Language of document : ECLI:EU:T:2022:783

ORDER OF THE GENERAL COURT (Fourth Chamber, Extended Composition)

7 December 2022 (*)

(Action for annulment – Protection of personal data – Draft decision of the lead supervisory authority – Resolution of disputes between supervisory authorities by the European Data Protection Board – Binding decision – Article 60(4) and Article 65(1)(a) of Regulation (EU) 2016/679 – Act not open to challenge – Preparatory act – Lack of individual concern)

In Case T‑709/21,

WhatsApp Ireland Ltd, established in Dublin (Ireland), represented by H.-G. Kamann, F. Louis, A. Vallery, lawyers, P. Nolan, B. Johnston, C. Monaghan, Solicitors, P. Sreenan, D. McGrath, Senior Counsel, C. Geoghegan and E. Egan McGrath, Barristers-at-Law,

applicant,

v

European Data Protection Board, represented by I. Vereecken and G. Le Grand, acting as Agents, and by G. Ryelandt, E. de Lophem and P. Vernet, lawyers,

defendant,

THE GENERAL COURT (Fourth Chamber, Extended Composition),

composed, at the time of deliberation, of S. Gervasoni, President, L. Madise (Rapporteur), P. Nihoul, R. Frendo and J. Martín y Pérez de Nanclares, Judges,

Registrar: E. Coulon,

having regard to the written part of the procedure, namely:

–        the application lodged at the Court Registry on 1 November 2021,

–        the defence lodged at the Court Registry on 1 February 2022,

–        the reply lodged at the Court Registry on 9 May 2022,

–        the rejoinder lodged at the Court Registry on 18 July 2022,

–        the measure of organisation of procedure by which the Court asked the parties, in the reply and the rejoinder, not to omit to define their position on all of the important matters concerning the jurisdiction of the Court and the admissibility of the action,

makes the following

Order

1        By its action under Article 263 TFEU, the applicant, WhatsApp Ireland Ltd (‘WhatsApp’), seeks the annulment of Binding Decision 1/2021 of the European Data Protection Board (‘the EDPB’) of 28 July 2021 on the dispute between the supervisory authorities concerned arising from the draft decision regarding WhatsApp drawn up by the Data Protection Commission (Ireland) (‘the Irish supervisory authority’) (‘the contested decision’).

 Facts prior to and subsequent to the contested decision and procedure

2        Following the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1), the Irish supervisory authority received complaints from users and non-users of the ‘WhatsApp’ messaging service concerning the processing of personal data by WhatsApp. The German federal supervisory authority also requested the assistance of the Irish supervisory authority in relation to WhatsApp’s compliance with the obligations of transparency incumbent on controllers of personal data as regards any sharing of such data with other entities in the Facebook group (renamed Meta in September 2021).

3        In December 2018, the Irish supervisory authority initiated of its own volition a general investigation into WhatsApp’s compliance with the obligation of transparency and the obligation to provide information with regard to individuals (as opposed to undertakings) laid down in Articles 12, 13 and 14 of Regulation 2016/679, without prejudice to the action it might take on the individual complaints or requests made to it. The Irish supervisory authority acted in that regard as ‘lead supervisory authority’, as provided for in Article 56(1) of Regulation 2016/679, since WhatsApp had its main establishment in Ireland as the controller for the operations of the ‘WhatsApp’ messaging service in Europe, and the processing carried out by it was of a cross-border nature.

4        After the investigation phase was completed in September 2019 with the submission of a final report by the investigator, the decision-maker of the Irish supervisory authority, following intermediate procedural phases during which WhatsApp provided its observations, submitted a draft decision in December 2020 to all the other supervisory authorities involved in the case, namely all the other supervisory authorities of the Member States, for their opinion, in accordance with the provisions of Article 60(3) of Regulation 2016/679.

5        In January 2021, eight of those supervisory authorities, namely the German federal supervisory authority and the Baden-Württemberg, Hungarian, Netherlands, Polish, French, Italian and Portuguese supervisory authorities, expressed objections to certain aspects of that draft decision. In addition, various supervisory authorities provided comments. The Irish supervisory authority issued a composite response to the other supervisory authorities concerned, proposing compromise positions. Although, following that response, one of those authorities withdrew one of its objections, the Irish supervisory authority found that a consensus had not been reached among the supervisory authorities concerned on its proposals concerning the other aspects objected to and it decided to reject all those objections in order to refer the matter to the EDPB for it to resolve the dispute between the supervisory authorities concerned on those aspects, in accordance with Article 60(4) and Article 65(1)(a) of Regulation 2016/679.

6        In May 2021, after sending it all the documents exchanged in that regard, the Irish supervisory authority received WhatsApp’s written observations on the matters discussed between the supervisory authorities concerned and in turn forwarded those observations to the EDPB so that it could take them into consideration in the dispute resolution procedure, which the Irish supervisory authority launched in June 2021.

7        The EDPB, which, under Article 68(3) of Regulation 2016/679, is composed ‘of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives’, adopted the contested decision on 28 July 2021 by a two-thirds majority, in accordance with Article 65(2) of Regulation 2016/679. The contested decision is a decision addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them, as provided for in that provision, and concerns all the matters which have been the subject of relevant and reasoned objections, as provided for in Article 65(1)(a) of Regulation 2016/679. In that regard, in the contested decision, the EDPB first examined whether each objection raised by a supervisory authority concerned was relevant and reasoned. It took a position on an objection only if it was first deemed to be relevant and reasoned.

8        After the Irish supervisory authority had received the contested decision and was provided with observations from WhatsApp regarding the fines which it ultimately intended to impose on WhatsApp in the light of the contested decision, on 20 August 2021 the decision-maker of that authority adopted, in accordance with Article 65(6) of Regulation 2016/679, a final decision addressed to WhatsApp (‘the final decision’). In the final decision, WhatsApp is found to have infringed the principle and the obligations of transparency laid down in Article 5(1)(a), Article 12(1), Article 13(1)(c), (d), (e) and (f), Article 13(2)(a), (c) and (e) and Article 14 of Regulation 2016/679. Conversely, it is stated therein that WhatsApp complied with the obligations laid down in Article 13(1)(a) and (b) and Article 13(2)(b) and (d) of Regulation 2016/679. By way of corrective measures adopted on the basis of Article 58(2)(b), (d) and (i) of Regulation 2016/679, in the final decision, WhatsApp was issued a reprimand as well as an order to implement a number of actions, listed in an annex, intended to bring it into compliance, within a period of three months, with the provisions of Regulation 2016/679 that were infringed, and four administrative fines in relation to infringements of Article 5(1)(a) and Articles 12, 13 and 14 of Regulation 2016/679, for a total amount of EUR 225 million.

