EU court orders Irish data watchdog to investigate Meta privacy complaint

The European Union's General Court ruled on January 29, 2025, that Ireland's Data Protection Commission (DPC) acted unlawfully by refusing to investigate a complaint about Meta's handling of sensitive user data.

The ruling stems from a complaint filed by privacy advocacy group noyb in May 2018, which questioned Meta's legal basis for processing personal data for advertising purposes. According to court documents, the European Data Protection Board (EDPB) determined in December 2022 that Meta had illegally processed user data for advertising without obtaining proper consent under Article 6(1) of the General Data Protection Regulation (GDPR).

The case highlights significant procedural delays in enforcing European privacy laws. The original complaint, filed on GDPR's first implementation day on May 25, 2018, alleged that Meta's platforms, including Facebook, WhatsApp, and Instagram, were engaging in "forced consent" practices by making service access conditional on users agreeing to data processing.

The EDPB instructed the DPC to investigate Meta's use of sensitive data under Article 9 GDPR. However, instead of complying with this binding decision, the DPC challenged the EDPB's authority before the European Courts through cases T-70/23, T-111/23, and T-84/23.

Max Schrems, Chairman of noyb, stated: "This case already has been going on for more than six years, with the DPC refusing to take action, which benefits US Big Tech. We are happy about the Court's decision to dismiss the DPC's claims, but it also means that the cases starts again from square one."

The court's decision addressed several legal points regarding data protection authorities' obligations. According to the ruling, the EDPB maintains competence to adopt contested provisions, and the cooperation mechanism between supervisory authorities reaches its limits when consensus cannot be reached, as provided in Article 60(4) of Regulation 2016/679.

The judgment specifically rejected the DPC's argument that reopening investigations delays consensus on previously investigated matters. The court stated that competent authorities must adopt final decisions on substantive aspects following an EDPB binding decision within the period provided in Article 65(6) of Regulation 2016/679.

The case has exposed structural issues in GDPR enforcement mechanisms. While the regulation allows for fines of up to 4% of global revenue for violations, the prolonged procedural timeline means that actual enforcement actions face significant delays.

The original 2018 complaint focused on specific practices by major tech platforms. According to the initial filing, the complaints were distributed across multiple European authorities: Google (Android) with the French DPA (CNIL), Instagram with the Belgian DPA (CPP), WhatsApp with the Hamburg DPA (HmbBfDI), and Facebook with the Austrian DPA (DSB).

The Court emphasized that Article 8(1) of the Charter of Fundamental Rights and Article 16(1) TFEU provide that everyone has the right to the protection of personal data concerning them. The ruling noted that broadening investigations when requested by supervisory authorities constitutes a measure to defend both complainants' and controllers' rights.

The case can now be appealed to the Court of Justice of the European Union (CJEU). Until final resolution, the procedural steps required by the General Court's ruling must be followed, potentially leading to a full investigation of the original complaints regarding Meta's data processing practices.

This development occurs against a backdrop of increasing scrutiny of data protection enforcement in Europe. The DPC, as lead regulator for many major technology companies with European headquarters in Ireland, faces particular attention regarding its handling of cross-border data protection cases.