WhatsApp Ireland v European Data Protection Board

In a major Judgement delivered on 10 February 2026, the Court of Justice of the European Union (‘CJEU') held that binding decisions of the European Data Protection Board (‘EDPB') can be challenged directly before the Courts of the European Union.

The EDPB, the EU body responsible for ensuring the consistent application of the General Data Protection Regulation (‘GDPR'), has the power to issue binding decisions directed at national data protection supervisory authorities, under the GDPR's dispute resolution mechanism. Until now, companies could only challenge the national supervisory authorities' decisions, which were based on the EDPB's decisions, before the national courts. On Tuesday, the CJEU opened the door for companies to contest the EDPB binding decisions directly and in EU courts, marking a significant development in the enforcement of data protection law.

Background

The judgement in C-97/23 P | WhatsApp Ireland v European Data Protection Board forms part of an ongoing matter that first arose in 2018. The Irish Data Protection Commission (the ‘Irish DPC'), acting as lead supervisory authority, first initiated an ex officio general investigation into WhatsApp in December of 2018, following a series of complaints regarding WhatsApp's compliance with its data protection obligations.

After completing its investigation, the Irish DPC circulated a draft decision to all other national supervisory authorities involved in the case in December of 2020, for their opinion. As disagreement persisted between them, the matter was ultimately referred to the EDPB for resolution.

In July of 2021, the EDPB adopted Decision 1/2021,  which was binding on all national supervisory authorities concerned. In that decision, the EDPB concluded that WhatsApp had infringed certain provisions of the GDPR, and that the amounts of the fines envisaged by the Irish DPC had to be increased. On that basis, the Irish DPC proceeded to impose a fine of €225 million on WhatsApp.

The General Court

In response, WhatsApp brought an action for annulment of the EDPB's Decision before the General Court. Dismissing the action as inadmissible, the General Court found that the EDPB's Decision was not an act open to challenge. In its view, the EDPB's decision was not enforceable in a way that would allow it, without further procedural steps, to be a source of obligations for WhatsApp, and accordingly, it did not directly produce legal effects on WhatsApp's position. Therefore, WhatsApp was not to be considered directly concerned and could only challenge the decision of the Irish DPC before a national court.

The CJEU

On 10 February 2026, the CJEU set aside the General Court's order. In the CJEU's view, by determining that WhatsApp failed to comply with its GDPR obligations, the EDPB's decision altered WhatsApp's legal position, since, as a result of that decision, WhatsApp had to change its contractual relationship with its users. The EPDB's decision determined the Irish DPC's position definitively, and it was binding on all supervisory authorities concerned, which had no discretion to depart from it. Therefore, the CJEU found that the decision was of direct concern to WhatsApp, and thus the CJEU referred the case back to the General Court to rule on the merits.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.