WhatsApp Ireland Ltd – CJEU Judgment (European Union, 2026)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
The Court of Justice ruled on a case involving WhatsApp Ireland Ltd, which had been challenged over its handling of user data. This ruling is important because it clarifies how companies can respond to decisions made by data protection authorities. It emphasizes the need for companies to understand their legal obligations under data protection laws.
What happened
WhatsApp Ireland Ltd challenged a decision by the Irish Data Protection Authority regarding its processing of user data.
Who was affected
Users and non-users of the WhatsApp messaging service were affected by the complaints made to the Irish DPA.
What the authority found
The Court held that WhatsApp's challenge to the Irish DPA's decision was inadmissible, meaning the company could not contest the authority's ruling.
Why this matters
This case highlights the importance of complying with data protection decisions and sets a precedent for how companies can respond to regulatory actions. Businesses should be aware that they may not always have grounds to contest authority decisions.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Following the entry into force of the GDPR, the Irish DPA received complaints from users and non-users (the data subjects) of the ‘WhatsApp’ messaging service concerning the processing of personal data by WhatsApp Ireland Ltd (the controller). After receiving an European Data Protection Board (EDPB) 'binding decision' (28 July 2021) within the framework of the GDPR's consistency mechanism, the Irish DPA adopted a final decision on 20 August 2021, in which it found that the controller had infringed certain provisions of the GDPR. The Irish DPA imposed corrective measures on the controller, in particular administrative fines for a cumulative amount of €225 million. The controller, challenged the EDPB's binding decision before the European General Court (GC) and in - in parallel - the implementing final decision by the Irish DPA before an Irish court. On 7 December 2022, the GC rejected the controller’s action as inadmissible. In that order, the GC considered, in essence, that the binding decision did not constitute a challengeable act for the purpose of [https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12008E263:EN:HTML Article 263(1) TFEU] and that the controller was not directly concerned with that decision, within the meaning of [https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12008E263:EN:HTML Article 263(4) TFEU]. Additionally, the GC considered the controller’s action brought out of time, because the Irish DPA had informed the controller already of ‘the relevant content’ of the contested decision prior to the EDPB’s publication thereof on its website, thus the term under [https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12008E263:EN:HTML Article 263(5)] had already commenced then and not only with the publication. By its appeal lodged on 17 February 2023, the controller requested that the CJEU in essence to reject the GC's order and find the action admissible. The controller put forward two grounds of appeal: # The GC misin
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for WhatsApp Ireland Ltd in EU
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
10 February 2026
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-9081About this data
Cite as: Cookie Fines. WhatsApp Ireland Ltd - European Union (2026). Retrieved from cookiefines.eu
Last updated: