ECJ paves the way against data protection fines in the millions
Companies can directly sue the European Data Protection Board over its decisions – a success for Meta before the ECJ in the dispute over billion-euro fines.
(Image: DenPhotos/Shutterstock.com)
The legal tug-of-war over one of the highest fines in the history of the General Data Protection Regulation (GDPR) has taken a decisive turn. On Tuesday, the European Court of Justice (ECJ) cleared the way for WhatsApp to directly defend itself against the requirements of the European Data Protection Board (EDPB). The highest judges thus overturned a previous decision by the General Court of the European Union (GCEU), which had dismissed a corresponding action for annulment by the messenger service as inadmissible at the end of 2022.
Origin in 2018
The case originates from an investigation by the Irish Data Protection Commission (DPC) in 2018, which was to examine irregularities in the transparency and information provided to users on WhatsApp. While the Irish regulators initially intended a moderate fine in the range of 30 million to 50 million euros, resistance arose among the European partner authorities.
As no consensus emerged, the supervisory authorities involved involved the EDPB. In 2021, the latter finally issued a binding decision that forced the DPC to drastically tighten the planned measures. The result was a record fine of 225 million euros, which was ultimately imposed on WhatsApp. The EDPB accused the Meta subsidiary of a lack of transparency in sharing data with Facebook – another division of the group.
Up to now, the EU court of first instance had taken the view that WhatsApp could only challenge the final decision of the Irish authority before a national court. At that level, the judges considered the EDPB's decision to be a mere interim measure without direct external effect for the company. The ECJ has now expressly not followed this reasoning. In its judgment in case C-97/23 P, the Court stated that such a decision constitutes a contestable act, as it originates from an EU institution and aims to produce legal effects towards third parties.
Videos by heise
Referral back to the lower court
With this decision, the judges in Luxembourg largely followed the recommendation of Advocate General Tamara Ćapeta from March 2025. Particularly significant is the Court's finding that WhatsApp is directly affected by the Data Protection Board's decision. Since the decision is binding on the national authorities and leaves them no discretion, it changes the legal situation of the affected company in a qualified manner. A spokesperson for WhatsApp welcomed the ruling and emphasized that the EDPB, as a non-elected body, must be fully accountable to the EU courts.
The scope of this decision extends far beyond the individual case. The ruling is likely to resolve a backlog of further lawsuits currently pending before the GCEU. In many of these cases, which often concern the parent company Meta, billions of euros are at stake. By confirming that the EDPB can be directly sued, new legal avenues are opening up for tech corporations to challenge the strict interpretations of European data protection authorities.
However, for WhatsApp, the success in Luxembourg does not mean the end of the fine proceedings. The ECJ has now referred the case back to the lower court for a decision on the merits. This court must now examine in substance whether WhatsApp has actually violated the GDPR's transparency obligations and whether the amount of the imposed fine is lawful. The EDPB stated that it had taken note of the ruling and was prepared to defend its decision in court.
(mma)
