The Court of Justice of the European Union this week delivered a landmark ruling that fundamentally alters how companies can contest data protection enforcement decisions across Europe. The Grand Chamber ruled that WhatsApp Ireland can directly challenge binding decisions from the European Data Protection Board before EU courts, setting aside a lower court order that had dismissed the messaging service’s legal action as inadmissible.

The February 10 judgment addresses a critical gap in accountability mechanisms within the General Data Protection Regulation enforcement framework. WhatsApp had sought to annul a July 28, 2021 EDPB binding decision that required Ireland’s Data Protection Commission to find additional GDPR violations and impose significantly higher fines than the Irish regulator had initially proposed.

According to the 121-paragraph judgment, the CJEU determined that EDPB binding decisions constitute “acts open to challenge” under Article 263 of the Treaty on the Functioning of the European Union. The court rejected the General Court’s December 2022 finding that such decisions represent merely intermediate or preparatory acts in a multi-stage enforcement procedure.

“The decision at issue constitutes an act of an EU body intended to produce legal effects vis-à-vis third parties and expressing the definitive position of that body on the points to be decided by it,” the CJEU stated in paragraph 76 of its ruling. The judgment establishes that companies need not wait until national supervisory authorities issue final decisions before seeking judicial review at the EU level.

Origins in transparency investigation

The case traces back to December 2018, when Ireland’s Data Protection Commission initiated an investigation into WhatsApp’s compliance with GDPR transparency obligations under Articles 12 through 14. The inquiry examined whether the messaging service provided adequate information to both users and non-users about personal data processing activities, particularly regarding data sharing with other entities in the Meta corporate family.

After completing its investigation in September 2019, the Irish DPC circulated a draft decision to other concerned supervisory authorities across the European Union in December 2020, following the cooperation procedures established in Article 60 of the GDPR. The draft decision proposed finding certain transparency violations but stopped short of establishing infringements that eight other European data protection authorities believed WhatsApp had committed.

Supervisory authorities from Germany at both federal and state levels, Hungary, the Netherlands, Poland, France, Italy, Portugal, Austria, Denmark, and Belgium raised formal objections to the Irish DPC’s draft decision. When the Irish authority declined to follow those objections, it referred the dispute to the EDPB for resolution through the consistency mechanism designed to prevent fragmentation in GDPR enforcement across member states.

The EDPB’s July 2021 binding decision required Ireland’s regulator to find that WhatsApp had failed to comply with Article 13(1)(d) regarding information about legitimate interests, violated the transparency principle in Article 5(1)(a), and infringed Article 13(2)(e) concerning data retention information. Perhaps most significantly, the EDPB determined that “lossy hashed data” derived from non-user contact information still constituted personal data under GDPR definitions.

On fines, the EDPB concluded that the Irish authority had misinterpreted several criteria for calculating administrative penalties under Article 83. The Board found Ireland’s proposed fine range of €30 million to €50 million inadequate given the nature and scope of violations. Ireland’s DPC ultimately imposed 4 separate administrative fines totaling €225 million in its August 20, 2021 final decision, alongside orders requiring WhatsApp to bring its processing into compliance within three months.

Direct concern established

The CJEU’s analysis focused heavily on whether WhatsApp satisfied the conditions for bringing an annulment action under the fourth paragraph of Article 263 TFEU. That provision permits natural or legal persons to challenge acts that are of direct and individual concern to them, even when not directly addressed to the challenging party.

The General Court had ruled in December 2022 that WhatsApp failed to satisfy the “direct concern” requirement. It found that the EDPB binding decision was not enforceable against WhatsApp without further procedural steps and left discretion to the Irish supervisory authority regarding the final decision’s content.

The CJEU rejected this reasoning as legally inaccurate. According to the judgment, two cumulative conditions must be satisfied for direct concern: the contested measure must directly affect the applicant’s legal situation, and it must leave no discretion to the addressees entrusted with implementing it. The court determined WhatsApp satisfied both requirements.

“WhatsApp was required, in particular, on account of the EDPB’s intervention, to change its contractual relationship with the users of the messaging service,” the CJEU explained in paragraph 98. The decision changed WhatsApp’s legal position by establishing additional compliance obligations regarding transparency and information provision.

