In its first major ruling against social media giant Facebook, Irish authorities fined the company’s WhatsApp messaging service almost $270 million (225 million euros) under the General Data Protection Regulation (GDPR). Those authorities stated that WhatsApp was not transparent about how data collected by those using the app is shared with other Facebook properties, including Instagram. WhatsApp said it would appeal the decision. Since established three years ago, the GDPR has not resulted in any major fines or penalties for Facebook until now.

The New York Times reports that, “under the law, companies must be regulated by the countries where they have their European headquarters … [and] the European offices of Facebook, Google, Twitter, Apple and scores of other companies are based in Ireland because of its low corporate tax rates and other benefits.”

Ireland’s parliament previously criticized the Irish Data Protection Commission (DPC) for failing to “adequately protect the fundamental rights of citizens” by not enforcing the regulation. “GDPR enforcement against Big Tech has been paralyzed by Ireland’s failure to deliver,” said Irish Council for Civil Liberties senior fellow Johnny Ryan. In December, Ireland fined Twitter 450,000 euros for a data breach.

The Irish decision against WhatsApp requires it to “update its privacy policy and make other changes to make people more aware of how data will be used.” The 27-nation European Union has debated “the appropriate level of enforcement under the region’s data protection rules,” with some countries pushing Ireland to raise the WhatsApp fine to 225 million euros from an initial proposed fine of 50 million euros.

The GDPR allows fines up to 4 percent of global revenue; Austrian lawyer Max Schrems, who runs privacy advocacy group European Center for Digital Rights (NOYB), said the fine was still too small. “This shows how the DPC is still extremely dysfunctional,” he said. WhatsApp spokesman Joshua Breckman countered that, “we disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate.”

CNBC reports that, “in an FAQ on its website, WhatsApp states that it shares phone numbers, transaction data, business interactions, mobile device information, IP addresses and other information with Facebook … [but not] personal conversations, location data or call logs.”

Since the GDPR began to be enforced in 2018, “Luxembourg’s data regulator fined Amazon 746 million euros for breaching GDPR rules around the use of consumer data in advertising … [and] Google was fined 50 million euros by France’s privacy regulator, CNIL, in 2019 for GDPR ad violations.”