Joined Cases T‑70/23, T‑84/23 and T‑111/23

(Published in extract form)

Data Protection Commission

v

European Data Protection Board

Judgment of the General Court of 29 January 2025

(Protection of personal data – Article 65(1)(a) of Regulation (EU) 2016/679 – Binding decision instructing a lead supervisory authority to broaden the scope of its investigation and issue a new draft decision – Competence of the European Data Protection Board)

Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Competence of the European Data Protection Board (EDPB) – Scope – Binding decision instructing a lead supervisory authority to broaden the scope of an investigation and issue a new draft decision – Included

(Art. 39 TEU; Arts 16(1) and (2), 101 and 102 TFEU; Charter of Fundamental Rights of the European Union, Art. 8(1) and (3); European Parliament and Council Regulation 2016/679, recitals 126, 136 and 141 and Arts 4(24), 57(1)(a) and (f), 58(2), 60, 65(1)(a), (2), (3) and (6) and 66)

(see paragraphs 35, 36, 38-40, 43-45, 49-54, 56-59, 62, 63, 68-75, 77-82)

Résumé

Sitting in extended composition, the General Court dismisses the action of the Data Protection Commission – the Irish supervisory authority for personal data protection – seeking annulment in part of the binding decisions of the European Data Protection Board (EDPB) at issue. In its judgment, it rules, for the first time, on the competence of the EDPB to require a national supervisory authority to broaden its analysis of a case and, if necessary, its investigation.

After exchanges with the other supervisory authorities concerned, the Data Protection Commission, as the lead supervisory authority, found that there was no consensus on the objections to its draft decisions concerning the cross-border processing of data in connection with the use of the social network Facebook, the social network Instagram and the messaging service WhatsApp. As a result, it referred the matter to the EDPB through the consistency mechanism. ( 1 )

Following the examination of the three files, the EDPB, considering that most of the objections to the draft decisions were relevant and reasoned, decided to adopt a position on the matters they raised.

Thus, on 5 December 2022, it adopted binding decisions requiring the Data Protection Commission to carry out new investigations into the data processing carried out in connection with the use of the three abovementioned applications and, on the basis of the results thereof, to issue new draft decisions.

The Data Protection Commission then challenged the EDPB’s power to impose such measures on it by means of binding decisions.

Findings of the Court

In the first place, the Court clarifies the scope of the EDPB’s competence ( 2 ) relying on a literal, contextual and purposive analysis of the GDPR.

In that context, first of all, it notes that, according to a literal interpretation of the relevant provisions of the GDPR, ( 3 ) the EDPB is competent to adopt provisions, such as the contested provisions, instructing the lead supervisory authority to conduct a new investigation into certain aspects of the files in question and then to adopt new draft decisions. Since the EDPB’s binding decision must concern all the matters that are the subject of relevant and reasoned objections, the relevant provisions of the GDPR do not preclude, where the EDPB approves a relevant and reasoned objection relating to the absence or inadequacy of analysis in the draft decision of an aspect of the case that makes it impossible to know whether or not there is an infringement of that regulation, that decision from including an instruction to the lead supervisory authority to remedy that lack of analysis and, if it appears necessary in the light of the file in the EDPB’s possession, to deepen or broaden to that end the investigation carried out up to that point. If it appears that the case file is insufficient to enable the required analysis to be carried out in full, the EDPB must be allowed to require the lead supervisory authority to undertake further investigation.

Next, the Court considers, as part of the contextual interpretation of the relevant provisions of the GDPR, that the general context of the obligation of cooperation between the supervisory authorities concerned by a case, which is enshrined in the GDPR, confirms the EDPB’s competence to adopt the contested measures.

On that point, it states that the procedure for cooperation between supervisory authorities concerned by a case, ( 4 ) which may involve triggering the consistency mechanism operated by the EDPB, is not a ‘one-way’ procedure in which the stages always follow each other in the order of the provisions providing for them, without the possibility of returning to a previous stage or temporarily remaining at the same stage.

In addition, it notes that the analysis of the conditions under which the processing of personal data is carried out and its compliance with the GDPR does not have be limited to what is highlighted in the complaint made. In particular, fully carrying out the tasks of the supervisory authorities provided for in the GDPR of enforcing the application of that regulation and handling complaints to the extent appropriate ( 5 ) involves adopting an appropriate scope of analysis of the file in the light of the complaint that gave rise to it, but also in the light of other factors which may supplement it. The relevant and reasoned objection, according to its definition, relates to aspects the analysis of which comes within the scope of the two abovementioned tasks. As a result, the fact that a relevant and reasoned objection concerns the scope of the analysis and, where applicable, the scope of the investigation and that the EDPB follows that objection in no way undermines those tasks.

Lastly, the Court states that the examination of the purposes of the GDPR also confirms the literal interpretation of the relevant provisions of the GDPR.

In that regard, it points out, in particular, that the mechanism for cooperation between supervisory authorities concerned by a case reaches its limits where those authorities cannot reach a consensus. It is in that situation that the matter in respect of which consensus has not been reached must be submitted by the lead supervisory authority to the consistency mechanism, which results in an EDPB binding decision. In the event that the investigation is reopened, the competent authority must adopt a final decision on the substantive aspects that have been investigated and determined following an EDPB binding decision within the period provided for in the GDPR. That does not prevent it from carrying out an additional investigation and analysing those aspects of the case that have not yet been examined.

In the second place, the Court considers that the conditions for conferring competence on an EU body do not oppose the adopted interpretation that the EDPB has the power to require a lead supervisory authority to broaden its analysis and, where appropriate, its investigation. The exercise of such a power is circumscribed by various conditions and criteria which limit its discretion. Thus, that power, first, is exercised only in the event of a clearly identified shortcoming in the analysis undertaken by the lead supervisory authority in its handling of the case which may have significant consequences, as is apparent from the definition of a relevant and reasoned objection, and, second, results from the collective assessment of the supervisory authorities comprising the EDPB.

Furthermore, the Court notes that the exercise of that power is subject to judicial review. More specifically, within the limits of the pleas relied on before them, the Courts of the European Union are able to review the substantive legality of the contested provisions in the light of the circumstances of the case. In particular, it is open to them, first, to verify whether the EDPB, by adopting provisions of that nature, did indeed act on a relevant and reasoned objection by a supervisory authority. It is open to them, second, to examine the legality of the very substance of such provisions giving instructions to the supervisory authorities.

In that context, the Court adds that an EDPB binding decision requiring the applicant to broaden its analysis and its investigation does not call into question its ability to prioritise the performance of its various tasks as an independent authority, the review of which falls to the national court alone. Nor does it call into question, more generally, its independence. ( 6 )

( 1 ) In accordance with Article 60(4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1; ‘the GDPR’).

( 2 ) Under Article 65(1)(a) of the GDPR.

( 3 ) Article 65(1)(a) of the GDPR, read in conjunction with Article 4(24), Article 65(6) and recitals 126 and 136 of that regulation.

( 4 ) Provided for in Article 60 of the GDPR.

( 5 ) Article 57(1)(a) and (f) of the GDPR.

( 6 ) Enshrined in Article 39 TEU, Article 16(2) TFEU and Article 8(3) of the Charter of Fundamental Rights of the European Union.