Share This Article
EDPB binding decisions are challengeable under the GDPR: with its judgment of 10 February 2026 in Case C-97/23 P, the Court of Justice of the European Union confirmed that binding decisions adopted by the European Data Protection Board under Article 65 GDPR can be directly challenged before the EU Courts under Article 263 TFEU.
This is not just a procedural clarification for litigators. It is a structural development that becomes central in the context of the Digital Omnibus reform, which is considering a stronger role for the EDPB and a reduced operational footprint for the European Commission in GDPR matters.
The ruling in WhatsApp Ireland v European Data Protection Board forces us to read the current institutional reform debate through a different lens: if the EDPB is going to exercise more power, its decisions must be fully reviewable. The Court has now made that point unequivocally clear.
From WhatsApp to Luxembourg: Why EDPB Binding Decisions Are Challengeable Under GDPR
WhatsApp tried to challenge the EDPB binding decision directly before the EU Courts.
The General Court dismissed the action as inadmissible, arguing that the EDPB decision was merely an intermediate procedural step. According to that logic, only the final national decision could be challenged. The Court of Justice took a different view.
It focused on substance rather than form. If an act produces binding legal effects and leaves no discretion to the national authority, it cannot be considered a simple preparatory step. The EDPB decision definitively resolved the dispute between authorities and shaped the content of the final enforcement measure.
Therefore, the principle is now established: EDPB binding decisions are challengeable under GDPR.
Why This Judgment Matters More Because of the Digital Omnibus
If this were only about admissibility under Article 263 TFEU, it would already be important. But the real significance lies elsewhere.
The Digital Omnibus reform is exploring a rationalization of EU digital legislation and, in that context, a possible strengthening of the EDPB’s role in GDPR governance. Discussions have pointed toward delegating more operational and coordination tasks to the EDPB while reducing certain functions currently exercised by the European Commission. That is a political and institutional choice.
But centralization always comes with a question: who controls the controller?
If the EDPB is going to have greater authority in resolving disputes, interpreting GDPR provisions, or indirectly influencing the level of administrative fines across Member States, its decisions must be open to direct judicial review.
This is precisely what the Court has now confirmed.
In practical terms, the recognition that EDPB binding decisions are challengeable under GDPR becomes the constitutional safeguard of any future reform. The more the Digital Omnibus strengthens the EDPB, the more relevant this judgment becomes.
Centralization and Accountability Must Move Together
Over the years, I have often argued that the GDPR enforcement architecture suffers from fragmentation and inconsistency. The cooperation mechanism was meant to solve that, but it has also increased the complexity of proceedings.
A stronger EDPB could improve consistency across Member States. That would be positive for legal certainty and for companies operating cross-border. However, consistency cannot come at the price of reduced judicial protection.
The Court’s reasoning is reassuring in that sense. It makes clear that EDPB binding decisions are not internal coordination tools. They are acts capable of directly affecting undertakings. As such, they must be challengeable before the EU Courts.
This ensures that any expansion of EDPB powers under the Digital Omnibus remains anchored to effective judicial control.
What This Means for Companies
For companies involved in cross-border investigations, the litigation landscape becomes more sophisticated. It is no longer just about challenging the national supervisory authority’s decision before domestic courts. There is now the possibility of directly challenging the EDPB’s binding determination at EU level.
That opens strategic considerations:
-
whether to pursue parallel proceedings;
-
how to coordinate arguments between EU and national litigation;
-
how to assess the procedural and reputational implications.
More importantly, companies will need to monitor EDPB decisions even more closely if the Digital Omnibus reform enhances its institutional role. EDPB determinations may increasingly shape the interpretation of core GDPR concepts and the parameters of enforcement.
The formula that EDPB binding decisions are challengeable under GDPR is therefore not a technical headline. It is a signal that the balance of power within EU data protection law is evolving.
A Structural Moment for EU Data Governance
The GDPR created a unique enforcement model, combining national authorities with a supranational consistency mechanism. The Digital Omnibus reform may push that model further toward centralization.
The ECJ judgment ensures that this evolution remains compatible with the rule of law.
In my view, this is the real takeaway. The Court is not resisting institutional reform. It is ensuring that reform remains embedded in judicial guarantees.
As the General Court now examines the merits of the case, we will gain further clarity on the substantive limits of the EDPB’s authority. But the procedural framework is already set.
If the EDPB is empowered further under the Digital Omnibus, its acts will remain subject to direct scrutiny by the EU Courts. And that is exactly how a mature regulatory system should function.