
DPC forced to reinvestigate GDPR complaints by European court

Ruling marks latest twist in set of three actions dating back to 2018
Image: Ekaterina-Bolovtsova via Pexels

29 January 2025

The Data Protection Commission suffered an embarrassing defeat at the General Court of the European Court of Justice today after it was ordered to reopen three complaints into the use of personal data by Meta.

The Court’s decision relates to an investigation into the Facebook, Instagram and WhatsApp parent company’s use of personal data for ad targeting purposes.

The case was taken in Ireland under the GDPR’s ‘one stop shop’ provision where companies could be prosecuted in the country of their EU base. While convenient in theory, Ireland has been criticised for the slow pace of enforcement.

 




 

The complaint dates back to 2018 when the DPC refused to investigate three complaints made by consumer advocate group noyb – led by lawyer and privacy activist Max Schrems – on behalf of three individuals living in Belgium, Germany and Austria. In 2022 the DPC issued draft decisions in each case refusing to investigate Meta’s use of “special category data” such as religious beliefs, race, ethnicity, health or sexual orientation.

Meta argued that as GDPR came into effect users were given the choice to either continue using the platform or delete their accounts – the former acting as consent to new terms and conditions.

The DPC’s draft decision involved a fine of €210 million and a requirement for Meta to bring its terms and conditions more explicitly in line with the GDPR. The decision proved controversial with other European watchdogs, and Meta was eventually fined €390 million, but the decision was rejected by the European Data Protection Board (EDPB), which ordered the DPC to widen the scope of its investigations. In 2023 the DPC took the EDPB to court, arguing that it did not have the authority to do so.

Today’s decision clarifies the role of the EDPB in deciding the scope of investigations and validity of sanctions levied under GDPR.

“The EDPB can issue binding instructions to the lead supervisory authority to conduct further investigations and adopt new decisions if there are gaps or insufficient analysis in the original decision,” the court wrote in a statement.

Reacting to today’s decision Schrems said: “This case already has been going on for more than six years, with the DPC refusing to take action, which benefits US Big Tech. We are happy about the Court’s decision to dismiss the DPC’s claims, but it also means that the cases starts again from square one. Any final decision will take years before the DPC and before the Irish courts. The DPC is a master of grotesque sidesteps and loops in procedures – with the consequence that US Big Tech is never receiving a penalty.”

Dr Johnny Ryan, director of Enforce, a unit of Irish Council for Civil Liberties, said: “Today, the European Court of Justice has dismissed the DPC’s case, repudiating the DPC’s posture toward Big Tech under its previous Commissioner, Helen Dixon.”

A statement from the DPC read: “We note the Court’s judgment and are currently reviewing it.”

The case can be appealed to the Court of Justice of the European Union.

TechCentral Reporters