9        In the final decision, the decision-maker of the Irish supervisory authority identified the aspects in respect of which the contested decision required it to review the assessment set out in the draft decision referred to in paragraph 4 above. In relation to those aspects, it decided to reproduce, in shaded boxes, the reasons given by the EDPB in the contested decision as they stood and simply to draw the appropriate conclusions in each case in a concluding paragraph. It stated that, in the final decision, it did not refer to and did not take a position on the objections which the EDPB had deemed not to be relevant and reasoned, and which the EDPB had therefore declined to assess on the merits, or the objections which the EDPB had found not to require any change of the assessment set out in the draft decision.

10      In accordance with Article 65(6) of Regulation 2016/679, the contested decision was attached to the final decision of the Irish supervisory authority.

11      In that regard, it is apparent that, in the contested decision, the EDPB successively took a position solely on the following aspects, which, in its view, had been the subject of relevant and reasoned objections:

–        whether WhatsApp had failed to comply with the obligations to provide information laid down in Article 13(1)(d) of Regulation 2016/679, relating to certain information to be provided to data subjects where personal data have been collected from them. Such a failure to comply had not been established by the Irish supervisory authority in its draft decision. The EDPB took the view, on the contrary, that WhatsApp had failed to comply with that provision;

–        the classification as personal data of the material resulting from the ‘lossy hashing procedure’, applied to the data concerning the ‘contacts’ who are non-users of WhatsApp contained in the address books on the devices of WhatsApp users. The Irish supervisory authority had not classified that material as such in its draft decision. The EDPB considered, on the contrary, that it still constitutes personal data. According to the contested decision, that aspect had a potential impact on the possible finding of an infringement by WhatsApp of Article 5(1)(c) and Article 6(1) of Regulation 2016/679 and an impact on the extent of WhatsApp’s infringement of Article 14 of Regulation 2016/679, as well as on the level of the fine incurred on those grounds;

–        whether WhatsApp infringed the principle of transparency laid down in Article 5(1)(a) of Regulation 2016/679, which the Irish supervisory authority had not established in its draft decision. The EDPB took the view, on the contrary, that that principle had been infringed by WhatsApp;

–        the finding of an infringement by WhatsApp of Article 13(2)(e) of Regulation 2016/679, relating to certain information to be provided to data subjects where personal data have been collected from them, which the Irish supervisory authority had not considered itself able to make, since the investigator had not taken a position on the issue during the investigation, and in respect of which it had considered itself able only to issue a recommendation. The EDPB considered, on the contrary, that the investigation covered all the provisions of Article 13 of Regulation 2016/679 and that an infringement of that provision had to be established;

–        whether WhatsApp had infringed Article 6(1) of Regulation 2016/679, concerning the conditions for lawful processing of personal data, on which the Irish supervisory authority had not ruled. The EDPB took the view that, for procedural reasons, it was not possible to rule on the matter or to find that there had been such an infringement;

–        the extension of the grounds for WhatsApp’s failure to comply with the obligations to provide information laid down in Article 14 of Regulation 2016/679, on the information to be provided where personal data have not been obtained from the data subject, as a result of the analysis relating to the second indent above. The EDPB confirmed the impact that such extension would have on the behavioural corrective measures and the fine imposed on WhatsApp;

–        whether WhatsApp infringed the principle, laid down in Article 5(1)(c) of Regulation 2016/679, of collecting only data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, on which the Irish supervisory authority did not rule. The EDPB took the view that such an infringement had not been demonstrated on the basis of the file, in particular in view of the scope of the investigation with regard to WhatsApp;

–        the period, set at six months by the Irish supervisory authority, within which, by way of corrective measures, WhatsApp was required to bring its processing into compliance with those requirements of Regulation 2016/679 with which it had failed to comply. The EDPB reduced that period to three months;

–        as regards corrective measures, the methods of providing information to non-users of WhatsApp regarding the processing of their personal data by WhatsApp. The EDPB confirmed the assessment made by the Irish supervisory authority in that regard in its draft decision;

–        as regards corrective measures, the statement of the additional grounds for WhatsApp’s failure to comply with the obligations laid down in Article 14 of Regulation 2016/679 (see the second indent above). The EDPB stated that that statement was necessary to ensure that WhatsApp adopts appropriate corrective actions in that regard;

–        the criteria for the quantum of the fines to be imposed on WhatsApp, in the light of Article 83 of Regulation 2016/679, relating to the ‘general conditions for imposing administrative fines’. The EDPB took the view that the Irish supervisory authority had misinterpreted the criterion relating to the worldwide annual turnover of the undertaking concerned; that it had correctly interpreted the concept of ‘preceding financial year’; that it had misinterpreted the rule that, if several provisions of Regulation 2016/679 are infringed in the context of the same or linked processing operations, the total amount of the administrative fine cannot exceed the amount specified for the gravest infringement; and that it had correctly interpreted certain criteria set out in Article 83(1) and (2) of Regulation 2016/679 for determining the fine (intentional or negligent character of the infringements, gravity of the infringements), but had misinterpreted other of those criteria (taking into account turnover in order to quantify the penalty independently of the calculation of its upper limit and, more generally, the need for the penalty to be effective, proportionate and dissuasive);

–        the level of the fines. The EDPB considered that, in the light of the Irish supervisory authority’s misinterpretation of certain criteria relating to the quantum of the fine (see the eleventh indent above) and the necessary finding of additional failures by WhatsApp to comply with its obligations (see the first, third, fourth and sixth indents above), the amounts of the fines envisaged by the Irish supervisory authority at a total level of between EUR 30 and EUR 50 million had to be increased.

12      WhatsApp, in parallel, challenged the final decision before an Irish court and requested that the Court annul the contested decision.

13      In the present proceedings, the Computer & Communication Industry Association applied for leave to intervene in support of the applicant, while the Republic of Finland, the European Commission and the European Data Protection Supervisor applied for leave to intervene in support of the EDPB. With a view to their interventions, the main parties requested that certain material in the file not be disclosed to certain interveners, on account of its confidential nature. At this stage, no decision has been taken on those applications.

14      The measure of organisation of procedure adopted following the lodging of the defence, asking the main parties, in the reply and the rejoinder, not to omit to define their position on all of the important matters concerning the jurisdiction of the Court and the admissibility of the action, referred in that regard to the classification of the contested decision as an act of a body of the European Union, the classification of the contested decision as an act open to challenge, the applicant’s standing to bring proceedings and its legal interest in bringing proceedings.

 Forms of order sought

15      WhatsApp claims that the Court should annul the contested decision in its entirety or, in the alternative, annul the relevant parts of that decision, and order the EDPB to pay the costs.

