The European Court of Justice (ECJ) has sided with WhatsApp Ireland in its legal challenge over a €225 million fine imposed by Ireland’s Data Protection Commission (DPC), a decision that could have far-reaching implications for EU data protection enforcement.
The fine originated from complaints raised by WhatsApp users about how the messaging service handled personal data. In 2018, the Irish DPC launched an investigation to determine whether WhatsApp was fully complying with transparency requirements under the European Union’s General Data Protection Regulation (GDPR).
By December 2020, the DPC concluded that WhatsApp had breached certain GDPR provisions. As Ireland hosts WhatsApp’s European headquarters in Dublin, the DPC acted as the lead regulator and shared its findings with the other 26 EU national data protection authorities. When no consensus was reached on specific points, the case was referred to the European Data Protection Board (EDPB).
In 2021, the EDPB issued a binding decision affirming that WhatsApp had violated aspects of the GDPR and instructed the Irish regulator to impose a fine of €225 million. WhatsApp challenged this ruling before the General Court of the ECJ, seeking to annul the EDPB’s decision.
In December 2022, the General Court rejected WhatsApp’s challenge, ruling that the EDPB’s decision was an intermediate act and not directly applicable to the company, meaning WhatsApp could only contest the final decision of the Irish regulator in Irish courts.
WhatsApp then appealed to the ECJ. In its ruling, the ECJ overturned the earlier decision, concluding that the EDPB’s binding decision was indeed open to judicial review. The court emphasized that the EDPB’s ruling definitively determined the position of the board and addressed all matters referred to it, making it more than an intermediate act.
The ECJ also found that the EDPB’s decision had a direct impact on WhatsApp, changing the company’s legal position. By binding the Irish DPC and other national data protection authorities, the EDPB’s ruling effectively established an obligation on WhatsApp, leaving no room for alteration by the national regulators.
As a result, the ECJ deemed WhatsApp’s appeal admissible and referred the case back to the General Court to examine the merits of the dispute, including whether WhatsApp had indeed breached GDPR rules.
The ruling highlights the ECJ’s role in clarifying the legal avenues available for companies to challenge EU-level regulatory decisions and may influence how tech firms approach compliance disputes with EU data protection authorities in the future.
