CJEU - T-709/21 - WhatsApp Ireland v European Data Protection Board: Difference between revisions
No edit summary |
|||
| Line 47: | Line 47: | ||
}} | }} | ||
The CJEU dismissed WhatsApp's application for annulment of a binding decision of the EDPB as inadmissible because it was not directed against an act that is open to challenge under Article 263 TFEU and that WhatsApp was not directly concerned by the contested decision. | |||
==English Summary== | ==English Summary== | ||
=== Facts === | === Facts === | ||
Following the entry into force of the GDPR, the Irish DPA received complaints from users and non-users (the data subjects) of the ‘WhatsApp’ messaging service concerning the processing of personal data by WhatsApp Ireland Ltd (the controller). The Irish DPA, in its capacity as lead supervisory authority, started an investigation into the controller’s compliance with the obligation of transparency and the obligation to provide information with regard to individuals. | |||
Following that investigation, the Irish DPA submitted a draft decision to all the other supervisory authorities of the Member States concerned. Since no consensus was reached on that draft, the Irish DPA referred the matter to the European Data Protection Board (EDPB). | |||
On 28 July 2021, the EDPB adopted a binding decision, in which it ruled on the matters which, in its view, had been the subject of relevant and reasoned objections by some of those authorities. After receiving that decision, the Irish DPA adopted a final decision on 20 August 2021, in which it found that the controller had infringed certain provisions of the GDPR. The Irish DPA imposed corrective measures on the controller, in particular administrative fines for a cumulative amount of €225 million. | |||
The controller, in parallel, challenged the final decision before an Irish court and requested that the Court annul the binding decision 1/2021 of the EDPB of 28 July 2021 (contested decision). | |||
=== Holding === | |||
As a preliminary point, the Court noted that, in order for an act to be open to challenge by an applicant other than the ‘privileged’ applicants (Article 263(2) TFEU), that act must have binding legal effects capable of affecting the interests of the applicant by bringing about a distinct change in his legal position. That condition overlaps with the need for the applicant to be directly and individually concerned by that act in order to have standing to bring proceedings, where an applicant is not the addressee of the challenged individual act. | |||
In | In that regard, the Court considered that the contested decision did not in itself change the controller’s legal position. Unlike the final decision of the Irish DPA, the contested decision was not directly enforceable against the controller. It constituted a preparatory act in a procedure which must be closed by the adoption of a final decision of a national supervisory authority addressed to that undertaking. | ||
Moreover, the Court held that the contested decision had no legal effect against the controller that was independent of the final decision of the Irish DPA. All the assessments made in the binding decision were repeated in the final one, and the binding decision had no effect that was independent of the content of the final decision. Thus, the fact that an intermediate act expressed the definitive position of an authority that would have to be taken up in the final decision, did not necessarily mean that that intermediate act itself changed the applicant’s legal position. | |||
Next, the Court observed that the controller was not directly concerned by the contested decision. The Court noted that a measure was of direct concern to an applicant who is not an addressee, if it (1) directly affected that applicant’s legal situation and, (2) left no discretion to its addressees, who were entrusted with the task of implementing it. Such implementation being automatic and resulting from EU rules without the application of other intermediate rules. Regarding the first condition, the Court recalled that the contested decision was not enforceable against the controller in a way that would impose obligations on the controller without further procedural steps. The Court held that, the contested decision was not the final step of the full procedure provided for by the GDPR. With regard to the second condition, the Court found that it left a measure of discretion to the Irish DPA as to the content of the final decision, in particular to establish the amount of the administrative fines. | |||
Lastly, the Court noted that the inadmissibility of the controller’s action was consistent with the logic of the system of judicial remedies established by the TEU and the TFEU. The Court stated that the TFEU established a complete system of legal remedies designed to ensure judicial review of the legality of acts of the European Union, in which the national courts also participate. In particular, the possibility of bringing a direct action for annulment before the CJEU, or of making a request for a preliminary ruling. Individuals can challenge the validity of such an act before the national court. The national court, in turn, was able to make a request to the Court of Justice for a preliminary ruling. Individuals can however not, by reason of the conditions for admissibility, directly challenge EU acts before the Courts of the European Union. | |||
The Court stated that the logic of that system was that the judicial action of the Court of Justice of the European Union and that of the national courts complement each other effectively. The Courts of the European Union and the national courts should not be required to rule concurrently, in parallel proceedings, on the validity of the same EU act. | |||
In conclusion, the Court, for the first time, ruled on an application for annulment of a binding decision of the EDPB. The Court dismissed the action brought by the controller as inadmissible, because (1) it was not directed against an act that is open to challenge under Article 263 TFEU and (2) the controller was not directly concerned by the contested decision, within the meaning of the criteria for locus standi laid down in that article. The validity of the contested decision may be examined by a national court hearing an action against the subsequent final decision that closes the procedure and is adopted at national level. | |||
== Comment == | == Comment == | ||
Revision as of 13:13, 14 December 2022
| CJEU - T-709/21 WhatsApp Ireland v Comité européen de la protection des données | |
|---|---|
 | |
| Court: | CJEU |
| Jurisdiction: | European Union |
| Relevant Law: | Article 4(1) GDPR Article 12(1) GDPR Article 13(1)(d) GDPR Article 65 GDPR Article 65(1)(a) GDPR Article 83 GDPR Article 41 CFR Article 48 CFR |
| Decided: | |
| Parties: | EDPB |
| Case Number/Name: | T-709/21 WhatsApp Ireland v Comité européen de la protection des données |
| European Case Law Identifier: | |
| Reference from: | |
| Language: | 24 EU Languages |
| Original Source: | Judgement |
| Initial Contributor: | n/a |
The CJEU dismissed WhatsApp's application for annulment of a binding decision of the EDPB as inadmissible because it was not directed against an act that is open to challenge under Article 263 TFEU and that WhatsApp was not directly concerned by the contested decision.