16      The EDPB contends that the Court should dismiss the action as inadmissible or, in the alternative, dismiss the action as unfounded or, in the further alternative, annul only the relevant parts of the contested decision. The EDPB also contends that the Court should order the applicant to pay the costs.

 Law

17      Under Article 129 of the Rules of Procedure of the General Court, on a proposal from the Judge-Rapporteur, the Court may at any time of its own motion, after hearing the main parties, decide to rule by reasoned order on whether there exists any absolute bar to proceeding with a case.

18      In the present case, the Court considers that it has sufficient information from the documents in the file and has decided, pursuant to that article, to rule on the admissibility of the action without taking further steps in the proceedings.

19      The verification of the Court’s jurisdiction and that of an applicant’s standing are matters of public policy, like the verification of other elements relating to the admissibility of an action, and, in the present case, the main parties were put in a position to submit their observations in that regard following the measure of organisation of procedure referred to in paragraph 14 above, after the EDPB itself raised the inadmissibility of the action in the defence.

20      In the present case, it is appropriate, as a preliminary point, to recall the institutional legal framework of which the contested decision forms part.

 The institutional legal framework

21      Chapter VI of Regulation 2016/679 is entitled ‘Independent supervisory authorities’. Within that chapter, Article 51 provides that each Member State ‘shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation’, that each of those authorities ‘shall contribute to the consistent application of this Regulation throughout the Union’ and that, to that end, ‘the supervisory authorities shall cooperate with each other and the Commission in accordance with Chapter VII’.

22      Article 55 provides that each supervisory authority is to be competent for the performance of the tasks assigned to and the exercise of the powers conferred on it in accordance with Regulation 2016/679 on the territory of its own Member State, and Article 56 states that, without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the controller or processor is to be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor in accordance with the procedure provided in Article 60. As stated in paragraph 3 above, in the present case, the Irish supervisory authority acted as the lead authority with regard to WhatsApp.

23      Article 58(2) of Regulation 2016/679 provides that each supervisory authority is to have the power to adopt corrective measures with regard to a controller or processor, and, in particular, in points (b), (d) and (i) thereof, to issue reprimands to them where processing operations have infringed the provisions of Regulation 2016/679, to order them to bring their processing operations into compliance with the provisions of Regulation 2016/679, where appropriate, in a specified manner and within a specified period, and to impose an administrative fine on them.

24      Chapter VII of Regulation 2016/679, which follows the provisions referred to in paragraphs 21 to 23 above, is entitled ‘Cooperation and consistency’.

25      In the ‘Cooperation’ section of that chapter, Article 60, entitled ‘Cooperation between the lead supervisory authority and the other supervisory authorities concerned’, provides, inter alia:

‘1.      The lead supervisory authority shall cooperate with the other supervisory authorities concerned in accordance with this Article in an endeavour to reach consensus. The lead supervisory authority and the supervisory authorities concerned shall exchange all relevant information with each other.

3.      The lead supervisory authority shall, without delay, communicate the relevant information on the matter to the other supervisory authorities concerned. It shall without delay submit a draft decision to the other supervisory authorities concerned for their opinion and take due account of their views.

4.      Where any of the other supervisory authorities concerned within a period of four weeks after having been consulted in accordance with paragraph 3 of this Article, expresses a relevant and reasoned objection to the draft decision, the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism referred to in Article 63.

5.      Where the lead supervisory authority intends to follow the relevant and reasoned objection made, it shall submit to the other supervisory authorities concerned a revised draft decision for their opinion. That revised draft decision shall be subject to the procedure referred to in paragraph 4 within a period of two weeks.

6.      Where none of the other supervisory authorities concerned has objected to the draft decision submitted by the lead supervisory authority within the period referred to in paragraphs 4 and 5, the lead supervisory authority and the supervisory authorities concerned shall be deemed to be in agreement with that draft decision and shall be bound by it.

7.      The lead supervisory authority shall adopt and notify the decision to the main establishment or single establishment of the controller or processor, as the case may be and inform the other supervisory authorities concerned and the Board of the decision in question, including a summary of the relevant facts and grounds. The supervisory authority with which a complaint has been lodged shall inform the complainant on the decision.

10.      After being notified of the decision of the lead supervisory authority … the controller or processor shall take the necessary measures to ensure compliance with the decision as regards processing activities in the context of all its establishments in the Union. The controller or processor shall notify the measures taken for complying with the decision to the lead supervisory authority, which shall inform the other supervisory authorities concerned.’

26      In the ‘Consistency’ section of Chapter VII of Regulation 2016/679, Article 63, entitled ‘Consistency mechanism’, provides:

‘In order to contribute to the consistent application of this Regulation throughout the Union, the supervisory authorities shall cooperate with each other and, where relevant, with the Commission, through the consistency mechanism as set out in this Section.’

27      The EDPB is involved in that mechanism. The Statute of the EDPB is laid down in the third and last section of Chapter VII of Regulation 2016/679, entitled ‘European data protection board’.

28      In that section, Article 68 states:

‘1.      The European Data Protection Board (the “Board”) is hereby established as a body of the Union and shall have legal personality.

3.      The Board shall be composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.

…’

29      In the same section, Article 70, entitled ‘Tasks of the Board’, provides:

‘1.      The Board shall ensure the consistent application of this Regulation. To that end, the Board shall, on its own initiative or, where relevant, at the request of the Commission, in particular:

(a)      monitor and ensure the correct application of this Regulation in the cases provided for in Articles 64 and 65 without prejudice to the tasks of national supervisory authorities;

…’

30      That Article 70 also lists in detail the other tasks of the EDPB, which are essentially advisory tasks which it must perform by means of opinions, guidelines, recommendations and ‘best practices’.

31      In the ‘Consistency’ section, referred to in paragraph 26 above, after Article 64, which lists the cases in which the EDPB is to issue an opinion, Article 65, entitled ‘Dispute resolution by the Board’, provides inter alia:

‘1.      In order to ensure the correct and consistent application of this Regulation in individual cases, the Board shall adopt a binding decision in the following cases:

(a)      where, in a case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority and the lead supervisory authority has not followed the objection or has rejected such an objection as being not relevant or reasoned. The binding decision shall concern all the matters which are the subject of the relevant and reasoned objection, in particular whether there is an infringement of this Regulation;

2.      The decision referred to in paragraph 1 shall be adopted … by a two-thirds majority of the members of the Board. The decision referred to in paragraph 1 shall be reasoned and addressed to the lead supervisory authority and all the supervisory authorities concerned and binding on them.

5.      The Chair of the Board shall notify, without undue delay, the decision referred to in paragraph 1 to the supervisory authorities concerned. It shall inform the Commission thereof. The decision shall be published on the website of the Board without delay after the supervisory authority has notified the final decision referred to in paragraph 6.

