it was asked to "reassess and increase its proposed fine" on WhatsApp. It initially only wanted to fine the company €50 million but other EU regulators objected. The DPC came back to the table with the €225 million fine this week.

In addition to the fine, the DPC is also asking the company to take a number of steps to bring it into compliance, all of them with a deadline of three months.

WhatsApp, as is to be expected, disagreed with the fine and said it was going to appeal the decision on Thursday, a move that could precede a lengthy court battle.

"We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so,” the company said in a statement circulated to reporters, “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate."

While much was made of the GDPR and its rules, which allow for fines of up to 4% of a violating company's global turnover, many have called out the lack of enforcement of the law via DPAs in the EU.

While this is a fair argument, it could also be argued that bureaucracy has slowed down the process. The DPC began its investigation around complaints in December 2018 before submitting it for the EDPB's approval in December 2020. After a series of back and forths, the fine finally surfaced this week, almost 9 months later.

While it’s too early to know how the case will play out, for now the fine joins others levied by data protection organizations over the years, including the Luxembourg National Commission for Data Protection (CNDP), which fined Amazon €746 million ($888 million) earlier this summer, Google, which was one of the first companies to be fined, €50m in 2019, and H&M, the clothing company, which was fined (€35.3 million) by German authorities in 2020.

For frame of reference, before the WhatsApp fine, the Amazon fine made up 70% of all GDPR fines and was double the amount of every other GDPR fine combined.