On discretion, the court emphasized that Ireland’s DPC and other concerned supervisory authorities “cannot depart from the position adopted by the EDPB” in the binding decision. The EDPB’s determinations on GDPR infringements, the classification of lossy hashed data as personal data, and the obligation to increase fines bound the Irish authority unconditionally.

The fact that Ireland’s final decision addressed aspects beyond the EDPB binding decision’s scope proved irrelevant to the direct concern analysis. National supervisory authorities retain responsibility for matters not subject to relevant and reasoned objections, such as determining precise fine amounts. However, on issues the EDPB decided, implementing authorities face binding obligations that cannot be altered.

Implications for enforcement coordination

The ruling arrives amid persistent criticism of GDPR enforcement mechanisms, particularly regarding coordination between national data protection authorities. Ireland’s DPC has faced scrutiny as lead regulator for major technology companies with European headquarters in Dublin, with enforcement actions frequently taking years to complete.

Privacy advocacy organizations have documented substantial procedural delays in cross-border cases. According to Max Schrems, chairman of noyb, a complaint filed on May 25, 2018 – the day GDPR took effect – against Meta’s data processing practices remained unresolved through multiple enforcement cycles and court proceedings extending into 2025.

The CJEU judgment acknowledges potential parallel proceedings before EU courts and national judicial systems but finds this creates no insurmountable obstacles. When national court cases depend on EDPB binding decision validity, the duty of sincere cooperation requires national courts to stay proceedings pending EU judicial resolution or make preliminary ruling references to the Court of Justice.

The decision also addresses concerns about the EDPB’s role in the enforcement framework. Germany, intervening in support of the EDPB’s position, had argued that consistency mechanisms serve purely internal coordination functions between supervisory authorities. The CJEU rejected this characterization, emphasizing that EDPB binding decisions produce legal effects extending beyond their formal addressees.

Recital 143 of the GDPR explicitly contemplates that EDPB decisions may be of direct and individual concern to controllers, processors, or complainants, the court noted. This legislative recognition confirms that binding decisions can have external legal effects warranting direct judicial review possibilities.

Broader accountability questions

Legal experts observing the case identified implications extending beyond the immediate WhatsApp dispute. The CJEU’s reasoning potentially opens Article 64 GDPR opinions to direct challenges, as these opinions bind supervisory authorities when addressing questions about GDPR interpretation or data protection implications of draft decisions.

“This paves the way for challenges to Art. 64 Opinions of the EDPB, as they’re by definition binding upon SAs,” noted Peter Craddock, a data protection lawyer, in analysis shared February 14. The judgment’s emphasis on binding legal effects as the determinative factor suggests any EDPB act imposing obligations on supervisory authorities could face similar scrutiny.

The ruling also raises questions about guidelines and recommendations the EDPB issues under Article 70 GDPR. While these instruments lack the formal binding character of Article 65 decisions, they exert significant practical influence over data protection enforcement across member states. Whether controllers could challenge guidelines that effectively determine compliance requirements remains an open question requiring future litigation to resolve.

For marketing technology providers and advertising platforms, the decision creates new strategic options when facing coordinated enforcement actions across multiple European jurisdictions. Companies can now contest EDPB positions directly rather than waiting for individual supervisory authorities to issue final decisions, potentially accelerating resolution of fundamental legal questions.

However, the practical impact depends heavily on how the General Court addresses WhatsApp’s substantive arguments when the case returns for merits consideration. The CJEU set aside the inadmissibility finding but referred the case back to the General Court for examination of whether the EDPB binding decision actually violated EU law in the ways WhatsApp contends.

The EDPB has faced increasing scrutiny over its enforcement approaches, particularly regarding behavioral advertising and consent requirements. In October 2023, the Board issued an urgent binding decision ordering Meta to cease processing personal data for behavioral advertising based on contract and legitimate interest grounds across the entire European Economic Area.

Statistics from the EDPB’s 2023 evaluation report revealed significant disparities in enforcement patterns across European jurisdictions. Only 1.3% of GDPR cases resulted in monetary penalties between 2018 and 2023, with fine rates ranging from Slovakia’s 6.84% to the Netherlands’ 0.03%. Ireland averaged €475.9 million in annual fines largely due to its role as lead authority for major technology platforms.