6.      The lead supervisory authority or, as the case may be, the supervisory authority with which the complaint has been lodged shall adopt its final decision on the basis of the decision referred to in paragraph 1 of this Article, without undue delay and at the latest by one month after the Board has notified its decision. … The final decision shall refer to the decision referred to in paragraph 1 of this Article and shall specify that the decision referred to in that paragraph will be published on the website of the Board in accordance with paragraph 5 of this Article. The final decision shall attach the decision referred to in paragraph 1 of this Article.’

32      Chapter VIII of Regulation 2016/679, entitled ‘Remedies, liability and penalties’, addresses the ‘right to an effective judicial remedy against a supervisory authority’ in Article 78 and the ‘right to an effective judicial remedy against a controller or processor’ in Article 79. It does not contain any provisions concerning possible legal remedies against binding decisions of the EDPB adopted on the basis of Article 65(1). Article 78(4) provides, however, that ‘where proceedings are brought against a decision of a supervisory authority which was preceded by … a decision of the Board in the consistency mechanism, the supervisory authority shall forward that … decision to the court’.

33      In the grounds of Regulation 2016/679, recital 143 states:

‘Any natural or legal person has the right to bring an action for annulment of decisions of the Board before the Court of Justice under the conditions provided for in Article 263 TFEU. As addressees of such decisions, the supervisory authorities concerned which wish to challenge them have to bring action within two months of being notified of them, in accordance with Article 263 TFEU. Where decisions of the Board are of direct and individual concern to a controller, processor or complainant, the latter may bring an action for annulment against those decisions within two months of their publication on the website of the Board, in accordance with Article 263 TFEU. Without prejudice to this right under Article 263 TFEU, each natural or legal person should have an effective judicial remedy before the competent national court against a decision of a supervisory authority which produces legal effects concerning that person. Such a decision concerns in particular the exercise of investigative, corrective and authorisation powers by the supervisory authority or the dismissal or rejection of complaints. However, the right to an effective judicial remedy does not encompass measures taken by supervisory authorities which are not legally binding, such as opinions issued by or advice provided by the supervisory authority. Proceedings against a supervisory authority should be brought before the courts of the Member State where the supervisory authority is established and should be conducted in accordance with that Member State’s procedural law. Those courts should exercise full jurisdiction, which should include jurisdiction to examine all questions of fact and law relevant to the dispute before them.

Where a complaint has been rejected or dismissed by a supervisory authority, the complainant may bring proceedings before the courts in the same Member State. In the context of judicial remedies relating to the application of this Regulation, national courts which consider a decision on the question necessary to enable them to give judgment, may, or in the case provided for in Article 267 TFEU, must, request the Court of Justice to give a preliminary ruling on the interpretation of Union law, including this Regulation. Furthermore, where a decision of a supervisory authority implementing a decision of the Board is challenged before a national court and the validity of the decision of the Board is at issue, that national court does not have the power to declare the Board's decision invalid but must refer the question of validity to the Court of Justice in accordance with Article 267 TFEU as interpreted by the Court of Justice, where it considers the decision invalid. However, a national court may not refer a question on the validity of the decision of the Board at the request of a natural or legal person which had the opportunity to bring an action for annulment of that decision, in particular if it was directly and individually concerned by that decision, but had not done so within the period laid down in Article 263 TFEU.’

 Admissibility of the action

34      Article 263 TFEU, the first, second, fourth and fifth paragraphs of which are reproduced below, provides:

‘The Court of Justice of the European Union shall review the legality of legislative acts, of acts of the Council, of the Commission and of the European Central Bank, other than recommendations and opinions, and of acts of the European Parliament and of the European Council intended to produce legal effects vis-à-vis third parties. It shall also review the legality of acts of bodies, offices or agencies of the Union intended to produce legal effects vis-à-vis third parties.

It shall for this purpose have jurisdiction in actions brought by a Member State, the European Parliament, the Council or the Commission on grounds of lack of competence, infringement of an essential procedural requirement, infringement of the Treaties or of any rule of law relating to their application, or misuse of powers.

Any natural or legal person may, under the conditions laid down in the first and second paragraphs, institute proceedings against an act addressed to that person or which is of direct and individual concern to them, and against a regulatory act which is of direct concern to them and does not entail implementing measures.

Acts setting up bodies, offices and agencies of the Union may lay down specific conditions and arrangements concerning actions brought by natural or legal persons against acts of these bodies, offices or agencies intended to produce legal effects in relation to them.

…’

35      It is apparent from the first paragraph of Article 263 TFEU that the Courts of the European Union have jurisdiction to review the legality of an act of a body of the Union intended to produce legal effects vis-à-vis third parties. It is also apparent from the fourth paragraph of that article that, in order to be entitled to bring an action against an individual measure of a body of the Union which is not addressed to it, a legal person must in principle be directly and individually concerned by that measure. In the present case, as stated in paragraph 32 above, no provision corresponding to the provision in the fifth paragraph of Article 263 TFEU appears in Regulation 2016/679, with the result that, in the present case, WhatsApp is in fact subject to the conditions, laid down in the fourth paragraph of that article, that it be directly and individually concerned by the contested decision in order for its action against that decision to be admissible.

36      First of all, it must be noted that the contested decision, adopted by the EDPB, is indeed an act of a body of the Union. Admittedly, the institutional mechanism provided for by Regulation 2016/679, set out in paragraphs 21 to 31 above, in particular the exclusive competence of the national supervisory authorities to adopt corrective measures with regard to controllers and processors, and the mechanisms for cooperation and consistency between those authorities, including within the EDPB which essentially brings together such authorities, might suggest that the latter is only a body for coordination between national authorities. However, under Article 68(1) of Regulation 2016/679, the EDPB was established as a body of the Union and has legal personality. In that capacity, it is also empowered to adopt, on the basis of Articles 64 and 65 of Regulation 2016/679, opinions and, in the context of disputes between national supervisory authorities, decisions such as the contested decision, which are binding on the supervisory authorities concerned, and those opinions and decisions are thus acts of a body of the Union.

37      Next, it must be stated that the contested decision is intended to produce legal effects vis-à-vis third parties, since it is a ‘binding decision’ vis-à-vis the supervisory authorities concerned, adopted on the basis of Article 65 of Regulation 2016/679.

38      Nevertheless, where an applicant is not one of the ‘privileged’ applicants expressly set out in the second paragraph of Article 263 TFEU, the Court has consistently held that, in order to constitute an act open to challenge by that applicant, that act must have binding legal effects capable of affecting the interests of the applicant by bringing about a distinct change in his legal position (judgment of 11 November 1981, IBM v Commission, 60/81, EU:C:1981:264, paragraph 9; see also judgment of 18 November 2010, NDSHT v Commission, C‑322/09 P, EU:C:2010:701, paragraph 45 and the case-law cited).

