An Irish High Court judge delivered a comprehensive defeat to Meta Platforms Ireland Limited on 21 May 2026, rejecting every legal argument the company had advanced to block a regulatory process that could result in administrative fines of between €360 million and €430 million. The judgment, [2026] IEHC 323, was delivered by Ms. Justice Siobhán Phelan under Record No. 2025/1876 JR and concerns an inquiry that began in July 2018 following a single data subject access complaint.

The ruling clears the path for Ireland's Data Protection Commission to proceed with its draft Preliminary Draft Decision, which targets Meta's handling of access requests to its internal "Hive" data warehouse - one of the largest and least publicly discussed data stores operated by a social media company in Europe.

Origins: a single email sent within hours of GDPR taking effect

The case traces back to 25 May 2018, the day the General Data Protection Regulation became legally operative across the European Union. Within hours of the regulation entering into force, academic researcher Michael Veale submitted a data subject access and portability request directly to Facebook Ireland Limited by email. He asked for full access to his personal data stored in Facebook's internal "Hive" data warehouse - not the curated datasets made available through the platform's standard user-facing tools.

According to the judgment, Veale specifically sought access to raw Hive data under Article 15 of the GDPR, along with information about the purposes and retention criteria for that data. He also made a data portability request under Article 20, asking for his personal data in a structured, commonly used, machine-readable format. His stated reason was specific: he wanted to determine whether third-party websites he had visited, including sites selling medicinal products, had shared his browsing data with Facebook, and whether Facebook held or inferred sensitive or special-category data about him.

Facebook replied on 19 July 2018, refusing to provide the raw Hive data. According to the judgment, the company cited GDPR limitations, including proportionality provisions under Articles 12(5), 15(4) and 20(4). The technical explanation Facebook gave to the Irish Data Protection Commission in its subsequent responses was stark. According to the judgment, Facebook stated that "it is computationally difficult in the extreme to provide targeted per user responses to each and every subject access request we receive." In a later written submission, the company explained that "because data in Hive is stored and organised chronologically, there is no efficient way to extract all log entries corresponding to a particular user account." Facebook further stated that responding to access requests relating to the Hive system would "greatly exceed the total computer processing power of the Facebook group."

Veale filed a formal complaint with the Data Protection Commission on 20 July 2018. In that complaint, he explicitly noted the wider significance of what he was raising, stating that he believed the issue was "of great societal importance given the recent revelations about microtargeting, and the extent of tracking on the internet today."

The Hive system and what it holds

The Hive data warehouse sits at the centre of this case. Unlike the data available through Facebook's "Access Your Information" tool or its "Ads Preferences" interface - both of which present processed, user-readable summaries - Hive stores raw log-level data. According to information Facebook itself provided to the Commission during the inquiry, the data in Hive is organised chronologically rather than by user identifier. Extracting all data associated with a single user would require searching every partition of every table from the current date back to the date the account was created, using either a Facebook User ID or a Replacement ID as the search key.

Facebook told regulators that this was not computationally feasible. The company's second request for information response, submitted on 19 October 2018, disclosed - under a claim of commercial sensitivity - the scale of Hive in petabytes, the number of CPU seconds needed to search one gigabyte of the data, the time it would take to search the entire warehouse, and the number of servers that would be required. The company's position was that it was "impossible" to comply with access requests at that level of granularity, and that providing users with processed, "production" data through existing tools satisfied Article 15.

The Commission's draft decision, issued in October 2025, took a different view. According to the judgment, the draft PDD recorded that the issues raised by Veale's complaint were "of general application" and that the Commission considered the position adopted by Meta in its reply to Veale's request to have the "character of a complete or blanket, refusal." The fine range of €360 million to €430 million was calculated, according to the judgment, by reference to Facebook's EEA user base of 235 million monthly active users as of August 2018.

What Meta argued in court

Meta's statement of grounds, filed in the Central Office of the High Court on 12 December 2025, advanced three broad complaints against the Commission's draft decision.

The first was a statutory vires challenge. Meta argued that the GDPR and Ireland's Data Protection Act 2018 draw a clear distinction between complaint-based inquiries - whose scope is defined by the terms of the individual complaint - and own-volition inquiries, which the Commission initiates on its own initiative and where systemic issues may properly be investigated. Meta's position was that the Commission had unlawfully converted a complaint-based inquiry into what was effectively an own-volition investigation by proposing corrective orders affecting its general data access practices across the EEA and calculating fines by reference to hundreds of millions of users rather than the single complainant.

The second ground was breach of legitimate expectations. Meta argued that representations made throughout the inquiry process - through the Notice of Commencement in 2018, the Draft Inquiry Report issued in January 2022, the Final Inquiry Report in August 2023, and the Commission's own published guidance documents - gave it a legitimate expectation that any corrective measures would be limited to Veale's individual data rights.

The third ground was fair procedures. Meta contended it had never been investigated for, heard on, or given an opportunity to defend itself against systemic allegations, and that it was therefore deprived of its rights of defence under both Irish constitutional law and the EU Charter of Fundamental Rights.

Meta sought a stay preventing the Commission from advancing to the Article 60 GDPR cooperation process with other European supervisory authorities. The High Court granted that stay on 15 December 2025, when leave to proceed was granted. The stay held through the full hearing, which commenced on 21 April 2026.

Justice Phelan's analysis

On the central vires question, Justice Phelan found against Meta on all points.

