Enforcement of the EU General Data Protection Regulation started with a bang Jan. 4 as Ireland's Data Protection Commission adopted final decisions on two inquiries into Meta’s Facebook and Instagram. The decisions focused on Meta subsidiaries’ use of contract as a legal basis for its personalized advertising model and led to steep 390 million euro fines for the company’s household brands. You can take a look at the IAPP’s initial reporting and our refresher of the GDPR’s six legal bases for personal data processing as the IAPP team produces additional resources and reporting.
As the decisions themselves are not yet public, privacy pros so far must rely on the DPC press statement, with an eye toward what it tells us about what the substance of the decisions may be and how the DPC navigated the dispute resolution mechanism. This mechanism has led to seven decisions so far at the European Data Protection Board level. Its contours are described in Articles 60 and 65 of the GDPR and in the EDPB FAQ, but its inner workings can remain somewhat obscure for the lay person.
Setting aside the merits of the decisions while we wait for them to become public, several aspects of the statement are worth attention. Some are clear and provide insight into the dispute resolution mechanism from a process perspective; other elements are more sibylline so we can venture a few conjectures on what it could imply about the dynamics at play.
First, the stakeholders involved. The EDPB FAQ reads: “When a Lead Supervisory Authority … issues a draft decision, it consults the Concerned Supervisory Authorities, which can express their disagreement with the draft decision by submitting relevant and reasoned objections within a period of four weeks (Art. 60 (4) GDPR).”
The DPC statement tells us that in the case of its Meta decisions, 10 of the 47 CSAs raised objections to some elements of the DPC’s draft decisions. In fact, this should be read as CSAs from 10 countries having raised objections, for both the Facebook and Instagram decisions (knowing that some countries can have several SAs raising objections, as in Germany, for instance).
Conjecture one
Although the EDPB decision requires a two-thirds majority of CSAs, one can read this segment to mean that, in effect, the binding determinations of the EDPB could have relayed the views expressed by a minority of CSAs. It would be instructive to be a fly on the wall to get a better sense of the dynamics in the room of the drafting team. Does the size of the CSAs matter in this regard? We can easily imagine that a group of CSAs with time and resources would push, in a very assertive way, their interpretation of how the case should go, leaving the option for many to simply follow.
Then, there is the remit of the determinations. The DPC statement mentions that the objections expressed by 10 CSAs and retained in the final decisions touched on the legal basis used by Meta Ireland, the matter at the heart of the inquiries, and that the EDPB determinations rejected many other objections raised. It is worth noting the EDPB determinations reflect an ask from some CSAs (whether the 10 or a subset is unclear) to add an additional breach of the “fairness principle” to the DPC final decisions, a breach which was not in the DPC draft decisions.
In its Guidelines 03/2021 on the application of Article 65, the EDPB clearly states a CSA can argue in its objection that, in its view, the findings amount to a GDPR provision infringement other than or additional to those already analyzed by the LSA in its draft decision and that, if so, “the LSA will be obliged to reflect this in its final decision, taking into account the binding decision of the EDPB in relation to the objection raised” (section 4.2.2).
This gives us a view into how the EDPB and SAs apply the criteria of “relevance and reasoned opinion” in practice (as set by Article 4(24) of the GDPR and further defined in the EDPB Guidelines 09/2020) and how transformative this step of the process can be.
Conjecture two
CSAs and the EDPB have to work through a significant amount of documentation and analysis in a four-week time crunch (possibly extended by one month and, as just demonstrated, over holidays). Given ongoing reports that SAs across the EU/European Economic Area are largely understaffed and under-resourced, could the EDPB secretariat, though not immune to the same resource challenges, be empowered in its role as “lead rapporteur” and increasingly become a driver on the substance in debating and processing Article 65 cases?
Conjecture three
And then there is the apparent power struggle involved in the case. The last paragraph of the DPC statement seems to suggest some tension between the DPC and EDPB: “to the extent that the direction (to conduct a fresh investigation spanning all of Facebook and Instagram’s data processing operations) may involve an overreach on the part of the EDPB, the DPC considers it appropriate that it would bring an action for annulment before the Court of Justice of the EU in order to seek the setting aside of the EDPB’s directions.”
The DPC’s confirmation that it will launch this case suggests the DPC believes its independence (and that of its fellow SAs) is endangered by an EDPB instructing the DPC.
Finally, a fight about regulator independence will have to be brought before the EU General Court. One big question is how many DPAs will stick with the DPC to support such a claim? Contesting a case against the EDPB, and possibly going against regulators that support how the system ends up working, may be politically loaded.
Cooperation and independence are indeed challenging to balance.