39      The Court has also held that, where such an applicant is not the addressee of the act which it is challenging, the condition that the act must bring about a distinct change in the applicant’s legal position overlaps with the conditions laid down in the fourth paragraph of Article 263 TFEU, that is to say, when the contested act is not a regulatory act that does not entail implementing measures, with the need for the applicant to be directly and individually concerned by that act (see, to that effect, judgment of 13 October 2011, Deutsche Post and Germany v Commission, C‑463/10 P and C‑475/10 P, EU:C:2011:656, paragraph 38).

40      In the present case, it may be observed at the outset, in the light of the nature of the contested act, which is an individual act, that WhatsApp is individually concerned by the contested decision, since that decision relates to certain aspects of a draft final decision of the Irish supervisory authority concerning it specifically. Contrary to what is argued by the EDPB in the rejoinder, the contested decision is not limited to setting out principles or the interpretation of certain provisions of Regulation 2016/679 that might concern any controller. In the contested decision, as set out in paragraph 11 above, the EDPB rules on WhatsApp’s compliance with some of its obligations under Regulation 2016/679, classifies as personal data material resulting from the ‘lossy hashing procedure’, which is a form of processing carried out solely by WhatsApp, and rules on certain corrective measures to be imposed on WhatsApp, in particular on certain aspects of the determination of the administrative fines to be imposed on it. The contested decision is thus specific to WhatsApp, even though it includes, as is very common in individual acts, a statement or reiteration of principles and interpretations of a general nature.

41      The Court must next examine whether the contested decision has legal effects bringing about a distinct change in WhatsApp’s legal position and whether it is of direct concern to WhatsApp within the meaning of the fourth paragraph of Article 263 TFEU.

42      From that perspective, it must be observed, as the EDPB rightly points out, that the contested decision does not in itself change WhatsApp’s legal position. Unlike the final decision of the Irish supervisory authority, the contested decision is not directly enforceable against WhatsApp and constitutes, in relation to it, a preparatory, or intermediate, act in a procedure which, in accordance with the provisions of Article 58(2) and Articles 60, 63 and 65 of Regulation 2016/679, cited in paragraphs 23 to 26 and paragraph 31 above, must be closed precisely by the adoption of a final decision of a national supervisory authority addressed to that undertaking (see, to that effect and by analogy, judgment of 24 June 1986, AKZO Chemie and AKZO Chemie UK v Commission, 53/85, EU:C:1986:256, paragraph 19).

43      In that regard, it has been held on several occasions that, in procedures which culminate in the drawing up of acts in several stages, intermediate acts whose purpose is to prepare for the final decision do not in principle constitute acts open to challenge (see, to that effect, judgments of 11 November 1981, IBM v Commission, 60/81, EU:C:1981:264, paragraph 10, and of 26 January 2010, Internationaler Hilfsfonds v Commission, C‑362/08 P, EU:C:2010:40, paragraph 52 and the case-law cited).

44      The exceptions to the principle set out in paragraph 43 above concern cases where the intermediate act produces independent legal effects in respect of which sufficient judicial protection cannot be ensured in the context of an action against the decision terminating the procedure (see, to that effect, judgments of 11 November 1981, IBM v Commission, 60/81, EU:C:1981:264, paragraphs 11 and 12, and of 13 October 2011, Deutsche Post and Germany v Commission, C‑463/10 P and C‑475/10 P, EU:C:2011:656, paragraphs 53 and 54). By way of example, such exceptions were identified in a procedure for reviewing compliance with the competition rules applicable to undertakings (see, to that effect, judgment of 24 June 1986, AKZO Chemie and AKZO Chemie UK v Commission, 53/85, EU:C:1986:256, paragraph 20), in a procedure for reviewing compliance with the rules on State aid (see, to that effect, judgment of 9 October 2001, Italy v Commission, C‑400/99, EU:C:2001:528, paragraphs 55 to 63) and, in the case of an ancillary or precautionary measure preceding a final decision, when suspending an official who is the subject of disciplinary proceedings (see, to that effect, judgment of 5 May 1966, Gutmann v Commission, 18/65 and 35/65, EU:C:1966:24, p. 168).

45      In the present case, on the contrary, WhatsApp is afforded effective judicial protection in respect of the contested decision by means of the remedy available to it before the national court against the final decision of the Irish supervisory authority, which makes it possible to assess the validity of the contested decision. As provided for in Article 78(1) of Regulation 2016/679, which states that the right to an effective judicial remedy must be guaranteed to each person in every Member State against a legally binding decision of a supervisory authority concerning that person, WhatsApp challenged before an Irish court the final decision issued by the Irish supervisory authority and may, in that action, claim that the binding assessments contained in the contested decision, set out again in the final decision, are unlawful. It must be borne in mind in that regard that Article 267 TFEU allows the invalidity of acts of the institutions, bodies, offices and agencies of the European Union to be raised before the national court, providing that, where the national court considers that a decision on the question is necessary to enable it to give judgment, it may or must refer a question to the Court of Justice of the European Union for a preliminary ruling on validity. If the Court of Justice finds, at the end of the preliminary ruling procedure, that such an act, if it is preparatory to a decision emanating from an authority of a Member State, is invalid, the national court must draw the consequences as to the legality of that decision, which adversely affects the person concerned (see, to that effect, judgments of 30 October 1975, Rey Soda and Others, 23/75, EU:C:1975:142, paragraph 51, and of 20 March 2018, Šroubárna Ždánice v Council, T‑442/16, not published, EU:T:2018:159, paragraph 34).

46      Moreover, the contested decision has no legal effect vis-à-vis WhatsApp that is independent of the final decision of the Irish supervisory authority: all the assessments made in the former are repeated in the latter and the former has no effect that is independent of the content of the latter, unlike in the situations that gave rise to the judgments of 5 May 1966, Gutmann v Commission (18/65 and 35/65, EU:C:1966:24); of 24 June 1986, AKZO Chemie and AKZO Chemie UK v Commission (53/85, EU:C:1986:256); and of 9 October 2001, Italy v Commission (C‑400/99, EU:C:2001:528), referred to in paragraph 44 above.

47      In that regard, although the principles referred to in paragraphs 43 and 44 above were identified in relation to procedures falling, for the final decision, within the competence of institutions or other entities of the European Union, there is no reason why it should be otherwise where, as in the present case, EU legislation entrusts the monitoring of the application of particular EU rules to specific national authorities in procedures involving several stages and where an intermediate act adopted by a body of the Union in the course of such a procedure, which is closed by a decision of a national authority, is at issue.

