Parliamentary question - P-000434/2021(ASW)

Answer given by Mr Reynders on behalf of the European Commission

Under the General Data Protection Regulation (GDPR)[1], the national supervisory authorities are responsible for monitoring compliance with the GDPR (Article 51(1) GDPR). In cases of cross-border data processing, the supervisory authority of the Member State where the controller has its main establishment acts as the lead supervisory authority, cooperating with the other supervisory authorities concerned in the consistency mechanism[2].

Neither the European Data Protection Board (EDPB) nor the Commission has enforcement powers under the GDPR vis-à-vis controllers — these are reserved to the national supervisory authorities.

As the main establishment of WhatsApp in the EU is located in Ireland, the Irish Data Protection Commission is the lead supervisory authority under the GDPR. The Irish Data Protection Commission is investigating the matter and keeps the EDPB, including the Commission, informed.

Due to this institutional setup and in full respect of the independence of the supervisory authorities, the Commission is not in a position to comment on the compliance of WhatsApp privacy terms with the GDPR. Similarly, should a breach of GDPR be established, enforcement action would be for the Irish Data Protection Commission to take.

As a general remark, the Commission refers to the proposals complementing the regulatory framework for digital services that were presented on 15 December 2020. Both the Digital Services Act and the Digital Markets Act should provide additional transparency and safeguards around practices of cross-service data sharing and consumer profiling.

Last updated: 4 March 2021