English Summary
Facts
Following the entry into force of the GDPR, the Irish DPA received complaints from users and non-users (the data subjects) of the ‘WhatsApp’ messaging service concerning the processing of personal data by WhatsApp Ireland Ltd (the controller). The Irish DPA, in its capacity as lead supervisory authority, started an investigation into the controller’s compliance with the obligation of transparency and the obligation to provide information with regard to individuals.
Following that investigation, the Irish DPA submitted a draft decision to all the other supervisory authorities of the Member States concerned. Since no consensus was reached on that draft, the Irish DPA referred the matter to the European Data Protection Board (EDPB).
On 28 July 2021, the EDPB adopted a binding decision, in which it ruled on the matters which, in its view, had been the subject of relevant and reasoned objections by some of those authorities. After receiving that decision, the Irish DPA adopted a final decision on 20 August 2021, in which it found that the controller had infringed certain provisions of the GDPR. The Irish DPA imposed corrective measures on the controller, in particular administrative fines for a cumulative amount of €225 million.
The controller, in parallel, challenged the final decision before an Irish court and requested that the Court annul the binding decision 1/2021 of the EDPB of 28 July 2021 (contested decision).
Holding
As a preliminary point, the Court noted that, in order for an act to be open to challenge by an applicant other than the ‘privileged’ applicants (Article 263(2) TFEU), that act must have binding legal effects capable of affecting the interests of the applicant by bringing about a distinct change in his legal position. That condition overlaps with the need for the applicant to be directly and individually concerned by that act in order to have standing to bring proceedings, where an applicant is not the addressee of the challenged individual act.
In that regard, the Court considered that the contested decision did not in itself change the controller’s legal position. Unlike the final decision of the Irish DPA, the contested decision was not directly enforceable against the controller. It constituted a preparatory act in a procedure which must be closed by the adoption of a final decision of a national supervisory authority addressed to that undertaking.
Moreover, the Court held that the contested decision had no legal effect against the controller that was independent of the final decision of the Irish DPA. All the assessments made in the binding decision were repeated in the final one, and the binding decision had no effect that was independent of the content of the final decision. Thus, the fact that an intermediate act expressed the definitive position of an authority that would have to be taken up in the final decision, did not necessarily mean that that intermediate act itself changed the applicant’s legal position.
Next, the Court observed that the controller was not directly concerned by the contested decision. The Court noted that a measure was of direct concern to an applicant who is not an addressee, if it (1) directly affected that applicant’s legal situation and, (2) left no discretion to its addressees, who were entrusted with the task of implementing it. Such implementation being automatic and resulting from EU rules without the application of other intermediate rules. Regarding the first condition, the Court recalled that the contested decision was not enforceable against the controller in a way that would impose obligations on the controller without further procedural steps. The Court held that, the contested decision was not the final step of the full procedure provided for by the GDPR. With regard to the second condition, the Court found that it left a measure of discretion to the Irish DPA as to the content of the final decision, in particular to establish the amount of the administrative fines.
Lastly, the Court noted that the inadmissibility of the controller’s action was consistent with the logic of the system of judicial remedies established by the TEU and the TFEU. The Court stated that the TFEU established a complete system of legal remedies designed to ensure judicial review of the legality of acts of the European Union, in which the national courts also participate. In particular, the possibility of bringing a direct action for annulment before the CJEU, or of making a request for a preliminary ruling. Individuals can challenge the validity of such an act before the national court. The national court, in turn, was able to make a request to the Court of Justice for a preliminary ruling. Individuals can however not, by reason of the conditions for admissibility, directly challenge EU acts before the Courts of the European Union.
The Court stated that the logic of that system was that the judicial action of the Court of Justice of the European Union and that of the national courts complement each other effectively. The Courts of the European Union and the national courts should not be required to rule concurrently, in parallel proceedings, on the validity of the same EU act.
In conclusion, the Court, for the first time, ruled on an application for annulment of a binding decision of the EDPB. The Court dismissed the action brought by the controller as inadmissible, because (1) it was not directed against an act that is open to challenge under Article 263 TFEU and (2) the controller was not directly concerned by the contested decision, within the meaning of the criteria for locus standi laid down in that article. The validity of the contested decision may be examined by a national court hearing an action against the subsequent final decision that closes the procedure and is adopted at national level.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
