Introduction
On the 29th of January this year, the General Court dismissed the Irish Data Protection Commission’s (DPC) action seeking to annul parts of three decisions issued by the European Data Protection Board (EDPB) (Joined Cases T-70/23, T-84/23, and T-111/23). In these decisions, the EDPB directed the DPC to expand its investigation into the data processing activities of Facebook Ireland Ltd (now Meta) concerning its Facebook and Instagram services, as well as WhatsApp Ireland Ltd (hereafter WhatsApp). Additionally, the DPC was required to submit a new draft decision based on the findings of this extended investigation (see EDPB Decisions 3/2022, 4/2022, and 5/2022). This judgment offers important clarifications on the scope of the EDPB’s decision-making powers, the rationales behind the General Data Protection Regulation’s (GDPR) cooperation and consistency mechanisms, and the complete independent status of supervisory authorities; these clarifications are also relevant for the ongoing trilogues on the Commission Proposal for a Regulation laying down additional procedural rules relating to the enforcement of the GDPR (hereafter Commission Proposal for a GDPR Procedural Regulation). But ultimately, in its judgment, the General Court took a strong stance as regards the prioritization of the protection of fundamental rights to privacy and personal data protection over efficiency considerations.
Background to the case: the saga continues
In 2018, complaints in accordance with Article 77 of the GDPR were filed with the respective data protection authorities in Austria, Belgium, and Germany against Meta and WhatsApp through the non-profit organization NOYB – European Centre for Digital Rights. Given the cross-border nature of the data processing, the complaints were forwarded to the Irish DPC, the lead authority under the GDPR’s one-stop-shop mechanism as Meta and WhatsApp have their main establishments in Ireland (Article 56(1) GDPR). The complaints alleged violations of multiple GDPR provisions, including Article 9, which governs the processing of special categories of personal data. However, the DPC opted not to investigate this aspect of the complaint, stating that the inquiry had already addressed the fundamental issue on which the complaint depends, making a broader assessment into Article 9 unnecessary (EDPB decisions 3/2022, para. 186; 4/2022, para. 191; 5/2022, para. 177). Consequently, its draft decision omitted any conclusions on this provision of the GDPR.
As the cases involved cross-border complaints, the DPC was required to submit its draft decisions to concerned authorities under the GDPR’s cooperation mechanism (Article 60) – i.e., authorities with whom the complaint was originally lodged, authorities on whose territory the controller has other establishments than the main establishment, and authorities of the Member State in which data subjects (likely to be) affected reside. The cooperation mechanism is supposed to prevent the lead authority from adopting a go-it-alone attitude (Council Doc. 10139/14, para. 11). For that purpose, concerned authorities may raise relevant and reasoned objections to the draft decision, which the lead supervisory authority shall take utmost account of (Articles 4(24) and 60(4) GDPR). Indeed, several authorities objected to the DPC’s draft decisions, arguing that Meta and WhatsApp’s personal data processing might involve special categories of personal data and that the DPC should have expanded its investigation to assess compliance with Article 9 of the GDPR. The DPC, however, deemed these objections insufficiently reasoned and declined to follow them (see EDPB decisions 3/2022, para. 162; 4/2022, para. 166; 5/2022, para. 175). Consequently, the dispute was escalated to the EDPB for dispute resolution under Article 65(1)(a) GDPR.
The EDPB rejected the DPC’s conclusions, finding the objections from the concerned authorities both relevant and reasoned, warranting further assessment on the merits. The EDPB criticized the DPC for failing to address risks related to the potential processing of special categories of personal data, affecting not only the complainants but all Facebook, Instagram, and WhatsApp users (EDPB decisions 3/2022, para. 193; 4/2022, para. 198; 5/2022, para. 217). Additionally, the EDPB took a strong stance on the supervisory authority’s duty to handle complaints, concluding that the DPC did not handle the complaints with all due diligence. The EDPB also noted that structurally renouncing objections as not being relevant and/or reasoned restrains the ability of concerned authorities to act and mitigate risks to data subjects through sincere and effective cooperation. In other words, authorities cannot eschew essential dialogue (EDPB decisions 3/2022, paras. 194–195; 4/2022, paras. 199–200; 5/2022, paras. 218–220). Yet, due to the DPC’s limited inquiry, the EDPB lacked sufficient evidence to determine by itself whether Meta and WhatsApp had violated Article 9 of the GDPR. As the EDPB has no information gathering or investigative powers, it decided that the DPC must conduct a new investigation into the processing of special categories of personal data and assess compliance with GDPR obligations. Based on the findings, the DPC is required to issue a new draft decision (EDPB decisions 3/2022, para. 198; 4/2022, para. 203; 5/2022, para. 222).
