The European Data Protection Board's role of maintaining consistent and harmonized EU General Data Protection Regulation enforcement received a boost via the European General Court. On 29 Jan., the court ruled in favor of the EDPB's 2023 binding decision calling on Ireland's Data Protection Commission to carry out separate investigations into certain areas of Meta's data processing rather than bundling several alleged GDPR violations without full consideration of individual allegations.
The ruling, which the Irish DPC can appeal to the Court of Justice of the European Union, clarifies the EDPB's authority to compel lead supervisory authorities to further explore GDPR violations without infringing on the competence or independence of a given member state's data protection authority.
The EDPB told the IAPP it welcomed the dismissal of the DPC's challenge while urging EU institutions to "ensure" current negotiations on the proposed regulation to harmonize cross-border GDPR enforcement "will be fully in line with this ruling."
In a statement to the IAPP, the Irish DPC said, "We note the court's decision and are currently reviewing it." The challenge was first initiated in February 2023 when the DPC was led by former Commissioner Helen Dixon. The lawsuit was among the final actions of Dixon's tenure before the DPC moved to a multi-commissioner format.
The DPC issued a preliminary 5.5 million euro fine to Meta's WhatsApp in December 2022 over a violation of GDPR transparency principles and forcing users to consent to the processing of their data in the Terms of Service. After an Article 65 dispute-resolution process carried out by the EDPB regarding the DPC's draft decision, the board issued its binding decision confirming the fine but called for "fresh investigations" into potential Article 9 GDPR violations around WhatsApp's processing of special categories of personal data.
A 19 Jan. 2023 statement from the DPC set the stage for its eventual lawsuit contesting the EDPB's perceived overreach. The Irish regulator opined the EDPB "does not have a general supervision role akin to national courts" while also noting the binding order to broaden an investigation "does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR."
Simona Demkova, an assistant professor in European law at Leiden University's Europa Institute, told the IAPP the General Court's ruling "reinforces the balance between efficient GDPR enforcement and fundamental rights protection." She noted the court's deference to the EDPB's role and authority under the GDPR signals "reliance on general principles of EU law ... where sincere cooperation shaped enforcement coordination between data protection and competition authorities."
In its statement to the IAPP, the EDPB also emphasized support for the GDPR enforcement harmonization proposal's "tools to foster consensus among DPAs on the scope of the investigation at an early stage." However, the board also indicated its desire for any procedural legislation to uphold board members' current ability to "raise relevant and reasoned objections on the scope" of a given investigation once it is completed.
NOYB Honorary Chair Max Schrems brought the original complaint against Meta that created the strain between the EDPB and the DPC. In a public statement, Schrems said the dismissal of DPC claims essentially restarts the Meta cases "from square one," as the DPC must now open those EDPB-mandated investigations. He added, "Any final decision will take years before the DPC and before the Irish courts."
Joe Duball is the news editor for the IAPP.