‘The DPC is a master of grotesque sidesteps and loops in procedures,’ said NOYB chair Max Schrems.
In a fresh judgement issued this morning (29 January), the European Court of Justice ruled against a dispute brought on by the Irish Data Protection Commission (DPC), ordering it to follow the European Data Protection Board’s (EDPB) decision to conduct fresh investigations into Meta.
The judgement relates to GDPR complaints that were made against Meta in 2018 by three individuals living in Belgium, Germany and Austria through non-profit data privacy advocacy group Noyb regarding the lawfulness of Instagram, WhatsApp and Facebook’s data processing practices.
Although the complaints were made elsewhere, Meta is based in Ireland, which meant that the DPC would take charge of the investigation. In its draft decision, the data watchdog found that the three complainants could not justify that Meta needed to gain user consent to process their data, a decision that other supervisory authorities objected to.
Following the disagreement, the DPC took matters to the European Data Protection Board (EDPB), which sided with disagreeing parties and ordered the DPC to conduct new investigations into the matter to determine if any of the information processed by Meta contains “special categories” of data – including personal data revealing race, ethnicity, political leanings, religious beliefs, health etc – which enjoy extra protections under the GDPR.
Moreover, the EDPB also requested the DPC to investigate whether the special category of personal data is used for advertising or marketing purposes.
However, the DPC disputed the EDPB’s power to impose orders, and instead sued the European data watchdog at the European Court of Justice (ECJ) in 2023. Today, the ECJ dismissed the DPC’s claims, finding that the EDPB does, in fact, have the authority to impose its instructions.
“We note the court’s judgment and are currently reviewing it,” a DPC spokesperson told SiliconRepublic.com in response to the verdict.
Commenting on the ECJ’s decision, Max Schrems, chair of Noyb said: “This [Meta] case already has been going on for more than six years, with the DPC refusing to take action, which benefits US Big Tech.
“We are happy about the Court’s decision to dismiss the DPC’s claims, but it also means that the cases starts again from square one. Any final decision will take years before the DPC and before the Irish courts.
“The DPC is a master of grotesque sidesteps and loops in procedures – with the consequence that US Big Tech is never receiving a penalty,” he added.
While the Irish Council for Civil Liberties’ director of Enforce Dr Johnny Ryan said that the ECJ’s decision today “repudiates the DPC’s posture toward Big Tech under its previous commissioner, Helen Dixon.”
Concluding a separate case into Meta last month, the DPC fined the Facebook-owner €215m for a 2018 data breach that affected approximately 29m Facebook accounts globally.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.
Updated, 5.55pm, 29 January 2025: This article was amended to include a response from a DPC spokesperson.