Technical enforcement issues

The WhatsApp case centered partly on technical questions about when hashed data retains personal data characteristics under GDPR definitions. The Irish DPC’s draft decision had not classified output from WhatsApp’s “lossy hashing procedure” applied to non-user contact information as personal data. The EDPB disagreed, determining such material remained subject to GDPR protections.

This classification carried significant implications for potential Article 5(1)(c) and Article 6(1) violations regarding data minimization and lawful processing bases. It also extended the scope of WhatsApp’s Article 14 obligations concerning information provision for data not obtained directly from data subjects.

The EDPB’s position aligned with emerging judicial interpretations that examine whether recipients possess means reasonably likely to identify individuals from processed data. In September 2025, the CJEU addressed pseudonymization questions in EDPS v. SRB, establishing that data protection obligations should reflect actual rather than theoretical identification risks from the perspective of different processing parties.

WhatsApp challenged both the substantive determinations about lossy hashed data and procedural aspects of how the EDPB reached its conclusions. The company argued the Board exceeded its authority by making findings on matters the Irish DPC’s investigation had not covered and by requiring fine increases based on misinterpretations of Article 83 criteria.

These merits arguments will now receive examination from the General Court following the CJEU’s admissibility determination. The lower court must assess whether the EDPB properly exercised its dispute resolution authority and correctly interpreted relevant GDPR provisions when issuing its binding decision.

Parallel enforcement developments

The WhatsApp ruling emerges against a backdrop of intensifying data protection enforcement across Europe. TikTok faces a €530 million fine from Ireland’s DPC for alleged unauthorized data transfers to China, with the company securing Irish High Court permission to challenge the penalties as unconstitutionally extreme.

LinkedIn Ireland received a €310 million fine in October 2024 for violations regarding behavioral analysis and targeted advertising of members’ personal data. Meta platforms have accumulated billions in GDPR penalties since 2018, with enforcement actions addressing consent practices, data transfer mechanisms, and transparency obligations.

Germany has emerged as a testing ground for algorithmic accountability through cases deploying the Digital Services Act, GDPR, and AI Act in combination. Courts in Leipzig and Berlin have awarded compensation to individual users for Meta Business Tools violations, establishing precedents for private enforcement mechanisms alongside regulatory proceedings.

The European Commission proposed major GDPR amendments in November 2025 addressing AI development and individual privacy rights. Privacy organizations criticized the draft changes as narrowing personal data definitions and expanding grounds for refusing data subject access requests, raising concerns about weakening protections under the guise of simplification.

Procedural timeline and subsequent steps

The CJEU addressed preliminary questions about whether WhatsApp’s November 1, 2021 action was filed within the two-month deadline established in the sixth paragraph of Article 263 TFEU. The EDPB had argued the limitation period began when WhatsApp acquired knowledge of the binding decision on August 13, 2021, making the November filing untimely.

The court rejected this position, emphasizing that publication date determines the starting point for challenges to acts not directly notified to applicants. Article 65(5) GDPR requires EDPB binding decisions to be published on the Board’s website. The September 2, 2021 publication date gave WhatsApp until November 2 to file its annulment action, making the November 1 submission timely.

With the admissibility question resolved, the General Court must now examine WhatsApp’s substantive claims that the EDPB binding decision violated EU law. These arguments encompass both procedural irregularities in how the Board reached its determinations and substantive errors in interpreting GDPR provisions regarding transparency, data classification, and fine calculation methodology.

The timeline for General Court proceedings remains uncertain. Complex data protection cases involving multiple parties and extensive factual records typically require 18 to 36 months for resolution at first instance, with possibilities for further appeals creating additional delays. WhatsApp’s parallel challenge to Ireland’s final decision before Irish courts adds complexity to the overall enforcement picture.

Legal experts anticipate the General Court will carefully examine the boundaries of EDPB authority when issuing binding decisions. Questions include whether the Board can make findings on matters not addressed in supervisory authority draft decisions, how it should interpret Article 83 fine calculation criteria, and what deference implementing authorities owe to EDPB legal interpretations.

The ruling also establishes that companies facing GDPR enforcement actions retain options for contesting both EDPB binding decisions and subsequent national supervisory authority final decisions through separate judicial proceedings. However, the CJEU noted that sincere cooperation obligations may require coordination between parallel cases to avoid conflicting outcomes.

