The Court of Justice of the European Union (CJEU) has delivered a significant judgment in the longstanding dispute between WhatsApp Ireland Ltd (WhatsApp) and the European Data Protection Board (EDPB). The CJEU has clarified that binding decisions issued by the EDPB as part of its powers under Article 65 GDPR are capable of challenge under Article 263 of the Treaty on the Functioning of the European Union (TFEU).
The full text of the judgment can be found here.
By way of background, the EDPB issues binding decisions to resolve disputes between national data protection supervisory authorities, typically in cross-border cases using the 'one-stop-shop mechanism'. The CJEU held that these binding decisions have the necessary legal effect to directly and individually affect a third party applicant. This can include the supervisory authorities and also companies such as WhatsApp.
The judgment is one of a number of court decisions and challenges shaping practitioners' understanding of the remit of the EDPB. The decision strengthens the rights of data controllers to challenge EDPB decisions in the EU courts. Although this decision refers to EDPB binding decisions under Article 65 GDPR, it is reasonable to apply the same logic to challenges to non-binding consistency opinions issued by the EDPB under Article 64 GDPR.
By ensuring that key decisions affecting data privacy and compliance are subject to judicial review, the decision may influence the future conduct of the EDPB. A number of pending actions issued by Meta and related companies seeking to annul EDPB binding opinions will now likely proceed.
Background
The Irish Data Protection Commission (DPC) acts as lead supervisory authority for Meta and their associated companies such as WhatsApp, as their headquarters are located in Dublin, Ireland. Following a number of complaints about the processing of personal data by WhatsApp, the DPC initiated an investigation into WhatsApp’s compliance with transparency obligations under Articles 12 to 14 GDPR.
Following the exchange of draft decisions and objections from other supervisory authorities including the Federal German supervisory authority, the matter was consequently referred to the EDPB under Article 65 GDPR for binding resolution.
The EDPB adopted Binding Decision 1/2021, which addressed a range of substantive issues, including the classification of certain data as personal data, the adequacy of information provided to users and non-users, the principle of transparency, the calculation of administrative fines, and the period for compliance. The EDPB decision required the DPC to amend its draft decision and reassess a proposed fine against WhatsApp, increasing it to a total of €225 million.
In response, WhatsApp brought an action for annulment of the binding decision before the General Court of the EU. The General Court dismissed the action as inadmissible, finding that the EDPB’s decision was a preparatory act with no independent legal effect on WhatsApp, as only the DPC’s final decision produced binding obligations for the company.
The General Court did suggest that the validity of the EDPB’s decision may, however, be challenged before the national court, which would be able to make a request to the CJEU for a preliminary ruling. WhatsApp applied to the CJEU to set aside the General Court's decision.
Submissions
WhatsApp argued that the EDPB’s binding decision was not a preparatory measure, but rather a definitive act producing legal effects for third parties (including WhatsApp). It contended that the decision directly altered WhatsApp's legal position by determining key issues (such as the classification of data and the need to increase fines) and that the DPC was bound to implement the EDPB’s findings without discretion.
In response, the EDPB, supported by the German Federal supervisory authority, submitted that the binding decision was 'an intermediate act' within a 'composite administrative procedure'. In short, it was the DPC’s final decision that was enforceable, and therefore only that decision was capable of being challenged.
The EDPB submitted that the binding decision was only binding on national supervisory authorities. It argued that the DPC retained a margin of discretion in implementing the EDPB’s findings.
The interpretation of Article 263 TFEU was also debated, specifically the definition of an “act open to challenge”, and the conditions for direct and individual concern. WhatsApp relied on established CJEU case law regarding the ability to challenge definitive acts with binding legal effects, even if not directly enforceable against the applicant, and emphasised the need for effective judicial protection under EU law.
Judgment
The CJEU set aside the decision of the General Court, and referred the case back for determination. The General Court did not consider the merits of the action, ruling only on its admissibility.
The CJEU held that EDPB decisions adopted under Article 65 GDPR are acts open to challenge under Article 263 TFEU. The Court clarified that such decisions are not mere preparatory acts but express the definitive position of the EDPB, producing legal effects for third parties, including data controllers like WhatsApp.
The CJEU rejected the General Court’s view that only the national authority’s final decision could be challenged, explaining that the EDPB’s decision is binding on the DPC and shapes the substance of the national decision.
The CJEU clarified the two cumulative conditions for direct concern: first, the contested act must directly affect the applicant’s legal situation; second, it must leave no discretion to the implementing authority, whose implementation must be purely automatic. The Court found that the EDPB’s decision met both criteria: it definitively determined issues such as the classification of data, the finding of infringements, and the obligation to increase the fine, all of which the DPC was required to implement without discretion. WhatsApp was individually concerned, as the decision specifically addressed issues relating to its data processing and obligations.
The substance and binding nature of the binding decision, not the form or the stage in the procedure, were determinative.
Implications of this judgment
Although binding decisions are the EDPB's most powerful mechanism, as we noted above, the basis of the judgment suggests that non-binding consistency opinions issued by the EDPB under Article 64 may also be challenged.
The judgment would also seem to give the green light to progression of a number of outstanding challenges before the CJEU, specifically a wider group of actions involving Meta and the EDPB. The actions seek the annulment of a number of binding decisions resulting in the DPC issuing, among other consequences, significant financial penalties on Meta and their linked companies. We will watch the development of the actions below with great interest:
- Meta Platforms Ireland v EDPB (T-129/23) – Meta is seeking to annul the EDPB Binding Decision 3/2022, alleging among other things, that the EDPB exceeded its competence under Article 65 of the GDPR. That binding decision resulted in the DPC reversing its draft conclusion, and adopting a final decision including the imposition of a fine of EUR390 million on Meta relating to the Facebook and Instagram platforms.
- WhatsApp Ireland v EDPB (T-153/23) – WhatsApp is seeking to annul EDPB Binding Decision 5/2022, alleging among other things, that the EDPB failed to act as an impartial body in violation of Article 41(1) of the Charter of Fundamental Rights of the European Union. The DPC adopted a final decision including a fine of EUR5.5 million.
- Meta Platforms Ireland v EDPB (T-325/23) – Meta is seeking to annul EDPB Binding Decision 1/2023, alleging similar grounds to those set out above. The DPC adopted a final decision ordering Meta to suspend any future transfer of personal data to the US, and issuing a fine of EUR1.2 billion.
- Meta Platforms Ireland v EDPB (T-8/24) – Meta is seeking to annul EDPB Urgent Binding Decision 01/2023, alleging among other things, that the EDPB exceeded its competence. The decision imposed a ban on Meta Ireland Limited processing personal data for behavioural advertising purposes on the basis of contract and legitimate interest.
The outcome of these decisions will be eagerly awaited by practitioners, regulators and companies in the EU.
