In its judgement of 10 February 2026 (C-97/23 P), the European Court of Justice ruled that an EDBP decision is an act open to challenge which is of direct concern to WhatsApp, declaring the company’s action admissible and sending the case back to the General Court for a ruling on the merits.
Facts of the Case
In late 2018, Ireland’s Data Protection Commission (“Irish DPC”) initiated, on its own motion, a general investigation into WhatsApp Ireland Ltd (“WhatsApp”) compliance with transparency and information obligations under the General Data Protection Regulation (“GDPR”). As no consensus could be reached among the national supervisory authorities regarding the Irish DPC’s draft decision, the European Data Protection Board (“EDPB”) intervened pursuant to the GDPR’s dispute resolution procedure (Article 65) and adopted a decision addressing the objections raised by the national authorities (“EDPB Decision”). That decision found a number of GDPR infringements and required the Irish DPC to amend its corrective measures and to adopt a higher fine. The Irish DPC subsequently adopted its final decision leading, amongst other, to a EUR 225 million fine against WhatsApp.
WhatsApp challenged the Irish DPC final decision before the Irish courts and, in parallel, sought annulment of the EDPB Decision before the General Court of the European Union (“GC”). However, the GC rejected the action in December 2022 as inadmissible, reasoning that the EDPB Decision was neither an “act open to challenge” under Article 263(1) TFEU nor “of direct concern” to WhatsApp, a procedural requirement for standing under Article 263(4) TFEU. The GC held that the final decision of the Irish DPC was however open for challenge by WhatsApp before the national court with a possibility for the latter to refer a question to the European Court of Justice (“ECJ”).
Findings of the ECJ
Act open to challenge
First, rejecting the GC’s reasoning, the ECJ held that the EDPB Decision is an act open to challenge under Article 263(1) TFEU.
On the one hand, the ECJ emphasised that the decisive criterion under Article 263(1) TFEU is whether the measure is adopted by an EU body and is intended to produce binding legal effects. Endorsing the Advocate General Ćapeta Opinion, the ECJ stressed that those effects must be assessed objectively, by reference to the substance and the context of the act, rather than considering the applicant’s legal situation. The latter assessment is relevant only at the separate stage of examining standing under Article 263(4) TFEU. By conflating these two steps, the ECJ found that the GC applied an incorrect test and confused the requirements of paragraphs (1) and (4) of Article 263 TFEU. In the present case, the ECJ concluded that the EDPB Decision is an act which emanates from an EU body and is binding on third parties, namely the Irish DPC as well as all the national supervisory authorities concerned.
On the other hand, the ECJ found that a decision adopted under Article 65 GDPR is not a mere preparatory or intermediate measure. By resolving the substantive disagreements between supervisory authorities – including findings of infringement and directions as to corrective measures – the EDPB expressed its definitive position on the points to be decided by it. The ECJ also noted that the fact that the EDPB Decision was not enforceable against entities other that its addressees is irrelevant for the purposes of the classification of that decision as an act open to challenge.
Accordingly, the ECJ concluded that the EDPB Decision is a reviewable act for the purposes of Article 263(1) TFEU and may, in principle, be challenged before the EU courts.
Individual and direct concern to WhatsApp
As a preliminary point, the ECJ confirmed that the EDPB Decision was of individual concern to WhatsApp since that decision concerned certain aspects of the Irish DPC final decision which relate specifically to the situation of that company, as the GC itself found in first instance.
Subsequently, according to the ECJ, the GC erred in law by excluding direct concern solely because the EDPB Decision is not enforceable against WhatsApp and does not constitute the final stage of the aforementioned dispute resolution procedure. The ECJ recalled that direct concern requires two cumulative conditions namely, the act must directly affect the applicant’s legal situation and leave no discretion to the addressee responsible for its implementation.
As regards the first condition, the ECJ found that EDPB’s Decision brought about a distinct change in WhatsApp’s legal position in so far as it decided that WhatsApp had failed to comply with certain provisions of the GDPR. It resulted from this that WhatsApp was required to change its contractual relationship with its users.
As regards the second condition, ECJ found that the Irish DPC (and all the other authorities) had no margin of discretion whatsoever as regards the matters definitely decided by the EDPB. In particular, the EDPB’s determinations on GDPR violations as well as the obligation to increase the amount of the fine were unconditionally binding on the authorities which could not depart form the EDPB’s position.
Since both conditions were met, the ECJ concluded that the EDPB decision was of direct concern to WhatsApp.
On these grounds, the ECJ aside the GC’s order and referred the case back to the GC to rule on the merits of WhatsApp’s action for annulment.
3. Conclusion
The ECJ’s ruling represents a significant development in EU judicial review of GDPR enforcement. By confirming that final binding decisions adopted by the EDPB are directly challengeable by affected companies – even though those decisions are formally addressed to national authorities – the ECJ expands access to EU judicial remedies and reinforces oversight of the EDPB’s role under the GDPR. Whether this reasoning will extend beyond disputes under Article 65 GDPR (where EDPB adjudicates) or even beyond the field of data protection remains to be seen.