By Rowena McCormack & Leo Glover
Published 19 February 2025
Data Protection Commission v European Data Protection Board (In Joined Cases T-70/23, T-84/23 and T-111/23)
The General Court of the European Union has issued a ruling clarifying the authority of the European Data Protection Board to compel lead supervisory authorities to open new investigations in certain circumstances. The decision affirms the EDPB's authority to instruct national supervisory authorities to expand their investigations and issue new draft decisions in cross-border data protection cases.
This decision is also consistent with the continuing efforts of the European Parliament, Council and Commission to improve GDPR enforcement. A summary of the current position of these various proposals was produced by the European Parliament Research Service in December 2024.
Background
The activist group None of Your Business ('NOYB') filed complaints on 25 May 2018 against WhatsApp Ireland Limited, Facebook Ireland Ltd., and Google LLC (the "Platforms") for alleged GDPR violations, specifically regarding the consent requirement under Article 7. NOYB is a non-profit organisation co-founded by privacy activist Max Schrems.
Under the one-stop-shop principle, and on the basis that Meta Platforms Ireland Limited (Meta) and WhatsApp Ireland Limited (WhatsApp) are headquartered in Ireland, the Irish Data Protection Commission (the "DPC") was required to investigate these complaints.
Following its investigations, the DPC submitted draft decisions to other concerned supervisory authorities across the EU. Several authorities raised objections, particularly regarding the scope of the DPC’s investigations and its conclusion that Meta and WhatsApp could rely on Article 6(1)(b) of the GDPR (which allows data processing without consent if necessary for the performance of a contract) as a lawful basis for the processing of users' personal data to deliver personalised services including advertising.
Following a consultation process, the DPC and other supervisory authorities were unable to reach agreement and the DPC ultimately referred the matter to the European Data Protection Board (EDPB) under the consistency mechanism. This mechanism is used where different supervisory authorities take differing views on the correct application of the GDPR. Under this mechanism, the EDPB issues binding decisions which are to be followed by the lead supervisory authority (LSA) in question.
The EDPB issued three Binding Decisions, 3/2022 (Facebook), 4/2022 (Instagram) and 5/2022 (WhatsApp), which upheld a number of the DPC's findings in respect of certain elements of the initial complaints. However, the EDPB disagreed with the DPC's draft decisions in respect of reliance upon 'performance of a contract' as the lawful basis for processing personal data and ordered their removal from the final decision. The EDPB instructed the DPC to conduct further investigations into whether Meta and WhatsApp processed sensitive data and to issue new draft decisions based on the findings.
The DPC accepted the EDPB Binding Decisions in respect of those findings relating to the draft decisions, but challenged the EDPB's remit to require it to open a new investigation. In a press release the DPC stated that the "EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation."
The statement concluded that the direction to open new investigations represented "overreach on the part of the EDPB" and confirmed it would seek to annul the direction via the courts.
Some six years after the initial complaint was made, the challenge to the EDPB was heard in the General Court of the European Union. The submission advanced by the DPC was summarised by the court as an allegation that "the EDPB exceeded the competence conferred on it by Article 65(1)(a) of Regulation 2016/679 by requiring it, in each of the binding decisions at issue, (i) to carry out a new investigation on aspects not yet examined, and (ii) to issue a new draft decision in accordance with Article 60(3) of that regulation on the basis of the results of that new investigation." The DPC also relied upon Article 4(24) and Article 65(6) of the GDPR to argue that the scope of any binding decision was limited "to the scope of the analyses carried out by [the lead supervisor's] draft decision…".[1] The DPC argued that the "provisions in question do not confer any power on the EDPB to issue instructions to that authority concerning another subject, for example, to oblige it to carry out an investigation or submit a new draft decision".[2]
The General Court rejected the DPC’s arguments, holding that the EDPB’s instructions were within its remit under the GDPR. The court emphasised that the EDPB’s role is to ensure the consistent application of the GDPR across the EU and that its binding decisions must address all matters raised in objections from other supervisory authorities. In this instance, the General Court noted that the EDPB’s decisions were based on objections that highlighted significant risks to the fundamental rights and freedoms of EU data subjects, particularly in relation to the processing of sensitive data. In light of that, the General Court found that the EDPB was justified in requiring the DPC to conduct further investigations to determine whether Meta and WhatsApp had complied with their obligations under the GDPR.
It is worth noting that the General Court considered but rejected the DPC’s argument that the EDPB’s instructions would undermine the “one-stop-shop” mechanism, which is designed to streamline data protection enforcement by designating a single lead supervisory authority. While the one-stop-shop mechanism aims to simplify procedures, the General Court found that it was never intended to take precedence over the GDPR’s fundamental objective of protecting individuals’ personal data.
The full judgment can be found here.
Closing remarks
The General Court's judgment helpfully provides much-needed clarification on the interplay between the remit of the national supervisory authorities and the EDPB, particularly with regard to defining a national supervisory authority's broad powers on enforcement procedures.
However, the extensive delays expose a shortfall in the enforcement mechanisms under the GDPR: nearly seven years after the original complaint (a period taken up with investigations, consultations, and legal challenges), the DPC finds itself on the wrong side of a ruling to investigate the Platforms' processing of sensitive data. In turn, NOYB's complaint is no further advanced than it was in 2018.
[1] Paragraph 34, In Joined Cases T-70/23, T-84/23 and T-111/23
[2] Paragraph 34, In Joined Cases T-70/23, T-84/23 and T-111/23