Court of Justice rules companies can directly challenge European Data Protection Board binding decisions, overturning lower court and potentially reshaping GDPR enforcement across the bloc.
The Court of Justice of the European Union this week delivered a landmark ruling that fundamentally alters how companies can contest data protection enforcement decisions across Europe. The Grand Chamber ruled that WhatsApp Ireland can directly challenge binding decisions from the European Data Protection Board before EU courts, setting aside a lower court order that had dismissed the messaging service's legal action as inadmissible.
The February 10 judgment addresses a critical gap in accountability mechanisms within the General Data Protection Regulation enforcement framework. WhatsApp had sought to annul a July 28, 2021 EDPB binding decision that required Ireland's Data Protection Commission to find additional GDPR violations and impose substantially higher fines than the Irish regulator had initially proposed.
According to the 121-paragraph judgment, the CJEU determined that EDPB binding decisions constitute "acts open to challenge" under Article 263 of the Treaty on the Functioning of the European Union. The court rejected the General Court's December 2022 finding that such decisions represent merely intermediate or preparatory acts in a multi-stage enforcement procedure.
"The decision at issue constitutes an act of an EU body intended to produce legal effects vis-à-vis third parties and expressing the definitive position of that body on the points to be decided by it," the CJEU stated in paragraph 76 of its ruling. The judgment establishes that companies need not wait until national supervisory authorities issue final decisions before seeking judicial review at the EU level.
The case traces back to December 2018, when Ireland's Data Protection Commission initiated an investigation into WhatsApp's compliance with GDPR transparency obligations under Articles 12 through 14. The inquiry examined whether the messaging service provided adequate information to both users and non-users about personal data processing activities, particularly regarding data sharing with other entities in the Meta corporate family.
After completing its investigation in September 2019, the Irish DPC circulated a draft decision to other concerned supervisory authorities across the European Union in December 2020, following the cooperation procedures established in Article 60 of the GDPR. The draft decision proposed finding certain transparency violations but stopped short of establishing infringements that eight other European data protection authorities believed WhatsApp had committed.
Supervisory authorities from Germany at both federal and state levels, Hungary, the Netherlands, Poland, France, Italy, Portugal, Austria, Denmark, and Belgium raised formal objections to the Irish DPC's draft decision. When the Irish authority declined to follow these objections, it referred the dispute to the EDPB for resolution through the consistency mechanism designed to prevent fragmentation in GDPR enforcement across member states.
The EDPB's July 2021 binding decision required Ireland's regulator to find that WhatsApp had failed to comply with Article 13(1)(d) regarding information about legitimate interests, violated the transparency principle in Article 5(1)(a), and infringed Article 13(2)(e) concerning data retention information. Perhaps most significantly, the EDPB determined that "lossy hashed data" derived from non-user contact information still constituted personal data under GDPR definitions.
On fines, the EDPB concluded that the Irish authority had misinterpreted several criteria for calculating administrative penalties under Article 83. The Board found Ireland's proposed fine range of €30 million to €50 million inadequate given the nature and scope of violations. Ireland's DPC ultimately imposed four separate administrative fines totaling €225 million in its August 20, 2021 final decision, alongside orders requiring WhatsApp to bring its processing into compliance within three months.
The CJEU's analysis focused heavily on whether WhatsApp satisfied the conditions for bringing an annulment action under the fourth paragraph of Article 263 TFEU. That provision allows natural or legal persons to challenge acts that are of direct and individual concern to them, even when not directly addressed to the challenging party.
The General Court had ruled in December 2022 that WhatsApp failed to meet the "direct concern" requirement. It found that the EDPB binding decision was not enforceable against WhatsApp without further procedural steps and left discretion to the Irish supervisory authority regarding the final decision's content.
The CJEU rejected this reasoning as legally erroneous. According to the judgment, two cumulative conditions must be satisfied for direct concern: the contested measure must directly affect the applicant's legal situation, and it must leave no discretion to the addressees entrusted with implementing it. The court determined WhatsApp satisfied both requirements.
"WhatsApp was required, in particular, as a result of the EDPB's intervention, to change its contractual relationship with the users of the messaging service," the CJEU explained in paragraph 98. The decision changed WhatsApp's legal position by establishing additional compliance obligations regarding transparency and information provision.
On discretion, the court emphasized that Ireland's DPC and other concerned supervisory authorities "cannot depart from the position adopted by the EDPB" in the binding decision. The EDPB's determinations on GDPR infringements, the classification of lossy hashed data as personal data, and the obligation to increase fines bound the Irish authority unconditionally.
The fact that Ireland's final decision addressed aspects beyond the EDPB binding decision's scope proved irrelevant to the direct concern analysis. National supervisory authorities retain responsibility for matters not subject to relevant and reasoned objections, such as determining precise fine amounts. However, on issues the EDPB decided, implementing authorities face binding obligations that cannot be altered.
The ruling arrives amid persistent criticism of GDPR enforcement mechanisms, particularly regarding coordination between national data protection authorities. Ireland's DPC has faced scrutiny as lead regulator for major technology companies with European headquarters in Dublin, with enforcement actions often taking years to complete.
