WhatsApp challenges data watchdog’s role in GDPR fine

Out-Law News | 07 Jan 2022 | 11:13 am | 2 min. read

Messaging service WhatsApp has accused a data protection watchdog of operating beyond the powers given to it in law after its interventions led to a €225 million fine for the company.

The fine was imposed by Ireland’s Data Protection Commission (DPC) in August last year, but only after the European Data Protection Board (EDPB) had directed the DPC to make changes relating to the enforcement action to be taken against WhatsApp under the General Data Protection Regulation (GDPR). WhatsApp has now raised formal legal proceedings challenging the EDPB’s intervention.

Dublin-based data protection law expert Andreas Carney of Pinsent Masons said: “The challenges raised by WhatsApp address points of technical interpretation of the GDPR, as well as fundamental questions as to whether the EDPB applied due process and acted properly in exercising its powers. This is perhaps not unexpected given the impact of the EDPB’s decision on the scope of findings and level of the fine levied against WhatsApp by the DPC. Given that the main role of the EDPB is to ensure the consistent application of the GDPR throughout the European Economic Area, this case will no doubt be watched very closely from various quarters.”

The case, which now stands to be considered by the EU’s General Court, originated with complaints raised by individuals about WhatsApp’s data processing. The complaints spurred the DPC to open an investigation in 2018 into whether WhatsApp complied with transparency obligations under the GDPR.

Following the investigation, the DPC indicated its intention to serve WhatsApp with a fine of between €30m and €50m over breaches it said the company was responsible for under Articles 12, 13 and 14 of the GDPR, which set out requirements around the information organisations must provide data subjects about how they process their data and about their rights. However, because the case concerned not just Irish consumers but those from across Europe too, the DPC was required to consult other data protection authorities in the EU on its proposed actions under the GDPR’s ‘one stop shop’ mechanism.

Some authorities, including those in France, Germany and the Netherlands, raised objections with the DPC’s draft decision and, when a compromise could not be agreed, the matter was referred to the EDPB for a binding decision. The final decision issued by the DPC reflected additional findings of infringement made by the EDPB, which included that WhatsApp breached the principle of transparency under Article 5 of the GDPR – a fact that on its own accounted for €90m of the overall final fine imposed – as well as an updated approach, shaped by the EDPB, on how the level of fine should be calculated.

At the time, WhatsApp said it disagreed with the decision, describing the penalties imposed on it as “entirely disproportionate”. Now the company has lodged legal action seeking annulment of the EDPB’s decision. To support its case, the company has raised seven separate pleas – including that the EDPB “exceeded its competence” under the GDPR.

WhatsApp has also claimed that the EDPB has held it to a higher standard of transparency than the GDPR requires and “excessively” interpreted and applied the definition of ‘personal data’ under the Regulation.

According to WhatsApp, the EDPB also breached the Charter of Fundamental Rights of the EU. Specifically, it has pleaded that the EDPB violated the “presumption of innocence” and “right to good administration”, in the former case by “inappropriately” reversing the burden of proof onto WhatsApp to “demonstrate that its processing environment is such that the risks of re-identification of data subjects is purely speculative”, and in the latter case” by “disregarding WhatsApp’s right to be heard and the EDPB’s obligations to carefully and impartially examine evidence and to adequately state reasons”.

The company has also taken issue with the EDPB approach to determining GDPR fines and further argued that the watchdog “violated the principle of legal certainty by failing to acknowledge that its decision puts forward novel interpretations and applications of several provisions of the GDPR, with the consequence that the infringement was unpredictable”.

The EDPB told Out-Law that it is not issuing a statement in response to the proceedings lodged before the General Court. A date has not yet been fixed for a hearing in the case.