Business response and evaluation

Privacy attorneys welcomed the judgment as clarifying accountability mechanisms while expressing concerns about potential strategic litigation delaying enforcement. The decision addresses longstanding questions about whether the GDPR’s complex multi-tier enforcement structure provides adequate procedural protections for affected companies.

“A step towards EDPB accountability,” commented one legal practitioner analyzing the ruling. “The EDPB is unelected, not a legislator and not a court – yet its positions have had a major impact on data protection over the past 8 years.”

Others questioned whether enabling direct challenges to EDPB decisions might undermine the consistency mechanism’s effectiveness. The Board was established precisely to prevent fragmentation in GDPR enforcement across 27 member states with differing regulatory traditions and enforcement priorities. Allowing companies to contest binding decisions could prolong disputes the consistency mechanism aims to resolve efficiently.

The European Data Protection Board and European Data Protection Supervisor have jointly criticized proposed GDPR simplification measures that they argue would weaken privacy protections. Their February 10, 2026 joint opinion rejected Commission proposals to narrow personal data definitions and expand circumstances for refusing data subject access requests.

Marketing professionals monitoring European privacy enforcement recognize the CJEU ruling creates new variables in compliance planning. Companies operating across multiple European jurisdictions must now account for possibilities that EDPB positions could face direct legal challenges, potentially creating uncertainty about enforcement priorities during litigation periods.

The judgment arrives as research demonstrates GDPR’s significant impact on European technology investment patterns. A June 2025 National Bureau of Economic Research study found the regulation fundamentally altered venture capital flows, with data-related companies experiencing disproportionate effects from compliance cost increases.

Chronological timeline

  • May 24, 2018: WhatsApp changes privacy policy to align with GDPR requirements
  • May 25, 2018: GDPR becomes enforceable across the European Union
  • December 2018: Irish DPC initiates inquiry into WhatsApp’s GDPR transparency compliance
  • September 2019: Irish DPC completes investigation and receives final report
  • December 2020: Irish DPC circulates draft decision to concerned supervisory authorities
  • January 2021: Eight European supervisory authorities raise objections to draft decision
  • June 2021: Irish DPC refers dispute to EDPB for binding decision
  • July 28, 2021: EDPB adopts binding decision requiring additional violation findings and higher fines
  • August 20, 2021: Irish DPC issues final decision imposing €225 million in fines
  • September 2, 2021: EDPB publishes binding decision on its website
  • November 1, 2021: WhatsApp files action seeking annulment of EDPB binding decision
  • December 7, 2022: General Court dismisses WhatsApp’s action as inadmissible
  • February 17, 2023: WhatsApp appeals General Court order to CJEU
  • March 27, 2025: Advocate General sides with WhatsApp in opinion supporting direct challengeability
  • October 2023: EDPB issues urgent binding decision against Meta behavioral advertising
  • October 2024: European Data Protection Board unveils work programme emphasizing enforcement cooperation
  • January 2025: EU court orders Irish DPC to investigate Meta complaint from 2018
  • February 10, 2026: CJEU Grand Chamber rules EDPB binding decisions are directly challengeable, sets aside General Court order, refers case back for merits consideration

Abstract

Who: The Court of Justice of the European Union Grand Chamber issued a judgment in WhatsApp Ireland’s appeal against the European Data Protection Board, with Germany intervening in support of the EDPB’s position.

What: The court ruled that EDPB binding decisions under Article 65 GDPR constitute acts open to challenge before EU courts and are of direct concern to affected companies, overturning the General Court’s December 2022 inadmissibility finding and establishing that controllers can directly contest such decisions rather than waiting for national supervisory authority implementation.

When: The judgment was delivered on February 10, 2026, addressing WhatsApp’s November 1, 2021 challenge to the EDPB’s July 28, 2021 binding decision that had required Ireland’s Data Protection Commission to find additional violations and impose significantly higher fines.

Where: The ruling applies throughout the European Union and establishes binding precedent for how companies can challenge EDPB decisions across all member states, fundamentally altering the judicial review possibilities within GDPR’s multi-tier enforcement framework.

Why: The court determined that EDPB binding decisions definitively express the Board’s position on disputed matters, bind implementing supervisory authorities without leaving discretion, and directly affect controllers’ legal positions by establishing compliance obligations – making such decisions challengeable acts that warrant direct judicial review to ensure accountability and procedural protections within the GDPR enforcement system.

