CJEU Confirms Meta Can Challenge EDPB’s Binding WhatsApp Decision 2026
In a significant development for EU data protection enforcement, the Court of Justice of the European Union (CJEU) has ruled that companies may directly challenge binding decisions of the European Data Protection Board (EDPB) before the EU courts.
The judgment arises from proceedings involving WhatsApp Ireland, a subsidiary of Meta, and clarifies a critical procedural question under the GDPR’s cooperation and consistency mechanism.
Background: From National Fine to EU-Level Dispute
The case stems from a GDPR investigation led by the Data Protection Commission (DPC) in Ireland, WhatsApp’s lead supervisory authority in the EU.
The DPC initially proposed a fine of approximately €30 million for transparency-related GDPR infringements. However, following objections raised by other concerned supervisory authorities, the matter was escalated under the GDPR’s consistency mechanism to the EDPB. The EDPB issued a binding decision requiring the DPC to reassess its findings and increase the fine. Ultimately, the penalty was raised to €225 million.
WhatsApp sought to challenge the EDPB’s binding decision directly before the General Court. The General Court initially dismissed the action as inadmissible, reasoning that the EDPB decision was merely preparatory and that only the final national decision of the DPC could be challenged.
The CJEU’s Ruling
On appeal, the CJEU overturned that finding.
The Court held that:
- An EDPB binding decision adopted under Article 65 GDPR constitutes a reviewable EU act under Article 263 TFEU.
- Such decisions directly affect the legal position of the undertaking concerned.
- They are not merely preparatory steps but produce binding legal effects, even though they are implemented through a national authority.
In other words, companies subject to an EDPB binding decision are entitled to seek judicial review directly before the EU courts.
Why This Matters
This ruling has structural implications for GDPR enforcement across the EU.
1. Strengthened Judicial Protection
The judgment confirms that companies must have access to effective judicial remedies when EU-level bodies exercise binding authority. It closes a procedural gap that previously created uncertainty about how and when EDPB decisions could be challenged.
2. Clarification of the EDPB’s Legal Status
The Court implicitly reinforces the EDPB’s role as an EU body whose binding decisions have autonomous legal significance, rather than being merely advisory or intermediary in nature.
3. Impact on Future Cross-Border Enforcement
The GDPR’s one-stop-shop mechanism relies heavily on cooperation between national supervisory authorities and the EDPB. This ruling may influence how future disputes unfold, particularly in high-profile cross-border investigations involving large technology companies.
Broader Implications
While the judgment does not weaken the EDPB’s authority, it introduces an additional layer of judicial scrutiny. Companies facing significant fines or corrective measures resulting from Article 65 procedures now have a clearer path to challenge the underlying EU-level reasoning.
At the same time, the ruling contributes to legal certainty by aligning GDPR enforcement with general principles of EU administrative law, particularly the right to effective judicial protection.
Conclusion
The CJEU’s decision marks an important clarification in the evolving architecture of EU data protection enforcement. By confirming that EDPB binding decisions are directly challengeable, the Court has reinforced procedural safeguards while preserving the integrity of the GDPR’s consistency mechanism.
For organizations operating across multiple EU Member States, this judgment reshapes the litigation landscape and adds a new strategic dimension to cross-border GDPR enforcement proceedings.
