In a fundamental recalibration of how European privacy law is enforced, the Grand Chamber of the Court of Justice of the European Union (CJEU) ruled on February 10, 2026, that tech giants can directly sue the European Data Protection Board (EDPB). The judgment in the high-stakes appeal of WhatsApp Ireland v. EDPB (Case C-97/23 P) effectively strips away a layer of procedural immunity that had previously shielded the EU’s central privacy referee from direct litigation.
The case originated from a 2021 dispute where the EDPB used its “consistency mechanism” to override the Irish Data Protection Commission, forcing it to increase a transparency-related fine against WhatsApp from roughly €30 million to €225 million. When WhatsApp attempted to challenge this instruction in the EU’s lower court, the case was dismissed. At the time, judges argued that the EDPB’s decision was merely an “intermediate” step and that WhatsApp could only sue the Irish regulator in a national court.
Overturning the “Intermediate Act” Theory
The Grand Chamber has now decisively rejected that logic. The Court found that when the EDPB issues a binding decision under Article 65 of the GDPR, it is not just providing “advice” or a “preparatory” document. Because these decisions definitively determine the legal position of a company—often mandating specific findings of infringement or dictating the scale of a penalty—they constitute an act open to challenge under Article 263 of the Treaty on the Functioning of the European Union.
This ruling clarifies that the EDPB is an authoritative body issuing decisions with direct legal impact, rather than an “untouchable coordinator” hiding behind collective decision-making. The Court emphasized that for a legal system to remain fair, any act by an EU body that produces binding legal effects on a third party must be subject to direct judicial review.
Proving “Direct Concern”
A central pillar of the judgment focused on the concept of “direct concern.” The CJEU ruled that WhatsApp was directly affected by the EDPB’s order because the Irish regulator had zero discretion in how to implement the Board’s findings. Since the national authority was legally compelled to follow the EDPB’s specific instructions, the “distinct change” in WhatsApp’s legal position was caused by the Board itself.
This part of the ruling is a strategic victory for large corporations, as it provides a faster, more direct route to contest the EU’s privacy enforcement strategies without waiting years for national court proceedings to exhaust themselves.
What This Means for Global Privacy Enforcement
The case has now been referred back to the General Court for a substantive review. This means the lower court must now look at the actual merits of the case: did WhatsApp truly violate transparency rules, and was the €225 million fine proportionate?
While the procedural win does not erase the fine, it sets a powerful precedent for 2026 and beyond. Any company currently caught in the “one-stop-shop” enforcement mechanism now has a confirmed legal pathway to hold the EDPB fully accountable. For the European Union, the ruling reinforces its self-image as a rule-of-law system where even the most powerful regulatory bodies are not beyond the reach of the court’s leash.