In a judgment handed down on Tuesday 10 February (case C-97/23), the Court of Justice of the European Union (CJEU) annulled an order of the General Court of the European Union in December 2022 (case T-709/21 - see EUROPE 13079/26), which had deemed inadmissible an appeal by the social network WhatsApp against a decision by the European Data Protection Board (EDPB).
In July 2021, the EDPB issued a binding decision (1/2021) on the provisions of the ‘GDPR’ Regulation governing the protection of personal data (2016/679), at the request of the Irish Data Protection Commission, the lead authority in the EU for the supervision of WhatsApp’s activities. Having found an infringement of the provisions of the ‘GDPR’ Regulation, the EDPB obliged the Irish authority to amend the planned corrective measures, including the amount of the fine imposed, which ultimately amounted to €225 million (see EUROPE 12782/11).
In its judgment, the CJEU upheld WhatsApp’s appeal. It considers that the EDPB’s decision is an act open to challenge, insofar as it emanates from an EU body and is binding on the Irish authority and all the national supervisory authorities concerned. In addition, this decision definitively determines the position of the Irish authority and deals exhaustively with all the issues which that body is required to resolve.
In addition, the European Court found that the social network was directly affected by the EDPB’s decision, which distinctly changed its legal position without leaving any discretion to national supervisory authorities as to whether it had infringed certain provisions of the GDPR Regulation.
The Court is referring the case back to the General Court for a ruling on the merits of the case, including the question of whether WhatsApp has infringed the relevant provisions of the European Regulation.
See the judgment of the Court of Justice: https://aeur.eu/f/knm (Original version in French by Mathieu Bion)