knowledge 13 February 2025 |

General Court Upholds Broader Role for EDPB in OSS System

Background

In 2018, individuals from Belgium, Germany, and Austria filed complaints regarding the processing of their personal data for behavioural advertising purposes by Facebook, Instagram, and WhatsApp through the non-profit association NOYB.  Given the cross-border nature of the data processing which was the subject of these complaints, the DPC as the lead supervisory authority under Article 56(1) of the General Data Protection Regulation conducted investigations in relation to these complaints and submitted draft decisions to other concerned supervisory authorities under the Article 60(3) cooperation mechanism. Several supervisory authorities raised objections to the DPC’s draft decisions, not only regarding the DPC’s findings but also regarding potential breaches of specific provisions of the GDPR that the DPC had not investigated.  The DPC and these other DPAs were not able to resolve these objections and they were referred to the EDPB for resolution under Article 65.

The EDPB issued decisions requiring the DPC not only to change certain elements of its draft decisions, but also to investigate potential breaches of specific provisions of the GDPR that had not been investigated by the DPC.  In doing so, the EDPB gave effect to its Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679 (the “RRO Guidelines”), which (controversially when they were adopted) asserted that the EDPB could do this.

Proceedings & Decision

The DPC complied with most of the EDPB’s decisions regarding amending its draft decisions but challenged the EDPB's competence to require the DPC to investigate further potential breaches, arguing that the EDPB exceeded its authority under Article 65(1)(a) GDPR.  The cases (T-70/23, T-84/23, and T-111/23) were joined and the DPC sought the annulment of specific parts of the EDPB's binding decisions that required it (i) to carry out new investigations on aspects not previously examined, and (ii) to issue new draft decisions on the basis of the results of those new investigations.

The General Court considered the scope of the EDPB's competence under Article 65(1)(a) of the GDPR (1) in the context of a literal, contextual, purposive and historical analysis of the GDPR, and (2) in relation to the conditions for conferral of competence on an EU body.  In summary, the Court determined that:

• Literal interpretation: Article 65(1)(a) provides that the EDPB's binding decision regarding a dispute referred to it in relation to ‘relevant and reasoned objections’ shall concern all matters which are the subject of the ‘relevant and reasoned objections’. The definition of ‘relevant and reasoned objection’ set out in Article 4(24) GDPR is broad and does not expressly state that such an objection cannot be raised regarding the scope of a draft decision or the absence or inadequacy of analysis contained in a draft decision.  Therefore, as a matter of literal interpretation, the scope of a draft decision and the absence or inadequacy of analysis contained in a draft decision can be the subject of a relevant and reasoned objection.
• Contextual interpretation: The Court rejected the DPC's argument that the cooperation procedure under Article 60 GDPR is a "one-way" process that is not intended to involve the EDPB directing a lead supervisory authority to carry out further investigations regarding the subject matter of a draft decision.  It held that the procedure allows for the possibility of further investigation and analysis, if necessary.  The Court also noted the importance of cooperation and consensus among supervisory authorities concerned by a case, as emphasised in the judgment of 15 June 2021, Facebook Ireland and Others (C-645/19).
• Purposive interpretation: The Court emphasised that the one-stop shop meets an objective of procedural simplification that cannot take precedence over the essential objective of the GDPR, which is to ensure compliance with the fundamental right of natural persons to the protection of their personal data.  The Court found that the EDPB’s competence to require further investigations aligns with this objective.
• Conditions for the conferral of powers on an EU body, Judicial Review and Independence: The Court rejected arguments made by the DPC that a power for the EDPB to require a lead supervisory authority to carry out further investigations would undermine the independence of DPAs.  

The Court dismissed the DPC's actions and declined to annul the relevant parts of the EDPB’s decisions, finding that the EDPB acted within its competence under the GDPR.  It remains to be seen whether this judgment will be appealed to the European Court of Justice. The judgment may be appealed on points of law only within two months.

Comment

The Court’s judgment has generated considerable discussion due to its important implications for the one-stop shop system and organisations and DPAs who are subject to it.  The interpretation adopted by the EDPB and ultimately endorsed by the Court regarding the EDPB’s powers under Article 65 has been questioned, not only by the organisations affected by these cases (the DPC, Meta and WhatsApp) but also more generally by other controllers and by some academic commentators.  As a matter of interpretation, there is room for argument regarding some of the Court’s findings.  For example, in the context of its consideration of the literal interpretation of the GDPR, the conclusion that, since the relevant provisions do not expressly prevent the EDPB from exercising this power, the EDPB can be construed to have this power, is difficult to reconcile with EU law principles regarding the delegation of functions to EU bodies and legal clarity.  

It is noteworthy that although the Court has effectively endorsed the view of the EDPB as set out in the RRO Guidelines, it made no reference to these guidelines in its decision.  A potentially important distinction drawn in the RRO Guidelines regarding the EDPB’s powers under Article 65, which was not addressed in the Court’s judgment, is whether a decision arises from a ‘complaint led’ investigation or an ‘own volition’ investigation conducted by a lead supervisory authority.  The RRO Guidelines opine that where relevant and reasoned objections arise regarding the scope of a decision, the EDPB may direct a lead supervisory authority to investigate new matters where the decision is based on a complaint led investigation but may not do so where it is based on an own volitation investigation.  If the EDPB continues to take this approach, this will be one of the factors for lead supervisory authorities to consider when deciding whether they should open a complaint-led or own volition investigation into potential breaches of the GDPR (and a point for any organisation who is the subject of such an investigation to take into account when dealing with the investigation). 

More generally, DPAs and organisations who are the subject of investigations by lead supervisory authorities will need to consider the strategic implications of this decision for them.  For lead supervisory authorities, it presents practical and strategic challenges.  Organisations who are the subject of investigations will be considering whether the decision presents any potential opportunities for them when dealing with any such investigations.

Also contributed to by Isobel Murphy