48      WhatsApp argues, admittedly, that the contested decision consists of a final position of the EDPB, which was to be followed by the Irish supervisory authority in the final decision. That argument is to be understood as meaning that the contested decision is therefore necessarily an act open to challenge and that it is different from intermediate measures expressing only a provisional opinion, which alone are acts not open to challenge.

49      Nevertheless, as noted in paragraph 38 above, in order for an act to be open to challenge by an applicant other than the ‘privileged’ applicants referred to in the second paragraph of Article 263 TFEU, that act must, inter alia, bring about a distinct change in that applicant’s legal position. The fact that an intermediate act expresses the definitive position of an authority that will have to be taken up in the final decision closing the procedure at issue – as in the present case, since the contested decision contains a definitive analysis of certain aspects of the final decision – does not necessarily mean that that intermediate act itself brings about a distinct change in the applicant’s legal position, as shown in the present case in paragraphs 42 to 47 above. In so far as, as noted in paragraph 39 above, that condition overlaps with the conditions laid down in the fourth paragraph of Article 263 TFEU, that is to say, inter alia with the need for the applicant to be directly concerned by that act, it may be ascertained in the present case whether that condition is met by examining whether WhatsApp is directly concerned by the contested decision.

50      As the EDPB rightly submits, WhatsApp is not directly concerned by the contested decision.

51      It has consistently been held that, in order to be of direct concern to an applicant who is not an addressee of a measure, that measure must, first, directly affect that applicant’s legal situation and, second, leave no discretion to its addressees, who are entrusted with the task of implementing it, such implementation being automatic and resulting from EU rules without the application of other intermediate rules (judgments of 13 May 1971, International Fruit Company and Others v Commission, 41/70 to 44/70, EU:C:1971:53, paragraphs 23 to 28; of 5 May 1998, Dreyfus v Commission, C‑386/96 P, EU:C:1998:193, paragraph 43; and of 17 September 2009, Commission v Koninklijke FrieslandCampina, C‑519/07 P, EU:C:2009:556, paragraph 48).

52      As regards the first of those conditions, as already stated in paragraph 42 above, the contested decision is not enforceable against WhatsApp in a way that would allow it, without further procedural steps, to be a source of obligations for WhatsApp or, as the case may be, rights for other individuals. It thus differs, for example, from the acts which were the subject of the judgment of 23 April 1986, Les Verts v Parliament (294/83, EU:C:1986:166), in respect of which it was observed, in paragraph 31 of that judgment, in order to conclude that they were of direct concern to the applicant association, that ‘they [constituted] a complete set of rules which [were] sufficient in themselves and which [required] no implementing provisions’. In the present case, the contested decision is not the final step of the full procedure provided for in Articles 58, 60 and 65 of Regulation 2016/679.

53      With regard to the second of those conditions, relating to the discretion of the authority responsible for implementing the act in question, it must be noted that, even though the contested decision was binding on the Irish supervisory authority as regards the aspects to which it related, it left a measure of discretion to that authority as to the content of the final decision.

54      As is clear from comparing the content of the contested decision set out in paragraph 11 above, addressing instructions to the supervisory authorities concerned, and the content of the final decision addressed to WhatsApp, set out in paragraph 8 above, the content of the contested decision is partial in comparison with the final decision.

55      Thus, the two decisions share the finding that WhatsApp failed to comply with the principle of transparency set out in Article 5(1)(a) and the obligations set out in Article 13(1)(d) and Article 13(2)(e) of Regulation 2016/679, the classification as personal data of the material resulting from the ‘lossy hashing procedure’ applied to data concerning the ‘contacts’ who are non-users of WhatsApp contained in the address books on the devices of WhatsApp users, the finding that WhatsApp failed to comply with the obligations set out in Article 14 of Regulation 2016/679 as a result of that classification, the three-month period granted to WhatsApp to bring its processing into compliance with the requirements set out in Regulation 2016/679, certain aspects of the corrective measures, namely those relating to the personal data of non-users of WhatsApp and the obligation to provide WhatsApp users with the information set out in Article 13(2)(e) of Regulation 2016/679, the interpretation of the criteria for the quantum of the administrative fines imposed on WhatsApp and the increase in the amount of those fines, in comparison with the total level of EUR 30 to 50 million envisaged in the Irish supervisory authority’s draft decision.

56      By contrast, as regards the following aspects, the final decision results from the assessment of the Irish supervisory authority without the EDPB having expressed a position in that regard in the contested decision: the finding that WhatsApp failed to comply with obligations set out in Article 12(1), Article 13(1)(c), (e) and (f) and Article 13(2)(a) and (c) of Regulation 2016/679; the finding that WhatsApp complied with the obligations set out in Article 13(1)(a) and (b) and Article 13(2)(b) and (d) of Regulation 2016/679; WhatsApp’s status when processing the personal data of non-users of its messaging service; the main content of the corrective measures imposed on WhatsApp, namely those aimed at ensuring compliance with the obligations referred to in Article 12(1), Article 13(1)(c), (d), (e) and (f) and Article 13(2)(a) and (c) of Regulation 2016/679; the specific determination of the level of the administrative fines imposed on WhatsApp, giving a total of EUR 225 million.

57      It must be observed, in particular, that the Irish supervisory authority exercised its discretion to draw the conclusions from the instructions given in the contested decision with regard to the classification as personal data of the material resulting from the ‘lossy hashing procedure’ and with regard to the administrative fines.

58      On the first aspect, that is, the issue of the processing of the personal data of non-users of WhatsApp, in particular of the material resulting from the ‘lossy hashing procedure’, as is apparent from paragraph 111 of the final decision, the following stage of the analysis to determine whether WhatsApp had failed to comply, with regard to those persons, with the obligations laid down in Article 14 of Regulation 2016/679 was whether, as regards the processing of the personal data in question, WhatsApp acted as a controller or merely as a processor acting on behalf of a user of its messaging service who had activated the ‘Contacts’ feature. That stage of the analysis, concluded by accepting the first hypothesis, results from an assessment by the Irish supervisory authority without the EDPB having expressed a position in that regard in the contested decision.

59      With regard to the determination of the administrative fines, although the contested decision contains instructions as regards the interpretation of the criteria for the quantum of the administrative fines imposed under Regulation 2016/679 and as regards the increase in the total amount of the fines to be imposed in this case on WhatsApp in comparison with what was envisaged in the Irish supervisory authority’s draft decision, that authority retained its discretion in setting the actual amount of the fines to be imposed on WhatsApp. Moreover, as stated in paragraph 8 above, before adopting the final decision, the Irish supervisory authority requested that WhatsApp provide observations on the new administrative fines which it intended to impose on WhatsApp, which is consistent with the finding that that authority retained discretion in that regard. In the present case, it may be observed that, in the final decision, the lower end of the range of new fines envisaged by the Irish supervisory authority was ultimately used.