Privacy advocacy organizations have documented substantial procedural delays in cross-border cases. According to Max Schrems, chairman of noyb, a complaint filed on May 25, 2018 - the day GDPR took effect - against Meta's data processing practices remained unresolved through multiple enforcement cycles and court proceedings extending into 2025.
The CJEU judgment acknowledges potential parallel proceedings before EU courts and national judicial systems but finds this creates no insurmountable obstacles. When national court cases depend on EDPB binding decision validity, the obligation of sincere cooperation requires national courts to stay proceedings pending EU judicial resolution or make preliminary ruling references to the Court of Justice.
The decision also addresses concerns about the EDPB's role in the enforcement framework. Germany, intervening in support of the EDPB's position, had argued that consistency mechanisms serve purely internal coordination functions between supervisory authorities. The CJEU rejected this characterization, emphasizing that EDPB binding decisions produce legal effects extending beyond their formal addressees.
Recital 143 of the GDPR explicitly contemplates that EDPB decisions may be of direct and individual concern to controllers, processors, or complainants, the court noted. This legislative recognition confirms that binding decisions can have external legal effects warranting direct judicial review possibilities.
Legal experts observing the case identified implications extending beyond the immediate WhatsApp dispute. The CJEU's reasoning potentially opens Article 64 GDPR opinions to direct challenges, as those opinions bind supervisory authorities when addressing questions about GDPR interpretation or data protection implications of draft decisions.
"This paves the way for challenges to Art. 64 Opinions of the EDPB, as they are by definition binding upon SAs," noted Peter Craddock, a data protection lawyer, in analysis shared February 14. The judgment's emphasis on binding legal effects as the determinative factor suggests any EDPB act imposing obligations on supervisory authorities could face similar scrutiny.
The ruling also raises questions about guidelines and recommendations the EDPB issues under Article 70 GDPR. While these instruments lack the formal binding character of Article 65 decisions, they exert significant practical influence over data protection enforcement across member states. Whether controllers could challenge guidelines that effectively determine compliance requirements remains an open question requiring future litigation to resolve.
For marketing technology providers and advertising platforms, the decision creates new strategic options when facing coordinated enforcement actions across multiple European jurisdictions. Companies can now contest EDPB positions directly rather than waiting for individual supervisory authorities to issue final decisions, potentially accelerating resolution of fundamental legal questions.
However, the practical impact depends heavily on how the General Court addresses WhatsApp's substantive arguments when the case returns for merits consideration. The CJEU set aside the inadmissibility finding but referred the case back to the General Court for examination of whether the EDPB binding decision actually violated EU law in the ways WhatsApp contends.
The EDPB has faced growing scrutiny over its enforcement approaches, particularly regarding behavioral advertising and consent requirements. In October 2023, the Board issued an urgent binding decision ordering Meta to cease processing personal data for behavioral advertising based on contract and legitimate interest grounds across the entire European Economic Area.
Statistics from the EDPB's 2023 evaluation report revealed significant disparities in enforcement patterns across European jurisdictions. Only 1.3% of GDPR cases resulted in monetary penalties between 2018 and 2023, with fine rates ranging from Slovakia's 6.84% to the Netherlands' 0.03%. Ireland averaged €475.9 million in annual fines largely due to its role as lead authority for major technology platforms.
The WhatsApp case centered partly on technical questions about when hashed data retains personal data characteristics under GDPR definitions. The Irish DPC's draft decision had not classified output from WhatsApp's "lossy hashing procedure" applied to non-user contact information as personal data. The EDPB disagreed, determining such material remained subject to GDPR protections.
This classification carried significant implications for potential Article 5(1)(c) and Article 6(1) violations regarding data minimization and lawful processing bases. It also extended the scope of WhatsApp's Article 14 obligations concerning information provision for data not obtained directly from data subjects.
The EDPB's position aligned with emerging judicial interpretations that examine whether recipients possess means reasonably likely to identify individuals from processed data. In September 2025, the CJEU addressed pseudonymization questions in EDPS v. SRB, establishing that data protection obligations should reflect actual rather than theoretical identification risks from the perspective of different processing parties.
WhatsApp challenged both the substantive determinations about lossy hashed data and procedural aspects of how the EDPB reached its conclusions. The company argued the Board exceeded its authority by making findings on matters the Irish DPC's investigation had not covered and by requiring fine increases based on misinterpretations of Article 83 criteria.
These merits arguments will now receive examination from the General Court following the CJEU's admissibility determination. The lower court must assess whether the EDPB properly exercised its dispute resolution authority and correctly interpreted relevant GDPR provisions when issuing its binding decision.
The WhatsApp ruling emerges against a backdrop of intensifying data protection enforcement across Europe. TikTok faces a €530 million fine from Ireland's DPC for alleged unauthorized data transfers to China, with the company securing Irish High Court permission to challenge the penalties as unconstitutionally excessive.
LinkedIn Ireland received a €310 million fine in October 2024 for violations regarding behavioral analysis and targeted advertising of members' personal data. Meta platforms have accumulated billions in GDPR penalties since 2018, with enforcement actions addressing consent practices, data transfer mechanisms, and transparency obligations.
