EDPB adopts Art. 65 decision regarding WhatsApp Ireland


During its latest plenary session, the EDPB adopted a dispute resolution decision on the basis of Art. 65 GDPR. The binding decision seeks to address the lack of consensus on certain aspects of a draft decision issued by the Irish (IE) SA as lead supervisory authority (LSA) regarding WhatsApp Ireland Ltd. (WhatsApp IE) and the subsequent objections expressed by a number of concerned supervisory authorities (CSAs).


The LSA issued the draft decision following an own-volition inquiry into WhatsApp IE, concerning whether WhatsApp IE complied with its transparency obligations pursuant to Art. 12, 13 & 14 GDPR. On 24 December 2020, the LSA shared its draft decision with the CSAs in accordance with Art. 60 (3) GDPR.


The CSAs issued objections pursuant to Art. 60 (4) GDPR concerning, among others, the identified infringements of the GDPR, whether specific data at stake were to be considered personal data and the consequences thereof, and the appropriateness of the envisaged corrective measures.


The IE SA was unable to reach consensus, having considered the objections of the CSAs, and consequently indicated to the Board it would not follow the objections. Accordingly, the IE SA referred them to the EDPB for determination pursuant to Art. 65 (1) (a) GDPR, thereby initiating the dispute resolution procedure.


The EDPB adopted its binding decision. The decision addresses the merits of the objections found to be “relevant and reasoned” in line with the requirements of Art. 4 (24) GDPR. The EDPB will shortly notify its decision formally to the concerned supervisory authorities.


The IE SA shall adopt its final decision, addressed to the controller, on the basis of the EDPB decision, without undue delay and at the latest one month after the EDPB has notified its decision. The EDPB will publish its decision on its website without undue delay after the IE SA has notified their national decision to the controller.


The Article 65 of the GDPR empowers the European Union to better tackle Union-wide data protection concerns especially when Member State authorities can not agree on the same response by letting the EDPB to issue a binding decision. ECOPNET (European Cooperation and Partnership Network) notes that the reform on GDPR now enables the EU to strongly address the data protections concerns created by the tech giants.

Source: EDPB News