60      The final decision constitutes a whole from which the parts corresponding to the instructions in the contested decision cannot be separated by making a final ‘sub-decision’ in respect of which the supervisory authority did not have any discretion. The investigation and the final decision of the Irish supervisory authority concerned WhatsApp’s compliance with the principle of transparency and all the specific obligations associated therewith set out in Regulation 2016/679. It is therefore WhatsApp’s overall practice in that regard that was analysed in the final decision and the same aspect of that practice was examined in the light of several relevant provisions of Regulation 2016/679, for example in the light of Article 5(1)(a), Article 12(1) and the multiple provisions of Article 13 of Regulation 2016/679, while the contested decision concerns only an analysis in the light of some of those provisions. It would make no sense to separate from the overall analysis carried out in the final decision certain particular aspects when the procedure initiated against WhatsApp, on the initiative and under the responsibility of the Irish supervisory authority as lead supervisory authority, concerned the general assessment of WhatsApp’s compliance with the principle of transparency. In particular, as regards the determination of the financial penalties, it is in the light of all the infringements found, of Article 5(1)(a) and Articles 12, 13 and 14 of Regulation 2016/679, respectively, that the amount of each of the four administrative fines was set by the Irish supervisory authority.

61      Consequently, neither of the two conditions referred to in paragraph 51 above, which would, if met, make it possible to consider that WhatsApp is directly concerned by the contested decision, is satisfied.

62      It follows from the foregoing that WhatsApp’s action is inadmissible.

63      The outcome of that analysis is consistent with what has been held in relation to other procedures in which a binding act of the European Union concerning undertakings is addressed to a Member State.

64      Thus, in the matter of State aid review, it has been held that, where the Commission adopts a decision declaring aid already granted to be unlawful and incompatible with the internal market and orders the Member State concerned to recover the aid paid out, the beneficiaries of the aid paid out are directly and individually concerned by that decision (see, to that effect, judgment of 19 October 2000, Italy and Sardegna Lines v Commission, C‑15/98 and C‑105/99, EU:C:2000:570, paragraphs 33 to 36). In that regard, it has been observed that, as from the time of the adoption of a decision of that nature, those beneficiaries are exposed to the recovery of the advantages which they have received, and thus find their legal position affected (judgment of 9 June 2011, Comitato ‘Venezia vuole vivere’ and Others v Commission, C‑71/09 P, C‑73/09 P and C‑76/09 P, EU:C:2011:368, paragraph 56). That is because the review procedure has been completed at that stage, because no further substantive assessment is to be made, since the amounts to be recovered are automatically determined on the basis of the Commission decision and the aid previously granted to the undertakings concerned, because the Member State is required itself to initiate and complete the recovery of that aid except in highly exceptional circumstances (see, to that effect, judgments of 7 June 1988, Commission v Greece, 63/87, EU:C:1988:285; of 20 September 1990, Commission v Germany, C‑5/89, EU:C:1990:320, paragraphs 15 and 16; and of 20 March 1997, Alcan Deutschland, C‑24/95, EU:C:1997:163) and because third parties may take action on the basis of the Commission’s decision before the administration concerned or before the national court in order to have the aid in question repaid, without themselves having to bear the burden of proving that it was granted unlawfully (see, by analogy, judgment of 12 February 2008, CELF and ministre de la Culture et de la Communication, C‑199/06, EU:C:2008:79, paragraphs 23 and 39 to 41). In the present case, the contested decision is not at an analogous stage, since the review procedure had not been completed with its adoption, further assessments concerning WhatsApp’s compliance with the provisions of Regulation 2016/679 and the penalty incurred had yet to be confirmed or made by the lead supervisory authority and the contested decision could not itself serve as a legally binding basis for imposing obligations on WhatsApp.

65      It has also been held that a Commission decision addressed to a Member State, informing it that EU financing for an undertaking was reduced by comparison with what had been provided for, on account of certain expenditure submitted by that undertaking being ineligible for that financing, was of direct and individual concern to the latter, inasmuch as the decision at issue deprived it of part of the financial assistance which had originally been granted to it, without the Member State having any discretion in that respect (judgment of 4 June 1992, Infortec v Commission, C‑157/90, EU:C:1992:243, paragraph 17). However, in the present case, unlike the Commission decision which gave rise to that assessment, the contested decision is not, as stated in paragraph 52 above, the final step of the full procedure at issue and, as stated in paragraphs 56 and 57 above, it left the Irish supervisory authority a measure of discretion.

66      More generally, the inadmissibility of WhatsApp’s action before the Court against the contested decision is consistent with the logic of the system of judicial remedies established by the TEU and the TFEU.

67      As Article 2 TEU states, the Union is founded, inter alia, on respect for the rule of law. Article 6(1) TEU provides that the Union recognises the rights, freedoms and principles set out in the Charter of Fundamental Rights of the European Union, Article 47 of which guarantees the right to an effective remedy and to a fair trial. Article 19 TEU states that the Court of Justice of the European Union is to ensure that in the interpretation and application of the Treaties the law is observed, and, in particular, that it is, in accordance with the Treaties, to rule on actions brought by a Member State, an institution or a natural or legal person, give preliminary rulings, at the request of national courts, on the interpretation of Union law or the validity of acts adopted by the institutions, and rule in other cases provided for in the Treaties. That article provides that Member States are to provide remedies sufficient to ensure effective legal protection in the fields covered by Union law.

68      More specifically, the TFEU, in particular Article 263 thereof, concerning direct actions before the Court of Justice of the European Union, and Article 267 thereof, relating to cases in which the Court of Justice is to give a preliminary ruling, in particular on the validity and interpretation of acts of the institutions, bodies, offices or agencies of the Union, has established a complete system of legal remedies designed to ensure judicial review of the legality of acts of the European Union (see, to that effect, judgment of 25 July 2002, Unión de Pequeños Agricultores v Council, C‑50/00 P, EU:C:2002:462, paragraph 40). Both the Court of Justice of the European Union, of which the General Court is part, and the national courts participate in that system. Under that system, where persons cannot, by reason of the conditions for admissibility laid down in Article 263 TFEU, directly challenge EU acts before the Court of Justice of the European Union, they are able to plead, by way of a plea of illegality, the invalidity of such an act before the national court by bringing an action against the national measures implementing that act. In that situation, it is for the national court, if it considers that a decision on the question is necessary to enable it to give judgment and has doubts as to the validity of that act, to make a request to the Court of Justice of the European Union for a preliminary ruling (see again, to that effect and by analogy, judgment of 25 July 2002, Unión de Pequeños Agricultores v Council, C‑50/00 P, EU:C:2002:462, paragraph 40).

