WhatsApp challenge to decision that led to $267M GDPR fine tossed by EU court

More bad news for Meta in Europe: The tech giant has lost an attempt to annul a binding decision on its messaging app, WhatsApp, taken by the European Data Protection Board (EDPB) last summer — under the bloc’s General Data Protection Regulation (GDPR) — which factored into a final decision (and hefty fine) issued by WhatsApp’s lead EU data protection supervisor, Ireland’s Data Protection Commission (DPC), just over a year ago.

Meta still has a live appeal against the WhatsApp GDPR enforcement in Ireland, under Irish law — where the DPC issued its final decision on this enquiry in September last year — so the tech giant’s legal challenge still has road to run.

But in a judgement published today, the European Union’s General Court found WhatsApp Ireland’s action for annulment to be inadmissible.

The EDPB’s binding decision led to WhatsApp being issued with a €225 million fine for breaching GDPR transparency obligations — a financial sanction that was substantially larger than the €30M to €50M originally proposed by the DPC in its draft decision, underlining how significant the Board’s interventions can be. 

Under the GDPR’s one-stop-shop mechanism, regulatory enquiries into data processors that have users across multiple EU Member States are typically funnelled through a lead supervisor in the country of main establishment in the EU (in Meta’s case that’s Ireland). But any draft decision they produce must be submitted to other EU data protection authorities for review — and if objections are lodged a dispute resolution mechanism kicks in that can culminate in the EDPB taking a binding decision if no consensus is reached between the DPAs.

So the Board plays a crucial role in ensuring that enforcement of the bloc’s flagship data protection regulation does not stall in perpetual inter-regulatory bickering.

Just yesterday, for example, the EDPB confirmed it’s stepped in to take three more binding decisions on Meta-owned companies in relation to different GDPR complaints — against Facebook, Instagram and WhatsApp. Final decisions on those ‘legal basis’ cases are due from Ireland’s DPC early next year.

The EDPB also stepped in last summer to issue a binding decision on the aforementioned WhatsApp transparency enquiry after DPAs failed to agree on a number of issues. Its intervention resulted in extra woe for WhatsApp — after the Board found more violations than the DPC and identified problems with how the Irish regulator had calculated the level of the proposed fine, leading to it to require the DPC issue a larger financial sanction in its final decision.


The Board’s intervention also reduced the period of time WhatsApp was given to implement the corrective measures ordered under the enforcement — cutting it in half, down to three months from the six suggested by the DPC. So, again, its role can be significant in shaping final decisions, especially in more complex, contested GDPR cases.

But while the Board is critical to keeping GDPR enforcement flowing, it’s still the lead data protection authority that is, ultimately, responsible for taking the final decision on cases they lead — just with a stipulation that their final decision must incorporate an EDPB binding decision, if there is one.

And that nuance — over the difference between a partial vs final decision — looks to be part of the reason why Meta’s attempt to annul the Board’s binding decision foundered in the EU Court. As well as there not being a reason to admit the action under EU procedural law, in the Court’s view.

The Court also points out that allowing the action to be heard would create a situation of two judicial proceedings (“with significant overlap”) running in parallel — given Meta is appealing the WhatsApp enforcement in Ireland by challenging the DPC’s final decision — and further notes the ability of an Irish court to make a reference to the EU’s Court of Justice if it has doubts as to the validity of the EDPB’s decision. So there is still an avenue for this issue to return to an (higher) EU court down the line.

Responding to its EU legal action being tossed today, a WhatsApp spokesperson sent us this brief statement:

This case concerns a privacy policy from four years ago that has since been updated multiple times and clearly details the industry-leading privacy protections WhatsApp provides. We still strongly disagree with the EDPB decision and will consider all available options.

WhatsApp challenge to decision that led to $267M GDPR fine tossed by EU court by Natasha Lomas originally published on TechCrunch

  Read More 

Notify of
Inline Feedbacks
View all comments