Product reviews, deals and the latest tech news

WhatsApp’s appeal of the EU court’s dismissal of its $267 million GDPR penalties was successful.

The European Data Protection Board (EDPB) issued a binding decision on Meta’s WhatsApp messaging app last summer under the bloc’s General Data Protection Regulation (GDPR), which was used as part of a final decision (and hefty fine) issued by WhatsApp’s lead EU data protection supervisor, Ireland’s Data Protection Commission (DPC), just over a year ago.

Under Irish law, where the DPC published its final verdict on this probe in September of last year, Meta still has a current appeal against the WhatsApp GDPR enforcement in Ireland.

The General Court of the European Union, however, ruled today that WhatsApp Ireland’s annulment case was inadmissible.

In the WhatsApp case, the EDPB issued a binding decision that resulted in a €225 million fine for the company’s failure to comply with its GDPR transparency obligations, a sum that was significantly higher than the €30M to €50M proposed by the DPC in its draught decision. This case exemplifies the Board’s ability to significantly alter proposed decisions.

To comply with the GDPR’s “one-stop-shop” approach, inquiries from regulators about data processors with users in various EU Member States must be directed to the lead supervisor in the EU nation of primary establishment (in Meta’s instance, Ireland). However, the other EU DPAs must evaluate any proposed decisions before they are finalised, and if any objections are raised, a dispute resolution procedure will kick in, which might lead to a binding ruling from the EDPB if the DPAs cannot come to an agreement.

As a result, the Board’s work is essential in preventing the bloc’s main data protection policy from being mired in inter-regulatory squabbling.

For instance, the EDPB revealed only yesterday that it had stepped in to make three additional binding judgements against Meta-owned firms in connection with various GDPR concerns against Facebook, Instagram, and WhatsApp. The DPC in Ireland is expected to issue final rulings on the ‘legal foundation’ cases in the first few months of 2019, and after today’s rebuke, any appeal by Meta against the Board’s participation in those rulings seems unlikely to succeed.

The EDPB also intervened last summer, when DPAs could not reach an agreement on many topics related to the WhatsApp transparency inquiry, to issue a binding ruling. Since the Board found more infractions than the DPC and found flaws in how the Irish regulator had calculated the size of the proposed punishment, it demanded that the DPC impose a greater financial penalties in its final judgement, adding more anguish to WhatsApp’s already dire situation.

As a result of the Board’s involvement, WhatsApp had just three months instead of the six months recommended by the DPC to carry out the corrections mandated by the enforcement. So, once again, it may play a crucial part in deciding complicated, contentious GDPR issues.

Despite the Board’s importance in maintaining a steady stream of GDPR enforcement, the lead data protection authority is still responsible for making the final judgement in cases they lead, with the caveat that they must integrate a binding EDPB decision, if there is one, into their final decision.

Attempts by Meta to have the EU Court overturn the Board’s binding decision were ultimately unsuccessful, and it seems that this distinction between a partial and final judgement was an important factor in the Court’s decision. To add insult to injury, the Court finds no basis under EU procedural rules for admitting the lawsuit.

Given that Meta is appealing the WhatsApp enforcement in Ireland by challenging the DPC’s final decision, the Court notes that allowing the action to be heard would create a situation in which two judicial proceedings (“with significant overlap”) would be running in parallel. The Court also notes that an Irish court can make a reference to the EU’s Court of Justice if it has doubts as to the validity of the EDPB’s decision. It’s thus possible that this case might be brought before a (higher) EU court again in the future.

Whatsapp provided us with the following short comment after today’s dismissal of their EU legal action:

This case concerns a privacy policy from four years ago that has since been updated multiple times and clearly details the industry-leading privacy protections WhatsApp provides. We still strongly disagree with the EDPB decision and will consider all available options.