The European Court of Justice (ECJ) has ruled against the Irish Data Protection Commissioner (DPC) in a case brought forward by the European Data Protection Board (EDPB). The ruling affirms the EDPB’s authority to issue binding instructions to national data protection supervisors, a decision that could have significant implications for tech regulation in the European Union.
The case, which originated from complaints against Meta-owned platforms Facebook, Instagram, and WhatsApp, raised concerns over the extent of the Irish DPC’s regulatory oversight. The ruling is expected to fuel criticism that Ireland’s data protection authorities have been too lenient in policing global tech giants, many of which have their European headquarters in Dublin.
Background of the Case
The dispute dates back to 2018, when individuals from Belgium, Germany, and Austria lodged complaints against Meta, alleging violations of the General Data Protection Regulation (GDPR). The complaints, filed with the non-profit NOYB-European Centre for Digital Rights, accused Meta and WhatsApp of improperly processing user data without sufficient consent.
Given the cross-border nature of the companies’ operations, the Irish DPC acted as the lead supervisory authority. It carried out investigations and drafted decisions for review by other EU data protection regulators. However, concerns emerged over Meta’s targeted advertising practices and potential violations of GDPR provisions regarding user consent and the processing of sensitive data.
As disagreements persisted, the case was referred to the EDPB, which in December 2022 overruled parts of the Irish DPC’s findings. The EDPB mandated further investigations and corrective measures, arguing that the Irish commissioner had failed to fully examine Meta and WhatsApp’s data processing practices.
ECJ Ruling and Its Implications
The ECJ’s General Court upheld the EDPB’s authority, dismissing three legal challenges brought by the Irish DPC. The court ruled that the EDPB has the power to direct a national regulator to conduct further investigations if gaps or insufficient analysis are identified in an original decision.
“The EDPB’s role is to ensure a consistent application of GDPR across the EU, including the ability to address all relevant concerns, even if it requires revisiting earlier stages of an investigation,” the court stated.
The ruling also reinforced the cooperative mechanism between national supervisory authorities, confirming that when disagreements arise, the lead supervisory body must submit disputes to the EDPB for binding resolution. Furthermore, while a lead authority retains the ability to reopen investigations, it must adhere to GDPR deadlines and procedural requirements.
Wider Ramifications
This ruling may intensify scrutiny of the Irish DPC, which has faced long-standing accusations of being too lenient toward multinational tech firms. Privacy advocates argue that Ireland’s regulatory approach has allowed companies like Meta to circumvent stricter enforcement measures that could be applied elsewhere in the EU.
The ECJ ruling reinforces the EDPB’s oversight powers, ensuring that national regulators adhere to a unified standard of data protection enforcement. As tech companies continue to navigate Europe’s evolving regulatory landscape, this decision marks a significant step toward strengthening data privacy governance across the bloc.