Grace Tierney BL

On 29 January 2025, the European Court of Justice (ECJ) found against the Irish Data Protection Commission (DPC) — the EU’s main data protection board — in a case relating to the processing of people’s most intimate data by Meta. This “special category” data falls within Article 9 of the General Data Protection Regulations (GDPR), enjoying extra protections.

The claim originally relates to the processing of user data from Facebook, Instagram and WhatsApp but more broadly concerns whether the EU’s Data Protection Board (EDPB) can direct a national data supervisor to follow a certain course of action.

The Initial Complaint

The claim sees its advent in 2018 when three individuals, supported by the NGO NOYB-European Centre for Digital Rights, lodged complaints against Facebook Ireland Ltd (now Meta) and WhatsApp Ireland Ltd. The complaints concerned alleged breaches of the GDPR in the procession of “special category” data — things like personal data revealing race, ethnicity, political leanings, religious beliefs, health, etc. — from Facebook, Instagram, and WhatsApp, and because the companies concerned are headquartered in Ireland, the Irish DPC was the lead supervisory authority responsible for the review of the complaints.

The DPC carried out investigations and prepared draft decisions for input from other EU data protection authorities. These other authorities raised concerns particularly highlighting the companies’ targeted advertising and the lack of user consent for processing sensitive data. The matter was then referred to the EDPB after the Irish DPC and other EU authorities could not reach agreement on the objections raised.

The Irish DPC had concluded that the companies could rely via inference on the GDPR to justify the lawfulness of their data processing. However, in December 2022, the EDPB issued binding decisions — that went against the Irish DPC’s analysis. The EDPB in its decision held that Meta had illegally used the personal data of users for advertising without their consent, contrary to Article 6(1) GDPR. The EUPB requested that the Irish DPC do the following:

1. Withdraw its findings, including the finding the user consent was not required for the data processing carried out.
2. Find certain infringements of the GDPR, and to adopt corrective measures, in relation to the companies.
3. Conduct further investigations into whether the companies processed sensitive data and whether such processing complied with the GDPR.

The DPC’s challenge

The Irish DPC took three cases to the ECJ challenging the EDPB’s authority to issue binding decisions and sought the quashing of the provisions requiring that it broaden the scope of its investigations. In all three cases, the Irish DPC argued that the EDPB had exceeded its competence by requiring new investigations with and expanded scope.

The General Court dismissed the three cases on 29 January 2025. The ECJ held that the EDPB’s competence does, in fact, include the ability to issue binding decisions to EU supervisory authorities to conduct further investigations and/or adopt new decisions “if there are gaps or insufficient analysis in the original decision”.

The Court additionally held:

1. The EU’s data protection rules allow that EDPB to address all relevant and reasoned objections, even if it requires revisiting earlier stages of the investigative process.
2. The scope of the analysis must extend beyond a complainant’s specific claims to ensure full compliance with the GDPR.
3. The cooperative mechanism between national authorities supports the EDPB’s role, and that the lead supervisory authority must submit matters to the EDPB for a binding decision when authorities cannot reach consensus.
4. Granting the EDPB the power to mandate broader investigations is consistent with EU principles although such power is subject to judicial review.
5. Requiring broader investigations does not compromise the independence of the lead supervisory authority or its ability to prioritise tasks.

Meta’s algorithms and recommender systems

It is significant that the Irish DPC refused to investigate a key element of a complaint against Meta, particularly in the context of most leading technology companies having their headquarters in “Silicon Docks” in Dublin. The DPC’s refusal to investigate Meta’s use of people’s most intimate data likely gave the impression that it was “soft” on Big Tech – whether intentional or not.

The data subject to the complaints/ECJ cases is data of some of the most personal markers of a person — supported by its special status within the GDPR. This data is essential to the functioning of Meta’s recommender algorithms used to manipulate what people see in their “feeds”. In documents released in 2021, the world learned that Meta’s algorithm is built to prioritise posts that elicited anger and outrage.

Conclusion

The effects of a divisive and angry online world have been explored extensively, and it is clear to see that these effects include spill-over into the offline world. Meta’s use of users’ most personal data to supercharge its algorithm, surely must be investigated. The ECJ agreed.

Regulations like the GDPR function effectively only if they have teeth, and the ECJ’s judgment is welcome.

• Grace G Tierney BL is a practising barrister. This article first appeared on the Law Library blog.