69      The logic of that system, which explains in particular the interpretation of the conditions for the admissibility of direct actions set out in Article 263 TFEU, which was recalled in the analysis set out in paragraphs 35 to 62 above, is that the judicial action of the Court of Justice of the European Union and that of the national courts complement each other effectively and that the Courts of the European Union and the national courts are not required to rule concurrently, in parallel proceedings, on the validity of the same EU act, either directly or, in the case of the national court if it has doubts as to the validity of the act in question, following a question referred for a preliminary ruling. That logic could, in particular, justify a finding that an applicant who could undoubtedly have challenged an EU decision directly before the Court of Justice of the European Union can no longer subsequently call into question the validity of that decision, in particular in subsequent proceedings before the national court (see, to that effect, judgment of 9 March 1994, TWD Textilwerke Deggendorf, C‑188/92, EU:C:1994:90, paragraph 17; see also, to that effect, judgment of 9 June 2011, Comitato ‘Venezia vuole vivere’ and Others v Commission, C‑71/09 P, C‑73/09 P and C‑76/09 P, EU:C:2011:368, paragraph 58 and the case-law cited). Conversely, it has consistently been held that the illegality of an EU act which is not open to challenge and which serves as the basis for another act may be relied on in an action brought against the second act (judgment of 11 November 1981, IBM v Commission, 60/81, EU:C:1981:264, paragraph 12 and a contrario the preceding references to case-law).

70      In the present case, accepting that WhatsApp’s action against the contested decision is admissible would mean that two parallel judicial proceedings would continue, with significant overlap, one before the Court challenging the contested decision and the other before an Irish court challenging the final decision, part of the grounds of which are based on the contested decision. WhatsApp also put forward, in order to obtain a time limit for lodging the reply before the Court, the parallel workload required of it for the proceedings before the Irish court hearing the matter. Unless one or other of the courts hearing the matter suspends the proceedings brought before it, which could lead to an extension of the time necessary to obtain a definitive solution concerning the legality of the final decision, those parallel proceedings could even lead to a situation in which, simultaneously, the Court of Justice, by way of a preliminary ruling, and the General Court, by way of WhatsApp’s direct action, would be asked to rule on the validity of the contested decision. Having regard to the system of legal remedies referred to in paragraphs 68 and 69 above and having regard to the provisions of Article 78 of Regulation 2016/679 concerning the right to an effective judicial remedy against a supervisory authority, it will be, where appropriate, for the Irish court hearing the matter, which alone has jurisdiction in that regard, to review the legality of the final decision that is enforceable against WhatsApp by referring a question for a preliminary ruling on validity to the Court of Justice of the European Union with regard to the contested decision, if it considers this necessary in order to rule on the dispute between WhatsApp and the Irish supervisory authority. The Irish court hearing the matter could, in that regard, either settle the dispute before it by dismissing the plea of illegality which could be raised against the contested decision without referring the matter to the Court of Justice, if it has no doubts as to the validity of that decision, or, on the contrary, refer the matter to the Court of Justice if it entertains such doubts, or resolve the dispute independently of the question of the validity of the contested decision in the light of the pleas raised before it. That solution is consistent with the interests of the sound administration of justice, given the risks created by the parallel court proceedings referred to at the beginning of this paragraph.

71      Lastly, it should be noted, with regard to recital 143 of Regulation 2016/679, cited in paragraph 33 above, which may suggest that an action such as that brought by WhatsApp before the Court is admissible, that whilst a recital of a regulation may cast light on the interpretation to be given to a legal rule, it cannot in itself constitute such a rule and that the preamble to an EU act has no binding legal force (see judgment of 26 October 2017, Marine Harvest v Commission, T‑704/14, EU:T:2017:753, paragraph 150 and the case-law cited; see also, to that effect, judgment of 24 November 2005, Deutsches Milch-Kontor, C‑136/04, EU:C:2005:716, paragraph 32 and the case-law cited). In the present case, that recital does not underpin any provision of Regulation 2016/679, as noted in paragraphs 32 and 35 above. In addition, an explanation contained in the grounds of a regulation cannot take precedence over the applicable rules of primary law contained in the Treaties, in this case those of the first and fourth paragraphs of Article 263 TFEU, the substance of which is moreover set out in part in the recital in question with the indication, in the first sentence, that ‘any natural or legal person has the right to bring an action for annulment of decisions of the Board before the Court of Justice under the conditions provided for in Article 263 TFEU’.

72      It follows from all the foregoing that the action must be dismissed as inadmissible.

 The applications to intervene

73      In accordance with Article 142(2) of the Rules of Procedure, the intervention is ancillary to the main proceedings and becomes devoid of purpose, inter alia, when the application is declared inadmissible.

74      Consequently, there is no longer any need to adjudicate on the applications to intervene or on the requests for protection of the confidentiality of material in the file to which they have given rise.

 Costs

75      Under Article 134(1) of the Rules of Procedure, the unsuccessful party is to be ordered to pay the costs if they have been applied for in the successful party’s pleadings. Since WhatsApp has been unsuccessful, it must be ordered to pay the costs, in accordance with the form of order sought by the EDPB, subject to what is stated in paragraph 76 below.

76      Furthermore, under Article 144(10) of the Rules of Procedure, if the proceedings in the main case are concluded before an application to intervene has been decided upon, the applicant for leave to intervene and the main parties must each bear their own costs relating to the application to intervene. In the present case, WhatsApp, the EDPB, the Republic of Finland, the Commission, the European Data Protection Supervisor and the Computer & Communication Industry Association must each bear their own costs relating to the applications to intervene.

On those grounds,

THE GENERAL COURT (Fourth Chamber, Extended Composition)

hereby orders:

1.      The action is dismissed as inadmissible.

2.      There is no longer any need to adjudicate on the applications to intervene made by the Republic of Finland, the European Commission, the European Data Protection Supervisor and the Computer & Communication Industry Association, or on the requests for confidential treatment to which they have given rise.

3.      WhatsApp Ireland Ltd shall bear its own costs and pay the costs incurred by the European Data Protection Board, with the exception of the latter’s costs relating to the applications to intervene.

4.      The European Data Protection Board, the Republic of Finland, the Commission, the European Data Protection Supervisor and the Computer & Communication Industry Association shall each bear their own costs relating to the applications to intervene.

Luxembourg, 7 December 2022.

E. Coulon

 

S. Gervasoni

Registrar

 

President

*      Language of the case: English.