In a judgment dated January 29, 2025, the Court of Justice ruled that the binding decisions of the EDPB (European Data Protection Board) addressed to the Irish supervisor DPC (Data Protection Commission) concerning Meta can be upheld. This is an interesting ruling because the highest European court here clarifies how, in (cross-border) discussions between national supervisors, the relationships are between the national supervisor(s) on the one hand and the EDPB on the other. This judgment confirms the formal competence of the EDPB regarding binding decisions directed at national member states.
The trigger for the EDPB's binding decisions was a conflict between the DPC and other national regulators. In 2018, complaints were filed with national supervisors of Germany, Belgium and Austria against Meta for alleged violations of, among other things, Article 9 of the AVG on the processing of special personal data.[1]The complaints were referred to the Irish regulator DPC because that is where Meta is based.[2]
Given the cross-border nature of the complaint, the DPC sent its draft decisions indicating that the DPC was not going to further investigate the alleged violation of Article 9 to the other national supervisors involved. The concerned supervisors appealed but the DPC refused to investigate further. Subsequently, the EDPB became involved in the dispute.[3] In the binding decisions, the EDPB ordered the DPC to expand and further investigate Meta's data processing activities.[4] The Court of Justice rejected the Irish regulator's appeal against these decisions concerning Meta. [5]
With this ECJ ruling, the Court clarified the relationship between the EDPB and national supervisors of AVG member states. Namely, the ruling confirms that the EDPB has the power to require national supervisory authorities to expand their investigations in the case of cross-border cases.
It is important to mention that issuing such binding decisions to dispute national regulators for the enforcement of the AVG is not the EDPB's only task. The EDPB also produces so-called guidelines and recommendations on the AVG for its clarification. These EDPB guidelines provide an important source of information for personal data processors on how to comply with specific AVG obligations. The privacy law attorneys at Kienhuis Legal also draw a lot from these guidelines, and of course also keep a close eye on the decisions of national regulators and the Court of Justice, in order to be able to support you as best as possible in interpreting and implementing obligations under the AVG.
Incidentally, unlike EDPB decisions, the EDPB Guidelines are not binding; the Court of Justice retains the final say on them as well.
[1] Court of Justice January 29, 2025,ECLI:EU:T:2025:116 r.o. 5-6.
[2] Court of Justice January 29, 2025, ECLI:EU:T:2025:116 rulings 7- 9.
[3] Court of Justice January 29, 2025, ECLI:EU:T:2025:116 r.o. 83.
[4] Court of Justice January 29, 2025, ECLI:EU:T:2025:116 r.o. 2.
[5] Court of Justice January 29, 2025, ECLI:EU:T:2025:116 r.o. 3.
