Right of action
against the
EDPB.
Right of action
against the
EDPB.
from
An EU authority makes far-reaching decisions on data protection violations and fines in the millions. Is the company concerned not allowed to defend itself against this? WhatsApp did not accept this and took the case to the highest court. What does the ruling mean for the legal protection of companies under European data protection law?
What is it all about?
The Irish data protection authority has imposed a fine of 225 million euros on WhatsApp because the messenger service did not adequately inform its users about the use of their data. The basis for this is a binding decision by the European Data Protection Board (EDPB). The EDPB had overruled the Irish authority on several points. It found additional violations and demanded higher fines. WhatsApp is appealing against this decision. The EU General Court (EGC) dismisses the action as inadmissible, as the EDPB decision is only an intermediate step and therefore cannot be challenged in isolation.
The ECJ now had to decide whether a company can challenge an EDPB decision directly before the ECJ courts, even though this decision is formally only addressed to the national data protection authorities.
The case
WhatsApp Ireland Ltd. operates the messenger service “WhatsApp” in Europe and is based in Ireland. After the General Data Protection Regulation (GDPR) came into force, the Irish Data Protection Commission (DPC) received complaints from users and non-users about WhatsApp’s handling of personal data. The German data protection authority also intervened. At the end of 2018, the DPC began a formal investigation into whether WhatsApp provides its users with sufficient information about what data it collects and what happens to it.
As WhatsApp is based in Ireland, the Irish authority was the lead authority. It prepared a draft decision and submitted it to the other European data protection authorities involved at the end of 2020. Eight of them did not agree with parts of the draft. As no agreement could be reached, the Irish authority referred the disputed points to the EDPB – the body that acts as an arbitration board in such cases.
In July 2021, the EDPB ruled and overruled the Irish authority on several key points: It found additional data protection violations, classified certain encrypted data (so-called “lossy hashed data”) as personal data, shortened the deadline for WhatsApp to change its practices from six to three months and ordered significantly higher fines. The Irish authority implemented these requirements and imposed fines totaling 225 million euros on WhatsApp in August 2021.
WhatsApp fought back in two ways: The company took legal action against the Irish authority’s final decision before an Irish court. It took legal action against the EDPB decision itself before the General Court of the EU (EGC) in Luxembourg. However, the CFI dismissed this second action without examining its content. The EDPB decision was only an interim decision that could not be challenged independently. WhatsApp appealed against this decision to the ECJ.
The ECJ’s decision
The ECJ (Judgment of 10.02.2026 – Ref. C-97/23 P ) ruled in favor of WhatsApp and overturned the decision of the EGC. Its reasoning is based on three key points.
The EDPB decision is an independently contestable legal act
The EGC had argued that the EDPB decision was only an intermediate step in a multi-stage procedure. Only the final decision of the national data protection authority concludes the procedure – and only this can be contested.
The ECJ takes a fundamentally different view: whether a legal act can be challenged before the ECJ courts depends on whether it has binding legal effects. This is the case with the EDPB decision: it is binding on the national data protection authorities and conclusively and definitively establishes the position of the EDPB. The national authority must make its final decision on its basis. The fact that the decision is not the very last stage of the procedure does not make it a mere interim measure. And whether it is directly enforceable against WhatsApp is irrelevant to this question.
This decision constitutes a legal act of an EU institution intended to produce legal effects vis-à-vis third parties and expresses the final position of that institution on the points it has to decide. (…) Thus, this decision (…) constitutes a contestable legal act, without it being necessary to examine at this stage whether this decision has brought about a significant change in WhatsApp’s legal position.
WhatsApp is directly affected
In order to be able to bring an action before the EU courts, a company must be directly and individually affected by the challenged legal act. The EGC denied that the company was directly affected: the EDPB decision was not directly enforceable against WhatsApp and the Irish authority still had its own leeway when implementing it.
The ECJ also disagrees here. Firstly, the EDPB decision has changed WhatsApp’s legal position: The company had to adjust its contractual relationships with users as a result of the findings. Secondly, the Irish authority had no leeway on the key points: it could not deviate from the EDPB’s findings – neither on the question of which data protection violations had occurred, nor on the classification of certain data as personal data, nor on the obligation to increase the fines. The fact that the Irish authority was also able to make its own findings, which were not covered by the EDPB decision, does not change this.
Parallel processes are not an obstacle
If WhatsApp can challenge the EDPB decision in Luxembourg and the national decision in Ireland, parallel court proceedings will arise. However, the ECJ does not see this as a problem. It refers to tried and tested coordination mechanisms, namely that the Irish court must suspend its proceedings if the validity of the EDPB decision is relevant to its ruling. And if the ECJ has a question for a preliminary ruling and an action for annulment on the same case at the same time, it can suspend the preliminary ruling proceedings in favor of the annulment proceedings.
Effects of the judgment
The decision opens up a new, direct legal protection route. In future, companies affected by a binding EDPB decision will be able to challenge this decision directly before the General Court in Luxembourg. Previously, they had to rely on challenging the final decision of the national data protection authority before the national courts and hope that the national court would refer the question of the validity of the EDPB decision to the ECJ. Now they can challenge the decision directly. However, the deadline of two months after its publication on the EDPB website must be observed.
In future, the EDPB must expect that its decisions will not only be subject to judicial review by the supervisory authorities, but also by the companies concerned. This is likely to increase the requirements for the justification of such decisions.
Conclusion
The ECJ makes it clear that the EDPB does not operate in a legal vacuum. Its binding decisions can be challenged directly before the EU courts without having to go through the national authorities and courts.
The question of whether a legal act is contestable at all depends solely on its objective content and not on how it affects the plaintiff. In doing so, the ECJ corrects an error made by the General Court, which had confused the two questions.
The ECJ must now decide whether the EDPB decision was also lawful in substance. Only then will it become clear whether, in particular, the classification of certain encrypted data as personal data and the significant increase in fines will stand up to judicial review.
We are happy to
advise you about
Data protection law!
