Extra bad news for Meta in Europe: The tech large has misplaced an try and annul a binding determination on its messaging app, WhatsApp, taken by the European Knowledge Safety Board (EDPB) final summer time — underneath the bloc’s Normal Knowledge Safety Regulation (GDPR) — which factored right into a ultimate determination (and hefty nice) issued by WhatsApp’s lead EU information safety supervisor, Eire’s Knowledge Safety Fee (DPC), simply over a 12 months in the past.
Meta nonetheless has a stay attraction in opposition to the WhatsApp GDPR enforcement in Eire, underneath Irish regulation — the place the DPC issued its ultimate determination on this enquiry in September last year — so the tech large’s authorized problem nonetheless has highway to run.
However in a judgement revealed right this moment, the European Union’s Normal Courtroom discovered WhatsApp Eire’s motion for annulment to be inadmissible.
The EDPB’s binding determination led to WhatsApp being issued with a €225 million nice for breaching GDPR transparency obligations — a monetary sanction that was considerably bigger than the €30M to €50M initially proposed by the DPC in its draft determination, underlining how vital the Board’s interventions may be.
Below the GDPR’s one-stop-shop mechanism, regulatory enquiries into information processors which have customers throughout a number of EU Member States are sometimes funnelled via a lead supervisor within the nation of principal institution within the EU (in Meta’s case that’s Eire). However any draft determination they produce have to be submitted to different EU information safety authorities for overview — and if objections are lodged a dispute decision mechanism kicks in that may culminate within the EDPB taking a binding determination if no consensus is reached between the DPAs.
So the Board performs an important function in guaranteeing that enforcement of the bloc’s flagship information safety regulation doesn’t stall in perpetual inter-regulatory bickering.
Simply yesterday, for instance, the EDPB confirmed it’s stepped in to take three extra binding selections on Meta-owned firms in relation to completely different GDPR complaints — in opposition to Fb, Instagram and WhatsApp. Ultimate selections on these ‘authorized foundation’ circumstances are due from Eire’s DPC early subsequent 12 months.
The EDPB additionally stepped in final summer time to problem a binding determination on the aforementioned WhatsApp transparency enquiry after DPAs did not agree on a lot of points. Its intervention resulted in additional woe for WhatsApp — after the Board discovered extra violations than the DPC and recognized issues with how the Irish regulator had calculated the extent of the proposed nice, resulting in it to require the DPC problem a bigger monetary sanction in its ultimate determination.
The Board’s intervention additionally lowered the time frame WhatsApp was given to implement the corrective measures ordered underneath the enforcement — slicing it in half, down to 3 months from the six urged by the DPC. So, once more, its function may be vital in shaping ultimate selections, particularly in additional complicated, contested GDPR circumstances.
However whereas the Board is crucial to protecting GDPR enforcement flowing, it’s nonetheless the lead information safety authority that’s, finally, liable for taking the ultimate determination on circumstances they lead — simply with a stipulation that their ultimate determination should incorporate an EDPB binding determination, if there may be one.
And that nuance — over the distinction between a partial vs ultimate determination — appears to be a part of the explanation why Meta’s try and annul the Board’s binding determination foundered within the EU Courtroom. In addition to there not being a cause to confess the motion underneath EU procedural regulation, within the Courtroom’s view.
The Courtroom additionally factors out that permitting the motion to be heard would create a state of affairs of two judicial proceedings (“with vital overlap”) operating in parallel — given Meta is interesting the WhatsApp enforcement in Eire by difficult the DPC’s ultimate determination — and additional notes the power of an Irish courtroom to make a reference to the EU’s Courtroom of Justice if it has doubts as to the validity of the EDPB’s determination. So there may be nonetheless an avenue for this problem to return to an (increased) EU courtroom down the road.
Responding to its EU authorized motion being tossed right this moment, a WhatsApp spokesperson despatched us this temporary assertion:
This case considerations a privateness coverage from 4 years in the past that has since been up to date a number of occasions and clearly particulars the industry-leading privateness protections WhatsApp offers. We nonetheless strongly disagree with the EDPB determination and can think about all out there choices.