The Court of Justice of the European Union (CJEU) today, , delivered a significant ruling clarifying the rights of companies facing substantial fines under the General Data Protection Regulation (GDPR). The court determined that Meta, the parent company of WhatsApp, can continue to challenge a decision by the European Data Protection Board (EDPB) regarding a €225 million fine levied against WhatsApp for transparency issues related to data processing.
The case stems from a fine initially issued by the Irish Data Protection Commission (DPC), WhatsApp’s lead supervisory authority within the EU. The DPC originally proposed a penalty in the range of €30 to €50 million, citing concerns over how WhatsApp informed users about its data practices. However, other European data protection authorities disagreed with the DPC’s assessment of the fine’s appropriate level, triggering an Article 65 dispute resolution procedure. This process ultimately resulted in the DPC increasing the fine to €225 million, a figure confirmed by a binding decision from the EDPB.
WhatsApp appealed the EDPB’s decision, arguing that the board had overstepped its authority in raising the fine. The core of the legal challenge centered on whether the EDPB’s decision was an “intermediate act” – meaning it wasn’t directly enforceable and therefore not subject to challenge – or a binding decision that could be directly litigated. The CJEU’s ruling definitively sides with WhatsApp, establishing that the EDPB’s binding decisions are open to challenge in court.
This distinction is crucial. The CJEU found that the EDPB’s decision “cannot be regarded as an intermediate act not open to challenge” because it “emanates from an EU body and which is binding vis-à-vis third parties.” The court emphasized that the EDPB’s order brought about a “distinct change in the legal position of that undertaking [WhatsApp],” leaving no room for discretion by the DPC.
The implications of this ruling extend far beyond WhatsApp, and Meta. The CJEU’s decision effectively lowers the bar for companies seeking to challenge GDPR fines. Previously, the legal pathway for challenging EDPB decisions was unclear, potentially discouraging companies from pursuing appeals. Now, with a clear precedent established, companies facing significant penalties are more likely to litigate, potentially leading to a wave of challenges to existing and future GDPR fines.
As a spokesperson for WhatsApp stated, the ruling “upholds our argument that those businesses and people should be able to challenge decisions the EDPB makes against them, so that it can be held fully accountable by the EU courts.” This sentiment highlights a broader concern about the power and accountability of the EDPB, an unelected body with the authority to impose substantial financial penalties on companies operating within the EU.
The EDPB plays a critical role in harmonizing GDPR enforcement across the EU’s 27 member states. National data protection authorities often have differing interpretations of the regulation, and the EDPB serves as a coordinating body to ensure consistent application. Its decisions are binding on those national authorities, meaning they are legally obligated to implement the EDPB’s rulings. However, this ruling introduces a new layer of judicial oversight, allowing companies to directly challenge those binding decisions.
The case has already seen a complex legal history. The initial challenge by WhatsApp was dismissed by the EU’s General Court, but today’s CJEU ruling overturns that decision. This demonstrates the high stakes involved and the importance of the legal questions at hand. The ruling is the final judgment in this particular case, but its impact will be felt across the EU’s data protection landscape for years to come.
Experts anticipate that this decision will unblock a backlog of appeals where the EDPB has overruled national regulators. The ruling essentially validates the argument that companies deserve a robust opportunity to contest decisions that can have a material financial impact. While the EDPB maintains its authority to enforce GDPR, its decisions will now be subject to greater scrutiny, potentially leading to more nuanced and carefully considered enforcement actions in the future.
The ruling doesn’t necessarily mean WhatsApp will ultimately succeed in overturning the €225 million fine. However, it does guarantee the company a full and fair opportunity to present its case to the courts, and it sets a precedent that will empower other companies facing similar challenges under the GDPR.