The DPC sought to annul these parts of EDPB decisions 3/2022, 4/2022, and 5/2022, arguing before the General Court that the EDPB had exceeded its powers under Article 65(1)(a) of the GDPR by ordering a new investigation and draft decision (Joined Cases T-70/23, T-84/23 and T-111/23, para. 17).
The General Court’s judgment: the EDPB did not exceed its competences
On the basis of a literal, contextual and purposive interpretation, the General Court gave short shrift to the DPC’s narrow understanding of Articles 65(1)(a), 65(6) and 4(24) of the GDPR. While the DPC argues that these provisions limit the scope of the EDPB’s binding decisions to the scope of the analysis carried out by the lead supervisory authority, the General Court reminds the DPC that a binding EDPB decision shall concern all matters brought forward in the relevant and reasoned objections, in particular whether there is an infringement of the GDPR (Joined Cases T-70/23, T-84/23 and T-111/23, para. 35). Importantly, the General Court continues by clarifying that relevant and reasoned objections of concerned supervisory authorities are not limited to considerations set out in the draft decision. In the words of the Court: “there is nothing to prevent […] an objection from relating to the absence or inadequacy of analysis […] which makes it impossible to know whether or not there is an infringement of [the GDPR] as regards that aspect” (Joined Cases T-70/23, T-84/23 and T-111/23, para. 35). Hence, where relevant and reasoned objections related to the scope of the investigation give rise to disputes and are referred to the Board, the latter can decide on these disputes.
The General Court explicitly states that thereby the EDPB does not exceed the competences conferred upon it (see Article 5 TEU), nor the limits posed to the conferral of power upon EU bodies as established by the Meroni doctrine (Case 9/56 Meroni v High Authority). As regards the latter, the General Court concludes that the EDPB’s dispute resolution powers are expressly provided for by the EU legislature, they are precisely delineated, and subject to judicial review (Joined Cases T-70/23, T-84/23 and T-111/23, para. 71).
The cooperation and consistency mechanisms: fundamental rights protection over efficiency
In addition to confirming the scope of the EDPB’s decision-making powers, the Court reminded the supervisory authorities of their duties under the GDPR’s cooperation mechanism. First, it emphasized that authorities must jointly agree on decisions in cross-border cases, which assessment includes the scope of the analysis (Joined Cases T-70/23, T-84/23 and T-111/23, para. 38). Secondly, the General Court clarified that while Article 58(1)(f) of the GDPR requires an investigation to the extent appropriate, the lead authority cannot unilaterally decide on the appropriateness of the scope of the investigation and exclude this question from the cooperation and consistency mechanisms (Joined Cases T-70/23, T-84/23 and T-111/23, para. 50).
These reminders are crucial, as individuals may encounter substantial challenges when seeking protection of their rights directly against data controllers and processors, inter alia due to the clear power imbalance between the two parties and the difficulties with claiming damages before civil courts (see C-300/21 Österreichische Post). Given these difficulties and a lack of incentive to ensure enforcement through private claims, complaint procedures become of fundamental importance (Hofmann and Mustert 2024). However, where some supervisory authorities apply selective criteria – overt or covert – regarding which complaint to handle and which aspects of the complaint to investigate, the complaint procedure fails to function as a mechanism ensuring the protection of a data subject’s rights to privacy and personal data protection. Instead, complaint procedures then rather seem to inform supervisory authorities, contrary to the CJEU’s interpretation of the role of complaint procedures in safeguarding individuals’ rights (C-768/21 Land Hessen). The cooperation and consistency mechanisms are essential in overcoming such inconsistent and unequal complaint handling across the Member States (Council Doc. 10139/14, para. 11), and empower all supervisory authorities to protect their data subjects, even where data subjects are affected by data processing which physically takes place outside their territory (Council Doc. 15656/1/14 REV 1, p. 5). Their effectiveness would be undermined if the lead authority alone could determine the scope of an investigation (Gentile and Lynskey 2022; Mustert 2023). Therefore, the General Court’s clarification is crucial, as it explicitly confirms that concerned authorities and the EDPB can address selective investigation approaches through these mechanisms.
Additionally, contrary to the DPC’s claims, the General Court concludes that reopening an investigation does not impose superfluous costs and excessive inconveniences upon the complainants and investigated parties. The General Court firmly asserts that procedural simplification cannot take precedence over the GDPR’s core objectives – the protection of natural persons’ fundamental right to the protection of their personal data (Joined Cases T-70/23, T-84/23 and T-111/23, para. 56). Moreover, the disadvantages referred to by the DPC could have been avoided if the lead supervisory authority had conducted a comprehensive investigation from the outset. This highlights the critical need for consensus on the scope of an investigation prior to commencing it – an aspect many authorities neglect (Mustert 2023).