Germany has emerged as a testing ground for algorithmic accountability through cases deploying the Digital Services Act, GDPR, and AI Act in combination. Courts in Leipzig and Berlin have awarded compensation to individual users for Meta Business Tools violations, establishing precedents for private enforcement mechanisms alongside regulatory proceedings.
The European Commission proposed major GDPR amendments in November 2025 addressing AI development and individual privacy rights. Privacy organizations criticized the draft changes as narrowing personal data definitions and expanding grounds for refusing data subject access requests, raising concerns about weakening protections under the guise of simplification.
The CJEU addressed preliminary questions about whether WhatsApp's November 1, 2021 action was filed within the two-month deadline established in the sixth paragraph of Article 263 TFEU. The EDPB had argued the limitation period began when WhatsApp acquired knowledge of the binding decision on August 13, 2021, making the November filing untimely.
The court rejected this position, emphasizing that publication date determines the starting point for challenges to acts not directly notified to applicants. Article 65(5) GDPR requires EDPB binding decisions to be published on the Board's website. The September 2, 2021 publication date gave WhatsApp until November 2 to file its annulment action, making the November 1 submission timely.
With the admissibility question resolved, the General Court must now examine WhatsApp's substantive claims that the EDPB binding decision violated EU law. These arguments encompass both procedural irregularities in how the Board reached its determinations and substantive errors in interpreting GDPR provisions regarding transparency, data classification, and fine calculation methodology.
The timeline for General Court proceedings remains uncertain. Complex data protection cases involving multiple parties and extensive factual records typically require 18 to 36 months for resolution at first instance, with possibilities for further appeals creating additional delays. WhatsApp's parallel challenge to Ireland's final decision before Irish courts adds complexity to the overall enforcement picture.
Legal experts anticipate the General Court will carefully examine the boundaries of EDPB authority when issuing binding decisions. Questions include whether the Board can make findings on matters not addressed in supervisory authority draft decisions, how it should interpret Article 83 fine calculation criteria, and what deference implementing authorities owe to EDPB legal interpretations.
The ruling also establishes that companies facing GDPR enforcement actions retain options for contesting both EDPB binding decisions and subsequent national supervisory authority final decisions through separate judicial proceedings. However, the CJEU noted that sincere cooperation obligations may require coordination between parallel cases to avoid conflicting outcomes.
Privacy lawyers welcomed the judgment as clarifying accountability mechanisms while expressing concerns about potential strategic litigation delaying enforcement. The decision addresses longstanding questions about whether the GDPR's complex multi-tier enforcement structure provides adequate procedural protections for affected companies.
"A step towards EDPB accountability," commented one legal practitioner analyzing the ruling. "The EDPB is unelected, not a legislator and not a court - yet its positions have had a significant impact on data protection over the past 8 years."
Others questioned whether enabling direct challenges to EDPB decisions might undermine the consistency mechanism's effectiveness. The Board was established precisely to prevent fragmentation in GDPR enforcement across 27 member states with differing regulatory traditions and enforcement priorities. Allowing companies to contest binding decisions could prolong disputes the consistency mechanism aims to resolve efficiently.
The European Data Protection Board and European Data Protection Supervisor have jointly criticized proposed GDPR simplification measures that they argue would weaken privacy protections. Their February 10, 2026 joint opinion rejected Commission proposals to narrow personal data definitions and expand circumstances for refusing data subject access requests.
Marketing professionals monitoring European privacy enforcement recognize the CJEU ruling creates new variables in compliance planning. Companies operating across multiple European jurisdictions must now account for possibilities that EDPB positions could face direct legal challenges, potentially creating uncertainty about enforcement priorities during litigation periods.
The judgment arrives as research demonstrates GDPR's significant impact on European technology investment patterns. A June 2025 National Bureau of Economic Research study found the regulation fundamentally altered venture capital flows, with data-related companies experiencing disproportionate effects from compliance cost increases.
Who: The Court of Justice of the European Union Grand Chamber issued a judgment in WhatsApp Ireland's appeal against the European Data Protection Board, with Germany intervening in support of the EDPB's position.
What: The court ruled that EDPB binding decisions under Article 65 GDPR constitute acts open to challenge before EU courts and are of direct concern to affected companies, overturning the General Court's December 2022 inadmissibility finding and establishing that controllers can directly contest such decisions rather than waiting for national supervisory authority implementation.
When: The judgment was delivered on February 10, 2026, addressing WhatsApp's November 1, 2021 challenge to the EDPB's July 28, 2021 binding decision that had required Ireland's Data Protection Commission to find additional violations and impose substantially higher fines.
Where: The ruling applies throughout the European Union and establishes binding precedent for how companies can challenge EDPB decisions across all member states, fundamentally altering the judicial review possibilities within GDPR's multi-tier enforcement framework.
Why: The court determined that EDPB binding decisions definitively express the Board's position on disputed matters, bind implementing supervisory authorities without leaving discretion, and directly affect controllers' legal positions by establishing compliance obligations - making such decisions challengeable acts that warrant direct judicial review to ensure accountability and procedural protections within the GDPR enforcement system.
