ARTICLE
2 March 2026

A Decision Of The EDPB Is Now Challengeable Before The General Court Of The European Union

DA
Delsol Avocats

Contributor

Delsol Avocats logo
DELSOL Avocats is an entrepreneurial firm dedicated to entrepreneurs and businesses. Attentive to the needs of economic players, we provide a genuine business strategy beyond legal and judicial advice. Our cross-practice and sector-specific expertise allow us to deliver tailored assistance for transactions in France, Belgium and abroad.
Explore Firm Details
In its decision of 10 February 2026, WhatsApp Ireland Ltd v European Data Protection Board (Case C-97/23 P) [1], the Court of Justice of the European Union ("CJEU") held that a decision...
France Privacy
Jeanne Bossi Malafosse
Your Author LinkedIn Connections
Jeanne Bossi Malafosse’s articles from Delsol Avocats are most popular:
  • within Privacy topic(s)
Delsol Avocats are most popular:
  • within Privacy, Tax and Intellectual Property topic(s)

In its decision of 10 February 2026, WhatsApp Ireland Ltd v European Data Protection Board (Case C-97/23 P) 1, the Court of Justice of the European Union ("CJEU") held that a decision of the European Data Protection Board ("EDPB") constitutes an act that may be challenged before the EU courts.

In this case, following complaints relating to data processing carried out by WhatsApp, the Irish supervisory authority had referred the matter to the EDPB under the dispute resolution mechanism provided for by the GDPR. In its decision of 28 July 2021, the EDPB found several infringements of the GDPR and imposed cumulative fines amounting to €225 million.

The General Court of the European Union had initially declared WhatsApp's action inadmissible, considering that the EDPB's decision was not a challengeable act and merely constituted an intermediate measure, with only the final decision of the Irish supervisory authority being open to challenge before national courts.

The CJEU rejected this analysis and set aside the order of the General Court on the grounds that the EDPB's decision :

  • is an act emanating from a body of the Union ;
  • has binding effects regarding third parties, in this case the supervisory authorities ;
  • definitively sets out the EDPB's position and exhausts the issues that the body is called upon to decide.

In conclusion, such a decision cannot be regarded as an intermediate measure not open to judicial review, in particular because it alters the legal situation of the company without leaving any margin of discretion to its addressees. Indeed, the decision "binds the lead supervisory authority and all the supervisory authorities concerned", which must adopt their final decision in compliance with the latter, to which they must refer.

Accordingly, WhatsApp's action is held to be admissible, the order of the General Court is annulled, and the case is referred back to it for a ruling on the merits regarding the existence of GDPR infringements.

More broadly, this judgment invites reflection on the growing normative weight of the EDPB. While its guidelines already constitute the main interpretative reference for data protection authorities and organisations subject to the GDPR, the ruling confirms that the EDPB also has the power to adopt decisions that are fully binding on supervisory authorities and that are now open to challenge before the General Court of the European Union.

Footnote

1. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62023CJ0097

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Jeanne Bossi Malafosse
Jeanne Bossi Malafosse
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More