Lessons from WhatsApp’s GDPR dispute

The GDPR introduced a supervision of entities carrying out processing based on the entity’s place of establishment in principle, or where the processing takes place. However, where cross-border processing operations are made, the entity’s place of establishment becomes the lead data protection authority (“DPA”), assuming the competence to handle all complaints lodged in relation to cross-border processing activities, and taking decisions regarding such complaints.

Those decisions taken by the lead DPA are however subject to a review by the other relevant DPAs, which may raise a “relevant and reasoned objection” to the draft decision. In such case, the dispute resolution mechanism of the EDPB – reuniting all DPAs – is triggered and leads to a decision voted by two-thirds of its members regarding the objection. The resulting decision of the EDPB must be used as a basis for the lead DPA’s final decision.

This review process was thought as a manner to ensure consistency and coherence between member States in order to achieve a uniform application to the GDPR across the EU, without any role or place for the entity subject to the final decision in this process; the entity should instead make use of its national rules to oppose the final decision taken by the lead DPA.

In the dispute at hand, the EDPB adopted Binding Decision 1/2021 on the basis of Article 65(2) of the GDPR on 28 July 2021. During such process, WhatsApp requested for its views to be heard on the grounds that such decision will inevitably affect it indirectly. The EDPB had initially refused such request citing that WhatsApp had shared their views with their lead DPA, and thus was satisfied with the respect of WhatsApp’s right to good administration. The EDPB in the end recommended the lead DPA to find infringements of the GDPR against WhatsApp.

On 7 December 2022, the General Court of the CJEU rejected WhatsApp’s appeal based on art. 263 TFEU against the EDPB decision. In order to have standing, the General Court recalled that the plaintiff must evidence (i) that the act has binding legal effects affecting them, and (ii) leaving no discretion on the lead DPA as to how to implement it.

The claim brought by WhatsApp was however deemed to concern a preparatory intermediate act which has not yet created binding legal effects on WhatsApp (i.e., the final decision of the lead DPA may be appealed). The General Court also found that the lead DPA retained some discretion in analysing the “overall practice” of WhatsApp, whereas the EDPB decision only concerned certain aspects.

Further to an appeal of the General Court’s decision, the CJEU adopted the opposite view on these two points. First, the CJEU found that the lack of direct enforceability of the act against the third party is irrelevant for the claim at hand. It instead found “a direct link between that decision and its effects on WhatsApp’s situation”, taking the example that WhatsApp will be required to change its contractual relationship with its users as a result of the EDPB decision, rather than the final decision of the lead DPA.

Second, the CJEU also dismissed the comments from the General Court regarding the certain degree of discretion retained by the lead DPA, since the EDPB decision binds it and all other DPAs to a position they cannot depart from in order to achieve a uniform application of the GDPR.

The original decision of the General Court was thus set aside, and the case was referred back to it to be judged anew.

The need for a uniform application of EU law is not limited to GDPR matters, and is well known to practitioners in the financial sector having to apply guidance and guidelines from the EBA, ESMA, EUIOPA and others, with clear consequences on how e.g. outsourcing agreements are negotiated and agreed upon. How do these fare in light of the above case law?

The CJEU – similarly to Luxembourg administrative courts – has consistently held that soft-law instruments such as guidelines and recommendations are not appealable per art. 263 TFEU (e.g., the rejected appeal of the Fédération bancaire française against the EBA guidelines on internal governance). However, this line is not entirely clear given that the CJEU also holds that certain recommendations may have indirect effects (and are therefore appealable) where the courts are obliged to take them into consideration (see the BT case law regarding EBA decisions further to recommendations made to the Bulgarian National Bank and Bank Deposit Guarantee Fund to comply with the Directive n°94/19 on deposit-guarantee schemes).

In our view, the WhatsApp’s focus on the uniform application of EU law – absent from the above-cited case law – may however take more space in the debates as such goal justifies the binding nature of such soft-law instruments.

This article was published in the February 2026 edition of Agefi Luxembourg.