In 2018 and 2019, the Irish Data Protection Commission investigated WhatsApp's compliance with EU rules on data protection. Due to the cross-border nature of the violations, several other national data protection authorities were involved, with the Irish authority acting as the lead supervisory authority. After its investigations, the Irish Data Protection Commission issued a draft decision in 2020. Due to the many objections expressed by the other authorities, the matter was referred to the European Data Protection Board (“EDPB") to resolve the disagreement.
The EDPB issued a binding decision (n° 01/2021) in which it resolved the issues that it deemed relevant and reasoned. The Irish authority made its final decision in 2021 in line with the EDPB binding decision, imposing a fine of €225 million on WhatsApp IE.
WhatsApp chose to attack both the EDPB's binding decision before the EU General Court as well as the Irish Data Protection Commission's subsequent decision before the Irish Court in parallel. Regarding the former, the General Court ruled that WhatsApp's request for annulment of the EDPB's decision is inadmissible because WhatsApp lacks standing. Natural or legal persons can only attack the validity of an EU act (such as the EDPB decision) in three situations, two of which are (potentially) relevant here:
- The person is explicitly addressed by the act;
- The act is of direct and individual concern to the person.
The first option was declared inapplicable as the addressee of the EDPB decision is not WhatsApp, but rather the supervisory authorities involved. Regarding the second option, the General Court ruled that WhatsApp is concerned by the contested decision individually, but not directly, as the EDPB decision as such has no legal effect vis-à-vis WhatsApp, but only indirectly through its binding nature to the supervisory authorities. The General Court's ruling is consistent with the CJEU's high threshold for standing for natural and legal persons, which in turn is subject to critique in legal doctrine.
The request for annulment was thus declared inadmissible. If the General Court allowed for a validity check of the EDPB's decision, there would be a risk of inconsistency with the Irish Court's decision on the validity of the Irish Data Protection Commission's decision based on the EDPB decision. This way, consistency is ensured without affecting the rule of law and the principle of a complete system of legal remedies.