The ECJ has clarified the legal status of binding decisions adopted under the GDPR’s consistency mechanism, holding that decisions of the European Data Protection Board (EDPB) that resolve disputes between national supervisory authorities constitute acts open to challenge before the EU Courts. In its 10 February 2026 judgment in Case C-97/23 P (WhatsApp Ireland v European Data Protection Board), the Grand Chamber of the ECJ found that such decisions produce legal effects vis-à-vis third parties and may directly affect the position of the data controller concerned.

By recognising that these decisions are not merely internal steps but reviewable EU acts, the ECJ set aside the General Court, which declared WhatsApp’s action inadmissible (Case T-709/21), and referred the case back for a decision on the merits.

Facts of the case

The case arose from an investigation by the Irish Data Protection Commission into WhatsApp’s compliance with transparency obligations under the GDPR, following complaints from users and non-users. Acting as lead supervisory authority for cross-border processing, the Irish authority initiated an inquiry into WhatsApp’s data-sharing practices, including its exchanges with other entities within the Meta group.

After a draft decision was circulated to other supervisory authorities under the GDPR cooperation mechanism, several authorities raised objections. As no consensus could be reached, the dispute was referred to the EDPB under Art. 65 GDPR.

In July 2021, the EDPB adopted a binding decision requiring the Irish authority to revise its draft. The instructions included that additional GDPR infringements be found, that certain data (including data resulting from “lossy hashing”) be classified as personal data, and that the level of administrative fines be increased.

In August 2021, the Irish authority adopted its final decision, incorporating the EDPB’s findings. It imposed a reprimand, corrective measures, and fines totalling €225 million. While WhatsApp challenged that final decision before the Irish courts, it also brought an action for annulment before the General Court against the EDPB decision itself.

The General Court dismissed that action as inadmissible, considering the EDPB decision to be a preparatory act without independent legal effects and not directly concerning WhatsApp. WhatsApp appealed.

Judgment and reasoning

In its opposing judgment favouring the admissibility of the action under Art. 263 TFEU, the ECJ first clarified that the EDPB's decision cannot be regarded as intermediate step as it definitively determines its position on the issues referred to it and is legally binding on the national supervisory authorities concerned.

Second, the ECJ found that the decision was of direct concern to WhatsApp. The EDPB’s findings – such as the identification of additional infringements and the requirement to increase fines – directly affected WhatsApp’s legal situation. The Irish supervisory authority was bound by those findings and had no discretion to depart from them in its final decision. The absence of direct enforceability against WhatsApp did not preclude a finding of direct concern.

As a result, the ECJ rejected the General Court’s approach, which had focused on the intermediate nature of the EDPB decision and the availability of judicial remedies at national level. Therefore, the existence of parallel remedies (before national courts against the final decision and before EU courts against the EDPB decision) does not exclude direct concern.

Significance

The judgment strengthens judicial review within the GDPR enforcement system. It confirms that binding decisions adopted by the EDPB under Art. 65 GDPR are not merely internal coordination tools but legally relevant acts that can be challenged directly before the EU Courts.

More broadly, the ruling clarifies the structure of the GDPR’s “composite” enforcement mechanism. While national supervisory authorities formally adopt the final decision, the EDPB’s binding determinations on key legal issues can independently affect the rights and obligations of controllers. Those determinations must therefore be open to direct judicial scrutiny at EU level.