WhatsApp v. the EDPB: Why this €225m GDPR case matters for every business

In a significant ruling that could reshape the way GDPR fines are challenged across Europe, the Court of Justice of the European Union (CJEU) has backed WhatsApp’s right to directly challenge a €225m privacy fine imposed following intervention by the European Data Protection Board (EDPB).

This may look like another Big Tech procedural battle. But this case could impact businesses of all sizes affected by GDPR. This is not just about Meta. It is about how EU data protection enforcement works and how companies can defend themselves.

The case: from €50m to €225m

The case stems from a 2021 decision by Ireland’s Data Protection Commission (DPC), which fined WhatsApp for failing to adequately explain to users how their data was shared with its parent company, Facebook.

Initially, the Irish regulator proposed a significantly lower fine, reportedly between €30m and €50m. However, under the GDPR’s cooperation and consistency mechanism, other EU data protection authorities disagreed with Ireland’s assessment. The matter was escalated to the EDPB, which issued a binding decision instructing the Irish regulator to reassess its findings and increase the penalty.

The result was a €225m fine.

WhatsApp challenged not just the fine itself, but the EDPB’s authority to issue a binding decision that effectively forced Ireland’s regulator to increase the penalty. Lower courts initially ruled that WhatsApp could not directly challenge the EDPB’s decision because it was formally addressed to the Irish DPC, not to WhatsApp.

This week, the EU’s top court disagreed.

The CJEU held that the EDPB’s binding decision was of “direct concern” to WhatsApp because it altered the company’s legal position and left no discretion to the Irish regulator. In other words, the EDPB’s decision was effectively determinative of the outcome.

As a result, WhatsApp can now pursue a direct action before the EU courts challenging the EDPB’s intervention.

The case will return to the General Court to assess the substance, including whether WhatsApp actually breached the GDPR and whether the fine was correctly calculated.

How this changes the GDPR appeals landscape

This ruling opens a new procedural door.

Companies can now challenge binding EDPB decisions directly at EU level, rather than relying solely on appeals through national courts. That could streamline proceedings and fundamentally reshape how cross-border GDPR disputes are litigated.

It is also expected to unlock a queue of pending appeals, many involving Meta, where companies are contesting EDPB interventions that overruled national regulators. Under the GDPR’s one-stop-shop system, companies with cross-border processing are primarily supervised by a lead authority, often Ireland for major US tech firms. However, where other EU regulators disagree, the EDPB can step in and issue a binding decision.

Until now, it was unclear whether businesses could directly challenge those board-level decisions. The CJEU has now confirmed that they can. That is a structural development in EU administrative law, not just a corporate victory.

What this means for your business

This case should not be viewed purely through a Big Tech lens. The implications extend far beyond Meta.

The EDPB’s influence is confirmed, and can be challenged

The ruling confirms just how powerful the EDPB is. Its decisions can directly alter a company’s legal position and materially increase fines. For businesses operating across multiple EU states, this reinforces that enforcement risk does not end with engagement with a single national regulator.

At the same time, the judgment introduces greater judicial oversight. Companies now have a clearer path to test whether the EDPB has exceeded its powers or misapplied the GDPR.

For smaller organisations, this is a question of legal certainty. Regulatory coordination across 27 Member States is complex. The ability to challenge central decisions helps ensure that enforcement remains accountable.

GDPR litigation may become more strategic

GDPR has already produced over €4b in fines since 2020, though many have been subject to lengthy legal challenges. Ireland’s DPC, for example, has collected only a fraction of its headline penalties while appeals proceed.

Now that direct challenges to the EDPB are confirmed as admissible, companies facing significant cross-border enforcement may rethink their litigation strategy.

This could mean:

  • More cases moving into EU-level courts
  • Faster clarification of how fines are calculated
  • Greater scrutiny of how regulators interpret key GDPR provisions

Over time, that may produce more consistent jurisprudence on fine calculation methodologies, something businesses have been seeking since the GDPR came into force.

Transparency obligations are significant

The case is primarily about transparency and, specifically, how clearly companies explain data-sharing practices to users. For everyday businesses, this is a reminder that transparency failures can escalate quickly. What may begin as a documentation or notice issue can evolve into a multi-jurisdictional enforcement dispute with nine-figure consequences.

Even if most companies will never face a €225m fine, the principle applies equally to SMEs:

  • Are privacy notices clear and specific?
  • Are data-sharing arrangements fully documented?
  • Are group-company transfers properly explained?

Transparency remains one of the most litigated and enforced areas of the GDPR.

An indication that enforcement is maturing

This ruling lands at a time when EU digital regulation is intensifying. Challenges are also underway under the Digital Markets Act (DMA) and Digital Services Act (DSA). Major technology firms are openly criticising the EU’s digital rulebook.

Against that backdrop, the CJEU’s decision reinforces two important realities:

First, EU regulators, including coordination bodies like the EDPB, have real, enforceable power.

Second, that power is subject to judicial review at the highest level.

For businesses, this signals a maturing enforcement environment. The era of regulatory experimentation is over. GDPR enforcement is now legally complex, procedurally layered and increasingly shaped by appellate jurisprudence.

A case about accountability on both sides

WhatsApp has framed the decision as a victory for accountability, arguing that the EDPB is an “unelected authority” whose decisions must be challengeable before EU courts.

The CJEU has agreed on that procedural point. But the substance of the case, whether WhatsApp infringed the GDPR and whether the fine was justified, remains to be decided.

For businesses, two principles stand out. Regulators under GDPR are powerful, coordinated and increasingly assertive, but they are not beyond judicial scrutiny. The enforcement ecosystem has gained greater procedural clarity about who can challenge regulatory decisions and in which forum. That clarity will not just influence this case; it is likely to shape the strategy, speed and structure of privacy disputes across Europe for years to come.
