WhatsApp Ireland Ltd – CJEU Judgment (European Union, 2026)
CJEU judgment — not a DPA enforcement action
This is a Court of Justice ruling, not an enforcement action by a data protection authority. It is not included in cookie statistics or the Risk Calculator.
Following the entry into force of the GDPR, the Irish DPA received complaints from users and non-users (the data subjects) of the ‘WhatsApp’ messaging service concerning the processing of personal data by WhatsApp Ireland Ltd (the controller). After receiving an European Data Protection Board (EDPB) 'binding decision' (28 July 2021) within the framework of the GDPR's consistency mechanism, the Irish DPA adopted a final decision on 20 August 2021, in which it found that the controller had infringed certain provisions of the GDPR. The Irish DPA imposed corrective measures on the controller, in particular administrative fines for a cumulative amount of €225 million. The controller, challenged the EDPB's binding decision before the European General Court (GC) and in - in parallel - the implementing final decision by the Irish DPA before an Irish court. On 7 December 2022, the GC rejected the controller’s action as inadmissible. In that order, the GC considered, in essence, that the binding decision did not constitute a challengeable act for the purpose of [https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12008E263:EN:HTML Article 263(1) TFEU] and that the controller was not directly concerned with that decision, within the meaning of [https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12008E263:EN:HTML Article 263(4) TFEU]. Additionally, the GC considered the controller’s action brought out of time, because the Irish DPA had informed the controller already of ‘the relevant content’ of the contested decision prior to the EDPB’s publication thereof on its website, thus the term under [https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12008E263:EN:HTML Article 263(5)] had already commenced then and not only with the publication. By its appeal lodged on 17 February 2023, the controller requested that the CJEU in essence to reject the GC's order and find the action admissible. The controller put forward two grounds of appeal: # The GC misin
GDPR Articles Cited
Following the entry into force of the GDPR, the Irish DPA received complaints from users and non-users (the data subjects) of the ‘WhatsApp’ messaging service concerning the processing of personal data by WhatsApp Ireland Ltd (the controller). After receiving an European Data Protection Board (EDPB) 'binding decision' (28 July 2021) within the framework of the GDPR's consistency mechanism, the Irish DPA adopted a final decision on 20 August 2021, in which it found that the controller had infringed certain provisions of the GDPR. The Irish DPA imposed corrective measures on the controller, in particular administrative fines for a cumulative amount of €225 million. The controller, challenged the EDPB's binding decision before the European General Court (GC) and in - in parallel - the implementing final decision by the Irish DPA before an Irish court. On 7 December 2022, the GC rejected the controller’s action as inadmissible. In that order, the GC considered, in essence, that the binding decision did not constitute a challengeable act for the purpose of [https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12008E263:EN:HTML Article 263(1) TFEU] and that the controller was not directly concerned with that decision, within the meaning of [https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12008E263:EN:HTML Article 263(4) TFEU]. Additionally, the GC considered the controller’s action brought out of time, because the Irish DPA had informed the controller already of ‘the relevant content’ of the contested decision prior to the EDPB’s publication thereof on its website, thus the term under [https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12008E263:EN:HTML Article 263(5)] had already commenced then and not only with the publication. By its appeal lodged on 17 February 2023, the controller requested that the CJEU in essence to reject the GC's order and find the action admissible. The controller put forward two grounds of appeal: # The GC misin
Outcome
CJEU Judgment
A judgment by the Court of Justice of the European Union, typically on a preliminary reference from a national court.
Related Cases (0)
No other cases found for WhatsApp Ireland Ltd in EU
This is the only recorded case for this entity in this jurisdiction.
Details
Judgment Date
10 February 2026
Authority
Court of Justice of the European Union
GDPRhub ID
gdprhub-cjeu-9081About this data
Cite as: Cookie Fines. WhatsApp Ireland Ltd - European Union (2026). Retrieved from cookiefines.eu
Last updated: