CJEU and the Powers of EDPB

/by Christina Etteldorf/

It is not only due to its beautiful landscapes but also because of its attractive legal framework for businesses compared to other EU Member States that Ireland has become the location of choice for some of the largest (mostly US-based) tech companies to establish their European branches. As a result, Ireland has also become a central hub for processing the personal data of countless EU citizens due to the data-driven business models of these companies. The Irish Data Protection Commission (DPC), as the lead supervisory authority under the GDPR’s one-stop-shop mechanism, consequently bears a lot of responsibility and thus, data protection authorities (DPAs) from other Member States closely scrutinize the DPC’s decisions. Since these DPAs are not always fully satisfied with the DPC’s findings in cross-border proceedings, the GDPR’s consistency mechanism has frequently been triggered, leading the European Data Protection Board (EDPB) to assert its authority in certain cases by directing the DPC, sometimes more and sometimes less precisely, to reassess its decisions. While the EDPB’s approach is welcomed by most authorities in the interest of coherence and consistency in the uniform application and enforcement of the GDPR, the DPC has partly viewed it as an encroachment on its regulatory powers and overall independence. Most recently, the DPC brought an action before the General Court of the European Union to annul some of the EDPB’s particularly ‘invasive’ binding decisions concerning the Meta group—albeit unsuccessfully. In its judgment of 29 January 2025 in joined cases T-70/23, T-84/23 and T-111/23, the General Court did not follow the arguments of the DPC, but rather strengthened the conciliation and regulatory powers of the supranational body vis-à-vis its members.

Meta Once Again the Subject of Contention

The legal dispute arose from three complaints filed by individuals, supported by the non-profit association NOYB, with different national DPAs regarding the unlawful processing of their personal data by Meta services Facebook, Instagram, and WhatsApp. Specifically, it was alleged that Meta unlawfully relied on a ‘forced consent’ when processing personal data for behavioural advertising. However, the subsequent investigation by the DPC, acting as the lead supervisory authority, addressed the lawfulness of data processing in the company’s business model per se, raising issues of broad relevance across the EU given the millions of users of these platforms.

In its draft decisions, which had to be submitted to its colleagues at the EDPB due to the case’s cross-border implications, the DPC found that Meta had indeed violated its transparency and information obligations under Articles 25(1)(a), 12, and 13(1)(c) of the GDPR regarding all three services. It also proposed financial penalties. However, the key point of contention among the other DPAs—and the reason for the reasoned objections filed by ten of them—was not only the perceived inadequacy of the proposed fine and corrective measures but, more importantly, what the DPC had omitted: it had not found any violations of Articles 6 and 9 GDPR. In the view of the objecting DPAs, Meta could not justify its data processing activities in the first place.

The DPC had taken the stance that Meta did not necessarily need to obtain separate consent for different processing purposes but could rely on the legal basis that processing was necessary for the performance of a service contract with users (Article 6(1)(b) GDPR). It argued that Facebook and Instagram in particular include, and indeed appear to be premised on, the provision of a personalised service that includes personalised or behavioural advertising and that ‘this reality is central to the bargain struck between users and their chosen service provider, and forms part of the contract concluded at the point at which users accept the Terms of Service’. As for the processing of personal data in the context of personalised advertising, the DPC had not even investigated whether the social networks in question had also processed special categories of personal data, which would have rendered the contract as a legal basis invalid under Art. 9 of the GDPR and would in any case have required consent.

Clear Instructions from the EDPB to the DPC

Since the DPAs could not reach a consensus—unsurprisingly given their divergent legal views—the EDPB was required to intervene under Article 65(1)(a) GDPR. At the end of 2022, the Board issued three binding decisions regarding Facebook (Decision 3/2022), Instagram (Decision 4/2022) and WhatsApp (Decision 5/2022). Following a thorough examination, the EDPB explicitly instructed the DPC to remove the reliance on Article 6(1)(b) GDPR from its draft decision and instead find a violation of Article 6(1) GDPR for certain processing operations. It also mandated corrective measures and adjustments to the proposed fines. Additionally, the DPC was instructed to conduct new investigations or expand its existing investigations to clarify concerns raised by the other DPAs, such as the processing of particularly sensitive user data or the further processing of user data (e.g. transferring them to third parties for the purpose of service improvement).

The DPC implemented the requirements set by the EDPB, insofar as these did not necessitate further investigations, in its final decisions on Facebook, Instagram and WhatsApp in January 2023, ruling in particular against the possibility of relying on Art. 6(1)(b) GDPR. It did not do so, however, without publicly expressing its displeasure: the DPC’s press release stated that ‘[t]he EDPB does not have a general supervision role akin to national courts in respect of national independent authorities and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation. The direction is then problematic in jurisdictional terms, and does not appear consistent with the structure of the cooperation and consistency arrangements laid down by the GDPR’. Therefore, to the extent that the direction may involve an overreach on the part of the EDPB, the DPC considered it appropriate to bring an action for annulment before the Court of Justice, and did so.

A Clear Message from the CJEU: A Decision in Favor of Coherence

The key issue in the case was the interpretation of Articles 65(1)(a) and (6) and Article 4(24) GDPR, particularly regarding whether a binding decision ‘concerns all the matters which are the subject of the relevant and reasoned objection’. The DPC argued that extending the investigation was not part of the objections raised by the DPAs and, therefore, should not have been subject to a binding decision. Conversely, the EDPB contended that extending the investigation was an inevitable consequence of its directive to reject Meta’s reliance on Article 6(1)(b) GDPR and to assess the applicability of Article 9 GDPR.

The General Court ultimately sided with the EDPB’s broader interpretation after considering the wording, context, and purpose of the provisions in question. It reasoned that any alternative interpretation would significantly weaken the consistency mechanism, as it would prevent supervisory authorities from challenging the lack of or insufficient analysis by a lead authority. Furthermore, the Court determined that Article 65(6) GDPR, which requires the lead authority to take the final decision based on the EDPB’s binding decision within one month, does not limit the scope of the EDPB’s powers but merely establishes the procedural timeline. The context of the consistency mechanisms as a whole, the General Court held, suggests that the cooperation between the DPAs concerned relates to the analysis of the case as a whole and the preparation of the decision in its entirety. It also rejected the DPC’s argument in favour of a narrower interpretation that a lack of consensus between DPAs can be remedied by recourse to judicial review by national courts. The mere possibility of referring a question of this kind to the national courts – which, incidentally, would not necessarily be easy for a complainant residing in a state other than that of the lead DPA – could not mean that lasting disputes could not be resolved within the EDPB.

On the issue of independence, the General Court clarified that the GDPR’s requirement for independent DPAs does not imply absolute independence in the sense of the absence of any scrutiny. The Court emphasised that the EDPB itself is composed of independent authorities and that its decision-making process, which includes majority requirements for binding decisions, ensures that the balance of independence is maintained within the EU’s regulatory framework. The ruling reaffirmed that the EDPB’s power to adopt binding decisions applies only when there is a clearly identified shortcoming in the lead authority’s analysis that could have significant consequences. Additionally, it reiterated that while the EDPB has the authority to issue binding decisions, the final arbiters of the DPAs remain the national courts, which can also review EDPB decisions substantively.

Looking ahead

With its decision, the General Court has significantly strengthened the role of the EDPB, reinforcing a coordinated and consistent enforcement of the GDPR across the EU. This development is particularly beneficial for data subjects, ensuring greater protection and uniform application of data protection laws across Member States. However, from the perspective of data controllers, this ruling could weaken the advantages of the one-stop-shop mechanism, as companies can no longer rely solely on agreements with their lead supervisory authority. The ruling also raises questions about the EDPB’s authority in both complaint-based and own-initiative investigations of DPAs, as the judgment – unlike the EDPB Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679 – does not explicitly differentiate between these contexts. Additionally, the Court has yet to decide on further appeals against the EDPB’s decisions, with Meta also challenging the binding decisions in pending cases T-128/23 and T-129/23. The arguments in those cases, however, are not only that the EDPB exceeded its powers (also from the perspective of the data controller concerned), but also that the binding decisions contain substantive flaws, namely that the EDPB interpreted the concept of necessity for a contract under Art. 6(1)(b) GDPR in an excessively narrow manner and ‘failed to act as an impartial body’.

For now, the DPC will have to continue its investigations into Meta unless it chooses to refer the matter to the European Court of Justice. Given the timeline of the original investigation, which began in 2018, it may still take several years before a final determination is made regarding the GDPR compliance of Meta’s business model, particularly in relation to behavioural advertising.

Christina Etteldorf, Institut für Europäisches Medienrecht (EMR), Saarbrücken (Germany)