Irish privacy regulator DPC fined WhatsApp €225 million on Thursday for a “serious violation” of the European privacy law AVG. The Facebook subsidiary does not adequately inform users about what personal data is collected and shared with other Facebook companies. This includes phone numbers of non-users, which WhatsApp collects through access to WhatsApp users’ address books. That’s in a binding decision of the European Data Protection Board (EDPB), an independent European body that monitors compliance with the GDPR.

DPC is allowed to fine WhatsApp on behalf of the European Union because the European headquarters of parent company Facebook is located in the Irish capital Dublin. DPC chairman Helen Dixon initially wanted to fine WhatsApp between 30 million euros and 50 million euros. Eight other European privacy regulators disagreed, leading to a dispute with the EDPB. Last month, the board ordered Dixon to increase the fine, writes the Irish newspaper The Irish Times. In addition to the fine, WhatsApp is ordered to comply with the data protection law when processing data from now on by taking a series of corrective measures.

WhatsApp disagrees with the fine it will be fined and states in a response to the Irish newspaper that it has been transparent about what happens to users’ data since 2018. The company calls the amount of the fine “completely disproportionate” and says it will object.

According to the well-known Austrian privacy advocate Max Schrems, the fine of 225 million euros comes down to “only 0.08 percent” of the turnover of the Facebook group. “The GDPR provides for fines of up to 4 percent of turnover. This shows how the DPC is still functioning very badly.” according to Schrems, which has filed multiple lawsuits against Facebook and also has a number of pending cases with the Irish privacy regulator. According to the Austrian, an appeal from WhatsApp will mean that it will take years before the fine is actually paid.