Data Protection Insider, Issue 149


-CJEU Rules on the Possibility to Challenge EDPB Decisions-

On 10th February, the CJEU ruled in the case of WhatsApp Ireland Ltd v. European Data Protection Board. In terms of the facts, the case essentially concerns an investigation by the Irish Data Protection Board (DPB) into WhatsApp's transparency obligations and its provision of information to data subjects. The DPB produced a decision, which was submitted to other national supervisory authorities. This process did not result in consensus, and, accordingly, the decision was submitted to the EDPB for resolution. The EDPB issued a binding decision, according to which the DPB was required to amend aspects of its original decision and the amount of the fine. The DPB accordingly issued a new decision to WhatsApp. WhatsApp then brought an action for annulment of the EDPB’s decision to the General Court. This action was dismissed on the basis that it was not ‘an act open to challenge and that that decision was not of direct concern to WhatsApp’. ‘According to the General Court, the EDPB’s decision was merely an intermediate act and WhatsApp could challenge only the final decision of the Irish supervisory authority before a national court’. ‘WhatsApp then challenged the order of the General Court by bringing an appeal before the Court of Justice’ – the case at hand. In this regard, the Court of Justice ruled ‘the action for annulment…admissible. However, given that the General Court did not consider the merits of the action before it, the determination of which requires a detailed assessment in fact and in law, the state of proceedings does not permit a ruling on the merits of the appellant’s action. Accordingly, the case must be referred back to the General Court’.
In reaching its conclusions, the Court highlighted, amongst other things, that ‘it must be held that the General Court erred in law, first…by confusing the requirements resulting from the first and fourth paragraphs of Article 263 TFEU respectively and, second…by formulating an incorrect test, relating to the lack of direct enforceability of the act at issue against WhatsApp, and by classifying the decision at issue as an intermediate measure producing no independent legal effects’. Further, the Court considered that the EDPB’s ‘decision changes WhatsApp’s legal position, since WhatsApp was required, in particular, as a result of the EDPB’s intervention, to change its contractual relationship with the users of the messaging service provided by WhatsApp. It follows that there is a direct link between that decision and its effects on WhatsApp’s situation’. The case is fascinating, and touches on much more than can be dealt with in this brief summary – for example the relationship between the EDPB and national DPAs, and the relationship between possibilities to appeal decisions at national and European levels. It is, however, dense, and focused on the procedural aspects of data protection law. Accordingly – whilst we would thoroughly recommend reading it in full – it will likely most engage those interested in these aspects of law.

-ECtHR Rules on ‘Agents on Cover’ in Bulgaria-

On 17th February, the ECtHR ruled that the legal framework in Bulgaria on the deployment of ‘agents on cover’ breaches the right to correspondence and home under Article 8 ECHR in Green Alliance v Bulgaria. As to the facts of the case, it concerns the examination, in abstracto, of the Bulgarian law on the infiltration of ‘agents on cover’ by the National Security Agency (NSA). More precisely, ‘(t)hose “agents on cover” conceal only that they are working for the Agency, but are not permitted to use covert surveillance techniques or equipment, and are in Bulgaria considered as different from “agents under cover”’. An NGO – Green Alliance – submitted that the Bulgarian legal provisions were in breach of Article 8 ECHR, in particular because of the lack of adequate safeguards in relation to the deployment and operation of such agents. The Court first ruled that the infiltration of such agents constitutes an interference with the right to confidentiality of communications and respect for home of the infiltrated entities because agents on cover could obtain information about the communications of the infiltrated entities and report on these to the NSA, and because they would have access to the respective premises. It ruled that the mere existence of the Bulgarian law could make the applicant NGO a victim of such infiltration. Second, the Court examined whether the interference was justified. It noted that the Bulgarian law was accessible to the public.
However, after a detailed analysis, it concluded that the Bulgarian legal framework does not enshrine safeguards against abuse and arbitrariness, because: i) ‘the broadly-defined grounds on which such agents can be deployed and fields in which they can be deployed, coupled with the way in which that deployment is decided, are capable of leading to arbitrariness and abuse’; ii) ‘no time-limits circumscribe the use of such agents’; iii) ‘the procedure for deploying such agents does not appear capable of ensuring that they will be used only when “necessary in a democratic society”’; iv) ‘no arrangements exist for effective supervision of the use of such agents, which can lead to arbitrariness and abuse, as well as to corruption or the misuse of power by the “agents on cover” themselves’; and v) ‘there is no remedy in relation to the unlawful or unjustified use of such agents’. Thus, it concluded that the Bulgarian law does not meet the ‘“quality of the law”’ requirement and is not ‘“necessary in a democratic society”’, in breach of Article 8 ECHR.

-EDPB Releases New Documents-

In the past two weeks, the EDPB released the following documents:

About

DPI Editorial Team

Dara Hallinan, Editor: Legal academic working at FIZ Karlsruhe. His specific focus is on the interaction between law, new technologies – particularly ICT and biotech – and society. He studied law in the UK and Germany, completed a Master’s in Human Rights and Democracy in Italy and Estonia and wrote his PhD at the Vrije Universiteit Brussel on the better regulation of genetic privacy in biobanks and genomic research through data protection law. He is also programme director for the annual Computers, Privacy and Data Protection conference.

Diana Dimitrova, Editor: Researcher at FIZ Karlsruhe. Focus on privacy and data protection, especially on rights of data subjects in the Area of Freedom, Security and Justice. Completed her PhD at the VUB on the topic of ‘Data Subject Rights: The rights of access and rectification in the AFSJ’. Previously, legal researcher at KU Leuven and trainee at EDPS. Holds LL.M. in European Law from Leiden University.
