Advocate General sides with WhatsApp in landmark EDPB accountability case

The European Court of Justice may soon establish a significant precedent in data protection enforcement after Advocate General Pikamäe sided with WhatsApp in a case examining whether European Data Protection Board (EDPB) binding decisions can be directly challenged before EU courts. This development, which emerged 59 days ago on January 27, 2025, marks a potential turning point in how companies can contest data protection rulings.

WhatsApp, a company providing internet-based calling and messaging services, changed its privacy policy on May 24, 2018, to accommodate the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. The policy update presented existing users with two options: accept the changes or stop using the messaging service.

Following this update, the Irish Data Protection Commission (DPC), acting as the lead supervisory authority for WhatsApp in the EU, received numerous complaints from individual data subjects regarding WhatsApp's data processing activities. In December 2018, the Irish DPC initiated an inquiry to assess whether WhatsApp had met its GDPR transparency obligations under Articles 12 to 14, specifically concerning information provided to both users and non-users of its messaging service.

Since WhatsApp's operations involve cross-border processing throughout the European Union, the Irish DPC circulated its draft decision to other concerned national supervisory authorities in line with the GDPR's consistency mechanism.

The Irish DPC's draft decision faced objections from several European data protection authorities. According to court documents, supervisory authorities from Germany (at Federation level), Hungary, the Netherlands, Poland, France, Italy, Portugal, and the German Federal State of Baden-Württemberg filed formal objections to the draft decision.

Additionally, supervisory authorities from Austria, the Netherlands, Denmark, Poland, Belgium, France, and the German Federal State of Hamburg submitted comments on the draft.

As the Irish DPC did not agree with these objections, it referred the matter to the EDPB for resolution, following the procedure outlined in the GDPR's consistency mechanism.

On July 28, 2021, the EDPB adopted its contested decision and notified the Irish DPC and other concerned supervisory authorities. The EDPB's decision instructed the Irish DPC to alter several findings in its draft decision and to increase the proposed fines against WhatsApp.

Specifically, the EDPB required the Irish DPC to find that "lossy hashed data" constitutes personal data under Article 4(1) of the GDPR and that WhatsApp had breached the transparency rules of Article 5(1)(a), Article 13(1)(d) and (2)(e), and Article 14 of the regulation.

The legal challenge: Questioning EDPB decision accountability

The central legal question in this case revolves around which acts in the multi-step GDPR enforcement process can be directly challenged before EU courts. WhatsApp appealed the EDPB's decision, but the General Court ruled that the decision was not an act that could be challenged directly before EU courts.

In the current appeal, WhatsApp contends that the General Court erroneously ruled that the contested decision, adopted under the GDPR consistency mechanism, is not a challengeable act before EU courts.

The GDPR consistency mechanism explained

The GDPR assigns the task of monitoring and enforcing data protection rules to the various supervisory authorities of EU Member States within their respective territories. To prevent fragmentation in implementing these rules across the European Union, the GDPR established a cooperation mechanism between national supervisory authorities.

When data processing has cross-border implications, the lead supervisory authority must circulate its draft decision to concerned supervisory authorities in other Member States. If these authorities agree with the interpretation and enforcement measures proposed, the lead authority can adopt its final decision, which binds the controller or processor in question.

However, if other supervisory authorities express reasoned objections that the lead authority disagrees with or considers irrelevant, the lead authority must refer the matter to the EDPB for a binding decision. The EDPB then adjudicates the dispute between the national authorities and resolves the case.

According to Article 65(2) of the GDPR, the EDPB's decision is addressed to and binds the lead supervisory authority and all concerned supervisory authorities. The decision is published on the EDPB's website, and within prescribed deadlines, the lead supervisory authority must adopt its final decision based on the EDPB's binding decision.

Advocate General's opinion: A significant development

According to information shared by data law expert Peter Craddock, the Advocate General has issued an opinion that sides with WhatsApp in this case. While an Advocate General's opinion is not binding on the Court of Justice, it carries significant weight and is often followed in the final judgment.

The Advocate General's analysis focuses on several key aspects of what constitutes a challengeable act:

1. The intermediary nature of an act does not prevent it from being challengeable if it is "a final and binding act" in itself. The Advocate General stated that the EDPB Binding Decision represents "the EDPB's final position" and "imposed an obligation on someone outside of that body" (in this case, the Irish DPC).
2. The opinion emphasizes that "all acts of the EU institutions and other bodies, notwithstanding their form or name, that are intended to have binding legal effects are challengeable acts."
3. Whether an act brings about "a distinct change" in the legal position of an applicant is relevant to determining "direct concern," not to determining whether an act is challengeable.
4. The Advocate General concludes that since the EDPB decision "is final, and as it produces binding legal effects outside of [the EDPB], that is to say, vis-à-vis the Irish [supervisory authority]," the General Court should have recognized it as a challengeable act.

Requirements for "direct concern"

For a party to challenge an act, they must demonstrate "direct concern," which requires meeting two criteria:

1. The contested measure must directly affect the legal situation of the person.
2. It must leave no discretion to its addressees who implement it, with such implementation being automatic and resulting solely from EU rules without intermediate rules.

The Advocate General notes that "the challenged measure could directly affect the legal situation of the applicant only if the implementing body had no choice as to whether and how to implement that measure."

According to the Advocate General, the enforceability of the EDPB act is irrelevant. What matters is whether the supervisory authority has any discretion in implementing the EDPB's act—and the Advocate General concludes that it does not.

Even if an EDPB act doesn't cover everything, the Advocate General suggests that a challenge before the General Court on the scope of the EDPB act remains possible, alongside a national challenge against the supervisory authority's decision on all other points.

Potential implications for future cases

The Advocate General's opinion, if followed by the Court of Justice, would establish an important precedent allowing companies to challenge EDPB binding decisions directly. This could pave the way for challenges to Article 64 Opinions of the EDPB, as these are also binding upon supervisory authorities.

This development represents a potential shift in how data protection enforcement can be contested in the European Union, potentially providing data controllers and processors with additional legal avenues to challenge decisions directly at the EU level rather than waiting for national implementation.

Legal experts are watching this case closely, as it may significantly impact the accountability mechanisms within the EU's data protection framework. The Court of Justice's final ruling will determine whether the EDPB's decisions can be directly challenged before EU courts, potentially reshaping the landscape of data protection litigation.

Timeline

• May 24, 2018: WhatsApp changes its privacy policy to align with GDPR requirements
• May 25, 2018: GDPR becomes applicable across the EU
• December 2018: Irish DPC initiates inquiry into WhatsApp's GDPR transparency compliance
• July 28, 2021: EDPB adopts its binding decision instructing the Irish DPC to alter findings and increase fines
• Date unspecified: WhatsApp appeals the EDPB decision to the General Court
• Date unspecified: General Court rules the EDPB decision is not directly challengeable
• January 27, 2025: Advocate General sides with WhatsApp, finding the EDPB decision should be directly challengeable
• Pending: European Court of Justice final ruling