The Commission Proposal for a Regulation streamlining GDPR enforcement
The importance of early consensus finding is also reflected in the Commission Proposal for a GDPR Procedural Regulation, which, inter alia, aims to establish meaningful engagement of concerned authorities at an early stage of the enforcement procedure (COM/2023/348 final). For that purpose specifically, it requires the lead authority to draft a summary of key issues once it has formed a preliminary view on the main issues of the case, including a preliminary identification of the scope of the investigation (Articles 9 and 10). Concerned authorities then have four weeks to comment on the summary, fostering early consensus on the investigation’s scope and necessary actions. However, the EDPB and the European Data Protection Supervisor (EDPS) have been critical of this Proposal, raising important questions, such as: why, for example, does the Proposal establish that the lead authority shall only communicate complex legal and technical assessments? Why is there no requirement for the lead authority to engage with the concerned authorities’ comments? And why does the Commission allow the EDPB to impose restrictions on the maximum length of comments submitted to the summary of key issues? (EDPB-EDPS opinion 01/2023, paras. 52, 54 and 60).
A further concern is that the Commission proposes that, in cases of disagreements on complaint-based investigations, the lead authority shall submit the matter to the EDPB for urgent decision-making (Commission Proposal, Article 10(4)). This obligation can easily be circumvented by the lead authority where it commences an own-volition inquiry and separates it from the complaint, an approach frequently taken by the DPC, as seen in its own-volition inquiry into WhatsApp Ireland, which was brought to its attention by several complaints (EDPB decision 01/2021). In light of this, it is even more worrisome that the Proposal restricts the ability of concerned authorities to raise objections to the draft decision once they have participated in the early stages of the enforcement procedure. Under Article 18(2)(a) of the Commission Proposal, relevant and reasoned objections would no longer be allowed to broaden the scope of an investigation or introduce additional allegations. Yet, disagreements on these issues can arise at any stage and limiting objections would unduly weaken the role of concerned authorities in enforcement (EDPB-EDPS opinion 01/2023, para. 95). It would also prevent such disputes from being resolved through the EDPB’s dispute resolution mechanism. It is to be hoped that the General Court’s ruling will prompt the institutions to reassess their approach.
Supervisory authorities do not act in absolute independence
Lastly, the General Court clarified that by requiring the DPC to broaden its investigation, the authority’s complete independent status, as enshrined in Articles 16(2) TFEU and 8(3) CFR, has not been called into question. Even more so, the Court emphasized that these provisions “do not imply that the authorities of the Member States […] have absolute independence” (Joined Cases T-70/23, T-84/23 and T-111/23, para. 82). In fact, supervisory authorities entrusted with the task to monitor compliance with the GDPR are subject to a system of mutual scrutiny between these independent authorities, which includes the EDPB; “[w]hat is important, is that the bodies scrutinizing the supervisory bodies should themselves be independent” (Joined Cases T-70/23, T-84/23 and T-111/23, para. 82). While this brings an end to any question as regards the exact reach of the supervisory authorities’ complete independent status as regards this mechanism, it is worrisome that the General Court so easily passes by the fact that the GDPR does not set equal standards for the EDPB’s independence compared to the national supervisory authorities (e.g., see Articles 52-54 compared to Article 69). Furthermore, questions have been raised as regards the Commission’s right to be involved and informed regarding every activity of the EDPB (for concerns as regards the Commission’s role in GDPR enforcement, see EDPS Opinion 7 March 2012).
Concluding remarks
The General Court’s judgment offers key clarifications as regards perennial issues of GDPR enforcement, particularly as regards the broad discretion granted to the supervisory authorities to determine the required course of action. Effective cooperation and consistency mechanisms are then essential for ensuring that authorities can jointly decide in individual cases, ultimately leading to more consistent and legally sound outcomes in complaint and enforcement procedures. Clearly defined powers for concerned authorities and the EDPB are crucial in this regard, and this judgment contributes to defining them. However, it is concerning that the Commission Proposal appears to move in the opposite direction, further expanding the role of the lead supervisory authority. It is to be hoped that the General Court’s ruling will lead the EU institutions to reassess their approach.
Lisette Mustert is an Assistant Professor of Administrative Law at Utrecht University, and a member of the Utrecht Centre for Regulation and Enforcement in Europe (RENFORCE). Prior to joining Utrecht University, Lisette defended her doctoral thesis on Cross-border enforcement of the GDPR by independent administrative authorities at the University of Luxembourg in July 2023.
Lisette conducts research at the intersection of EU and national administrative law. Her expertise lies particularly in the field of complaint handling and enforcement of the General Data Protection Regulation, and public enforcement of EU law more generally. Her research interests also include questions of effectiveness, good administration and the protection of fundamental rights – such as the right to effective judicial protection – in the EU’s integrated administration.