ECJ: New hope for WhatsApp in dispute over record GDPR fine

WhatsApp could still avoid a fine of 225 million euros for data protection violations. At least Tamara Ćapeta, Advocate General at the European Court of Justice (ECJ), is campaigning for the landmark case to be reopened. She is proposing that the judges there declare Whatsapp's action for annulment admissible. The lower court made mistakes and did not even examine the arguments of the messenger service in the case, the expert believes in her opinion published on Thursday. Whatsapp's case must therefore be heard again under different circumstances.

The dispute has been dragging on for years. In August 2021, the Irish data protection authority, the Data Protection Commission (DPC), imposed the then record fine of 225  million euros on WhatsApp Ireland, a subsidiary of the Facebook group Meta Platforms, based on the General Data Protection Regulation (GDPR). WhatsApp is alleged to have passed on data to Facebook in a non-transparent manner. Whatsapp described the sanction as disproportionate and took legal action against it not only in Ireland, but also before the General Court of the EU (EGC). The judges there rejected this complaint as inadmissible at the end of 2022.

The case is complicated because the draft initially submitted by the DPC with the investigation results and penalty recommendations was controversial among the other national supervisory authorities of the EU member states. The submission therefore went to the European Data Protection Board (EDPB), which adopted a binding decision for all data protection authorities involved in 2021. On this basis, the DPC issued its final decision shortly afterwards. The Irish data protection authority has long been considered a bottleneck in GDPR enforcement. It is often overruled in EDPB conciliation proceedings. The EGC then ruled that the EDPB decision did not constitute an actionable act. Whatsapp was also not directly affected by this, but only by the DPC decision.

EDSA decisions are also controversial in other cases

Whatsapp appealed against the ECJ decision to the ECJ (Ref. C-97/23P). Advocate General Ćapeta is now arguing that the decision of the first instance should be overturned in its entirety. According to her, the EDPB decision constitutes an act that can be challenged before the EU courts. The EGC had inadequately assessed the requirements for actions for annulment: It had focused on the fact that the EDPB decision was not the final one under the consistency mechanism provided for in the GDPR. However, the judges should have examined whether this decision was the final word of the EDPB, which has binding legal effects for the DPC.

The Opinions of Advocates General are not binding on the ECJ. However, the judges often follow the plea. This would have far-reaching consequences here. Whether the EDPB, as the superior body of the Irish data protection authority, is allowed to give the DPC a leg up in enforcing the GDPR also plays a role in the extent to which Meta Platforms has unlawfully exploited users' personal data for advertising purposes without their consent. This is in accordance with Article 6 GDPR. The DPC wanted to nod off Meta's trick of passing off its own data mining as a service for the users concerned. The EDPB got in the way. In January, the EGC also backed the joint body of the supervisory authorities in this case. Persistent differences of opinion within their ranks would have to be settled through the EDPB coordination procedure.

(ds)