On February 10, 2026, the Court of Justice of the European Union (CJEU) confirmed in a landmark judgment that companies can seek annulment of European Data Protection Board (EDPB) binding decisions before the adoption of a final decision by their lead Supervisory Authority (SA).

This decision opens the floodgates to substantive review of EU-level General Data Protection Regulation (GDPR) enforcement. It will create dual-track litigation for GDPR sanctions: before the General Court (GC) against EDPB decisions and before national courts, against national implementing decisions. It will also impact how companies will approach major GDPR investigations going forward.

Background

In December 2018, the Irish Data Protection Commission (DPC) initiated an investigation into WhatsApp’s compliance with its transparency obligations. Two years later, the DPC submitted its draft decision to the other SAs. Due to the lack of consensus between the SAs, the DPC referred the case to the EDPB to adopt a binding decision under Article 65 GDPR. The EDPB, in its binding decision 1/2021 (EDPB Decision), found that WhatsApp breached several GDPR provisions (including WhatsApp’s transparency obligations under Article 5(1)(a) GDPR and Articles 12-14 GDPR) and required the DPC to amend the envisaged corrective measures and the amount of the fines. On this basis, the DPC imposed a EUR 225 million fine on WhatsApp.

WhatsApp directly challenged the EDPB Decision before the GC, which dismissed WhatsApp’s action for annulment. The GC considered that the EDPB Decision was merely an intermediate act and that it was not of direct concern to WhatsApp. WhatsApp subsequently appealed that decision to the CJEU.

Key Findings

In its judgment, which largely follows Advocate General Capeta’s opinion, the CJEU clarified fundamental aspects of EU procedural administrative law that are directly applicable to judicial review in the context of the GDPR consistency mechanism:

• Companies can directly challenge EDPB binding decisions. The CJEU held that companies can challenge a binding decision adopted by the EDPB under Article 263(1) TFEU. Whether an act can be challenged must be assessed objectively, by reference to its legal effects rather than the nature of the applicant. EDPB binding decisions emanate from an EU body and express the definitive position of that body on specific points.
  
  In this case, although the EDPB Decision is not the final step of the sanction procedure (as the DPC had to issue the final decision), it still exhaustively resolves all the issues in scope of its review: all the relevant and reasoned objections raised by the concerned SAs.
  
  According to the CJEU, the EDPB Decision, therefore, cannot be regarded as a mere preparatory or intermediate act. This was also supported by the fact that the DPC’s final decision reproduced excerpts of the EDPB’s reasoning, and the EDPB Decision was formally attached to it.
• While EDPB binding decisions are not addressed to companies, they can be of direct and individual concern to them. The CJEU found that the GC erred in conflating the assessment of whether an act is open to challenge under Article 263(1) TFEU with the separate question of whether an applicant is directly concerned under Article 263(4) TFEU.
• The EDPB Decision was of “direct concern” to WhatsApp. The CJEU held that the EDPB Decision brought about a distinct change in WhatsApp’s legal position and left no discretion to the SAs as regards the legal determinations made. In particular, the EDPB Decision unconditionally bound the DPC concerning findings of infringement, the obligation to amend corrective measures, and the amount of the fine.
• Judicial review cannot be deferred to national proceedings alone. The fact that the EDPB Decision was followed by a national implementing decision did not deprive it of its direct effects. While the CJEU acknowledged that parallel proceedings before EU and national courts may arise, it held that this is inherent to ensuring effective judicial protection when EU bodies adopt binding decisions with concrete legal effects.

The significance of this judgment extends well beyond the GDPR. It creates a precedent for judicial review in all composite administrative procedures in which EU bodies and national authorities share decision making. The CJEU has confirmed that contestability depends on whether an act binds third parties, not on whether it's the “final” step in a multilevel process. That’s a horizontal principle that will apply to EU administrative law across sectors.

Conclusion

This judgment is a significant development for GDPR enforcement and EU procedural law in general. It confirms that companies can directly challenge EDPB binding decisions adopted under the dispute resolution mechanism before EU courts, strengthening procedural safeguards for companies subject to cross-border enforcement. This judgment is likely to lead to dual-track litigation, with parallel proceedings before EU courts challenging EDPB binding decisions and before national courts reviewing final SA decisions.

The case will now return to the GC, which will consequently examine the merits of an EDPB decision for the first time, including fundamental legal questions (such as: Does lossy (i.e., irreversible one-way) hashed data constitute personal data under the GDPR? Were the transparency violations properly established? Was the €225 million fine justified?) on which the EDPB weighs in will now be directly subject to judicial review at the EU level.

The outcome will be closely watched by companies that have already introduced similar actions for annulment (seven are currently pending) and will set a precedent for widespread actions from companies against EDPB binding decisions and other decisions adopted by EU bodies in other composite procedures.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex digital regulation and privacy compliance. For more information, please contact Cédric Burton, Laura De Boel, Yann Padova, or Nikolaos Theodorakis.

Carol Evrard and Yaron Moszynski contributed to the preparation of this alert.