The European Court of Justice has found against the Irish Data Protection Commissioner following a case taken by the EU's main data protection board.
The case originally relates to the processing of user data from Facebook, Instagram and WhatsApp but broadly concerns whether the EU's data protection board can direct national data supervisors to follow a certain course of action.
The case is likely to revive allegations by data privacy campaigners that the Irish data protection authorities are not strict enough when it comes to keeping global tech companies, many of which have their European headquarters in Ireland, in check.
Following complaints by citizens in Belgium, Germany and Austria, the European Data Protection Board (EDPB) decided to review draft decisions made by the Irish Data Protection Commissioner in actions against the three tech operators.
This morning, the General Court of the ECJ ruled that the EDPB can overrule a national supervisor, in this case the Irish Data Protection Commissioner.
The court found that the EDPB can issue binding instructions to the Irish commissioner to conduct further investigations and adopt new decisions.
The case goes back to 2018, when three individuals from Belgium, Germany and Austria issued complaints against Meta, the owner of Facebook, and Whatsapp.
The complaints, brought forward by the non-profit NOYB-European Centre for Digital Rights, were lodged against Facebook Ireland Ltd (now Meta) and WhatsApp Ireland Ltd.
The complaints focused on alleged breaches of the EU's General Data Protection Regulation (GDPR) when it came to processing data from Facebook, Instagram, and WhatsApp users.
Due to the cross-border nature of the companies' operations, and the fact that they are headquartered in Ireland, the Irish Data Protection Commission (DPC) acted as the lead supervisory authority.
The DPC carried out investigations and prepared draft decisions for input from other EU data protection authorities.
The complaints revolved around the alleged violations of the GDPR provisions covering the rules for processing personal and sensitive data.
Other supervisory authorities put forward their own data privacy concerns, particularly regarding Meta and WhatsApp's targeted advertising practices and the lack of user consent for processing sensitive data.
Since the different supervisory authorities could not reach a consensus on these objections, the Irish data protection authorities referred the matter to the European Data Protection Board (EDPB).
In December 2022, the EDPB issued binding decisions which went against the Irish commissioner’s analysis.
The DPC had argued that Meta and WhatsApp could rely a priori on the GDPR Regulation to justify the lawfulness of the data processing they carried out.
Following its binding decisions, the EDPB asked the Irish DPC to withdraw the findings related to final decisions, including the finding that user consent was not required for the data processing carried out.
The European board also demanded that the DPC find certain infringements of the GDPR, and to adopt corrective measures, in relation to Meta and WhatsApp.
Furthermore, the EDPB directed the Irish commissioner to conduct further investigations into whether Meta and WhatsApp processed sensitive data under Article 9 of the GDPR and whether such processing complied with the GDPR.
In response, the Irish DPC challenged the EDPB’s authority to impose these measures through binding decisions.
This led to three legal actions taken by the Irish commissioner in early 2023.
In all three cases, the Irish DPC alleged that the EDPB had exceeded its competence by requiring the DPC to conduct a new investigation into aspects not yet examined and also to submit a draft additional decision on the basis of the results of that new investigation.
In the case taken, the Irish DPC sought the annulment of the provisions instructing it to broaden the scope of its investigations and to draw up new draft decisions.
In its judgment today, the General Court dismissed the three cases taken by the Irish Data Protection Commissioner.
The court held that the EDPB’s competence includes the ability to issue binding instructions to a lead supervisory authority, in this case the Irish commissioner, to conduct further investigations and adopt new decisions "if there are gaps or insufficient analysis in the original decision".
Judges found that the EU’s data protection rules allow the EDPB to address all relevant and reasoned objections, even if it requires revisiting earlier stages of the investigative process.
The court also found that the scope of the analysis must extend beyond a complainant's specific claims to ensure full compliance with the GDPR.
As such the court found that the EDPB's authority allows it to call for broader investigations when necessary.
The court also ruled that the cooperative mechanism between national supervisory authorities supported the EDPB’s role.
While the mechanism is flexible, allowing for reconsideration and further analysis when authorities cannot reach a consensus, the lead supervisory authority must submit the matter to the EDPB for a binding decision when a dispute arises.
Even after a binding decision, the lead supervisory authority may reopen the investigation to address unresolved issues, provided it delivers a final decision within the GDPR’s deadlines.
The ECJ also confirmed that granting the EDPB the power to mandate broader investigations is consistent with EU principles although such power is subject to judicial review.
The court found that requiring broader investigations does not compromise the independence of the lead supervisory authority or its ability to prioritise tasks.
