Today’s judgment from the Tenth Chamber of the General Court affirms the EDPB’s authority to instruct national supervisory authorities to broaden their investigations and issue new draft decisions in cross-border data protection cases.

It comes after the EDPB intervened to order the DPC to impose harsher penalties on the owners of Facebook, Instagram and WhatsApp following findings of General Data Protection Regulation (GDPR) breaches.

The complaints against Meta Platforms Ireland Ltd (formerly Facebook Ireland Ltd) and WhatsApp Ireland Ltd were submitted in 2018 by individuals from Belgium, Germany and Austria, represented by NOYB – European Center for Digital Rights.

As the lead supervisory authority under the GDPR’s “one-stop-shop” mechanism, the DPC was responsible for investigating the complaints. Following its investigations, the DPC submitted draft decisions to other concerned supervisory authorities across the EU.

Several authorities raised objections, particularly regarding the scope of the DPC’s investigations and its conclusion that Meta and WhatsApp could rely on Article 6(1)(b) of the GDPR — which allows data processing without consent if necessary for the performance of a contract — to justify some of their data processing activities.

Unable to reach a consensus with the other supervisory authorities, the DPC referred the matter to the EDPB, which adopted three binding decisions in December 2022.

Finding that the DPC’s draft decisions were too narrow in scope and failed to adequately address concerns about the processing of sensitive personal data under Article 9 of the GDPR, the EDPB instructed the DPC to conduct further investigations into whether Meta and WhatsApp processed sensitive data and to issue new draft decisions based on the findings.

The DPC challenged these instructions, arguing that the EDPB had exceeded its powers under Article 65(1)(a) of the GDPR, which allows the EDPB to adopt binding decisions in cases where supervisory authorities disagree.

The DPC contended that the EDPB could not mandate it to broaden its investigations or issue new draft decisions, as this would infringe on its discretion as the lead supervisory authority.

The General Court today rejected the DPC’s arguments, holding that the EDPB’s instructions were within its competence under the GDPR.

The court emphasised that the EDPB’s role is to ensure the consistent application of the GDPR across the EU, and that its binding decisions must address all matters raised in relevant and reasoned objections from supervisory authorities.

It noted that the EDPB’s decisions were based on objections that highlighted significant risks to the fundamental rights and freedoms of data subjects, particularly in relation to the processing of sensitive data.

The court found that the EDPB was justified in requiring the DPC to conduct further investigations to determine whether Meta and WhatsApp had complied with their obligations under the GDPR.

It also rejected the DPC’s argument that the EDPB’s instructions would undermine the “one-stop-shop” mechanism, which is designed to streamline data protection enforcement by designating a single lead supervisory authority.

While the one-stop-shop mechanism aims to simplify procedures, it cannot take precedence over the GDPR’s fundamental objective of protecting individuals’ personal data, the court held.

A spokesperson for the DPC told Irish Legal News: “We note the court’s judgment and are currently reviewing it.”