Irish privacy regulator to take European Union body to court over unlawful interference
The Republic of Ireland’s privacy regulator announced on Thursday that it would be taking the European Union’s data protection board to court to challenge what it says is unlawful interference.
Ireland’s Data Protection Commissioner (DPC) made its complaint about the European Data Protection Board (EDPB) alongside an announcement that it had concluded a five-year investigation into WhatsApp.
At the end of that investigation, WhatsApp was fined €5.5 million (about $6 million) for breaches of the European Union’s General Data Protection Regulation (GDPR). The breaches did not relate to users’ privacy but to the contractual terms that users agree to when using the platform.
A spokesperson for WhatsApp said: “We rely upon contractual necessity for service improvement and security purposes because we believe helping keep people safe and offering an innovative product is a fundamental responsibility in operating our service. We disagree with the decision and we intend to appeal.”
Alongside announcing the fine, the DPC complained about the EDPB attempting to interfere with its regulatory duties by instructing the national regulator to conduct a new investigation into WhatsApp.
The DPC feared the precedent the instruction would set. It argued that under the terms by which the EDPB was founded, it is not a supervisory body that has any powers at all to control the investigations of sovereign national regulators.
“The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation,” said the DPC’s statement.
“The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR,” the statement added.
The case regarding the instruction to investigate WhatsApp is the third-such issue which the Data Protection Commissioner has raised in respect to the EDPB’s attempted interference. Two previous instructions were issued regarding investigations into Facebook and Instagram in December.
“To the extent that the direction may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the European Union in order to seek the setting aside of the EDPB’s direction,” the Irish commissioner announced.