CJEU adviser supports WhatsApp challenge to data protection fine

Details: East Africa; 29 March 2025; 264

An adviser to the Court of Justice of the European Union (CJEU) on Thursday backed WhatsApp in its legal battle with the European Data Protection Board (EDPB), suggesting the media company’s challenge against the privacy watchdog should proceed. The opinion could open the door for companies to more directly contest decisions by the EDPB.

Advocate General Tamara Ćapeta issued a non-binding opinion stating that “WhatsApp’s challenge of the EDPB decision is admissible and the case should be referred back to the General Court for a decision on the merit.” Ćapeta rejected the General Court’s view that the EDPB’s decision was merely preparatory and not subject to judicial review. She emphasized that the board’s decision had binding legal effects, particularly on the Irish supervisory authority, which was obligated to modify its draft decision and increase the fine. These legal effects, she argued, were sufficient to qualify the decision as a “challengeable act” under Article 263(1) of the Treaty on the Functioning of the European Union (TFEU).

Ćapeta further reasoned that WhatsApp was “directly concerned” by the EDPB’s decision under Article 263(4) of the TFEU because the Irish authority had no discretion to deviate from the EDPB’s instructions. Ćapeta criticized the lower court for requiring that the EDPB’s act be “enforceable” against WhatsApp or represent the “final step” in the administrative process. She explained that these additional conditions are not found in the treaty and improperly narrow the scope of access to judicial review.

The advocate general also warned against a procedural gap in the EU’s system of judicial remedies. She noted that if WhatsApp were denied standing to challenge the EDPB decision directly, the company could also be prevented from later contesting that decision in national court proceedings due to the EU’s rule against indirect challenges when a direct action would have been possible. In her view, this interpretation would undermine the effectiveness of EU judicial protection.

The case stems from a €225 million fine imposed by Ireland’s Data Protection Commission (DPC) on WhatsApp for breaching multiple provisions of the General Data Protection Regulation (GDPR). In particular, the DPC based its claim on a probe it conducted to investigate whether WhatsApp fulfilled its obligations to provide transparent information under the GDPR. The probe concluded that WhatsApp failed to adequately inform users about data transfers between WhatsApp and its parent company Meta. The European Data Protection Board (EDPB) later intervened and issued a binding decision on WhatsApp to cease its violations of the relevant GDPR provisions within three months.

WhatsApp challenged the EDPB’s involvement, but a lower tribunal dismissed the challenge in 2022. The tribunal found that WhatsApp had no legal standing to sue the EDPB directly, as the Board’s decision did not directly affect the company. However, it noted that WhatsApp could pursue the matter in a national court by challenging the Irish fine. In 2023, WhatsApp appealed to the CJEU, Europe’s highest court. By Ryan Huang, Jurist News