EU court allows WhatsApp to contest €225-million Irish GDPR penalty

The Court of Justice of the European Union ruled today that WhatsApp has standing to challenge a 225 million-euro penalty imposed under the GDPR by Ireland’s Data Protection Commission and adopted by the European Data Protection Board. The decision opens a legal pathway for Meta Platforms’ messaging service to seek review of the enforcement decision and raises fresh questions about the balance of power in pan-European data enforcement.

The fine, which relates to cross-border processing decisions coordinated by Ireland as lead supervisory authority, was adopted by the EDPB after a process that centralized dispute resolution among member state regulators. Ireland’s Data Protection Commission initially took the lead because Meta’s principal European operations are based in Ireland. The ECJ’s ruling focused on whether a company subject to an EDPB decision has the right to bring legal proceedings to challenge that decision’s validity.

By finding that WhatsApp has standing, the court effectively treats the EDPB decision as an act that can be contested in national courts or in the EU judicial system. That conclusion preserves a route for companies to ask judges to annul or set aside binding EDPB measures, rather than leaving review solely to the internal mechanisms of the board or to national enforcement alone.

Legal specialists said the ruling could reverberate through the EU’s data protection architecture. The EDPB was created to ensure consistent application of the GDPR across member states and to resolve disputes where multiple national authorities have interests. Allowing direct challenges to EDPB decisions may encourage more litigation by large technology companies seeking to slow or overturn coordinated penalties, potentially prolonging enforcement processes and creating a broader body of case law on procedural rights under EU data law.

For regulators, the decision complicates the enforcement playbook. The DPC has frequently been the lead authority in high-profile cases against large technology firms because their European headquarters are in Ireland. The EDPB’s coordinating role has been central to issuing cross-border fines and harmonized orders. A new willingness by courts to admit challenges to EDPB acts could require regulators to tighten their procedures to withstand judicial scrutiny and could deter some coordinated actions where the risk of lengthy litigation is high.

For Meta, standing to litigate offers a tactical avenue to contest the substance of the penalty or the process by which it was adopted. Challenging an EDPB decision is likely to be a protracted legal effort that could delay any final enforcement outcome for months or years. That delay could affect how companies budget for compliance risk and how national authorities prioritize investigatory resources.

The ruling also has broader public interest implications. Courts now face the task of balancing effective enforcement of privacy rights across the EU against the procedural safeguards that protect entities subject to regulatory action. The outcome of any subsequent litigation by WhatsApp will be closely watched by privacy advocates, regulators and other technology firms because it may define how far the EDPB’s coordination powers extend and how readily its decisions can be reviewed by the judiciary.

As the case moves back into national and EU procedural channels, the central questions will be whether an annulment is sought and on what grounds, and how quickly courts will act on challenges that intersect with the pace and expectations of data protection enforcement across Europe.