The judge reviewed Articles 57 and 58 of the GDPR in detail. Article 57 assigns the Commission a task - first and foremost - of monitoring and enforcing the application of the GDPR. Article 58(2) lists the corrective powers available to supervisory authorities, including the power to order a controller to bring processing operations into compliance with the GDPR (Article 58(2)(d)) and the power to impose administrative fines in accordance with Article 83 (Article 58(2)(i)). According to the judgment, nothing in the language of Article 58 draws any distinction between whether those corrective powers are exercised following a complaint-based inquiry or an own-volition one.

The judge placed particular weight on Article 83, which prescribes the factors that a supervisory authority must consider when calculating administrative fines. Those factors include the nature, gravity and duration of the infringement, as well as "the number of data subjects affected." The use of mandatory language - the word "shall" - means the Commission is legally required to consider the broader user population when setting a fine, regardless of how the underlying inquiry began. According to the judgment, this makes it impossible for a complaint-based inquiry to be limited to a purely individual remedy without undermining the mandatory requirements of Article 83.

Justice Phelan also drew attention to the Court of Justice of the European Union's judgment in TR v. Land Hessen, Case C-768/21, in which the CJEU confirmed that where a supervisory authority finds an infringement, "it is required to react appropriately in order to remedy the shortcoming found, and each measure should be appropriate, necessary and proportionate in view of ensuring compliance with that regulation, taking into account the circumstances of each individual case."

On the fair procedures ground, the judge found that Meta had been informed from the outset that corrective measures up to and including administrative fines calculated under Article 83 were a potential outcome. The Notice of Commencement in July 2018 expressly referenced the Commission's powers under Article 58(2), including the power to impose an administrative fine. The Commission's letter of 2 May 2024 went further, explaining the concept of an "undertaking" under competition law and how the fine cap would be calculated by reference to the turnover of the Meta group as a whole rather than just the Irish subsidiary.

The legitimate expectations argument failed for similar reasons. The judge found that the Commission had never represented it would limit corrective action to Veale's individual case and that such a limitation would in any case be incompatible with the Commission's statutory obligations. According to the judgment, the Commission "could not lawfully limit its consideration of prescribed matter when it comes to the exercise of its statutory powers."

Specifically, the judge dismissed Meta's argument at paragraph 191 of the judgment: "The contention that the Commission lacks statutory vires to impose corrective measures or an administrative fine referrable to the number of data subjects affected, other than the individual complainant, following inquiry on foot of an individual complaint has not, in my view, been substantiated."

What the draft decision proposes

The Commission's draft Preliminary Draft Decision, circulated in October 2025, proposed four preliminary findings of infringement. According to the judgment, these were: that Meta infringed Article 15(1) and (3) by refusing Veale access to a copy of relevant data; that Meta infringed Article 15(1)(a), (d) and (g) by providing inadequate information in its reply; that Meta infringed Article 20(1) by refusing to provide data in portable format; and that Meta infringed Articles 12(3) and 12(4) by failing to comply with the applicable response time limits.

The corrective powers proposed in the draft decision include a reprimand under Article 58(2)(b), compliance orders under Article 58(2)(d) affecting Meta's general data access practices across all users - not just Veale's - and an administrative fine under Article 58(2)(i) calculated in accordance with Article 83. The fine range of €360 million to €430 million reflects, according to the judgment, the systemic scale of the practices at issue.

The draft decision has not become final. Following the High Court ruling, the Commission will now be able to advance to the Article 60 GDPR cooperation process, sharing its draft decision with Concerned Supervisory Authorities in other EU member states. Those authorities may raise "relevant and reasoned objections." If the Commission does not accept such objections, the matter may escalate to the European Data Protection Board under Article 65 for a binding decision.

Procedural delays and the seven-year span

One striking feature of this case is its length. The inquiry opened in July 2018. A Draft Inquiry Report issued in January 2022, more than three and a half years later - a gap explained in part by Covid-19 and multiple changes of lead investigator. The Final Inquiry Report followed in August 2023. Then came another extended silence before the draft PDD issued in October 2025. Meta filed judicial review proceedings in December 2025 and the full hearing ran in April 2026. The judgment landed on 21 May 2026, nearly eight years after Veale sent his original email.

The eight-year GDPR enforcement landscape remains contested. Analysis published this month by Alliance Risk found that nearly 40% of the €7.1 billion in announced GDPR fines since 2018 are either already annulled or under active legal challenge.

The Irish Data Protection Commission has been at the centre of GDPR enforcement for major technology companies since the regulation took effect, given that most large US platforms have their European headquarters in Ireland. LinkedIn Ireland faced a €310 million fine from the DPC in October 2024 for advertising data processing violations. TikTok faced a €530 million DPC penalty in April 2025 for remote data access to China, which established that remote access from a third country constitutes a data transfer under GDPR. TikTok is currently challenging that decision before the High Court.

Meta itself has faced multiple enforcement actions from other European jurisdictions. A Madrid court ordered Meta to pay €479 million to 87 Spanish digital publishers in November 2025 for GDPR-based unfair competition violations covering behavioral advertising between 2018 and 2023. German courts have imposed damages on Meta across multiple GDPR tracking cases, with the Dresden Higher Regional Court awarding €1,500 per user in February 2026 for Business Tools violations with no further avenue of appeal. An Austrian court ordered full data access after an eleven-year case in December 2025.

The Ireland inquiry predates all of these. It concerns a different and more fundamental question: not what data Meta collects through third-party tracking, but what it holds internally and whether individuals can access it.

Why this matters for the advertising industry

The case has direct implications for how advertising technology companies think about their internal data architectures. Meta's core argument - that it was computationally infeasible to respond to individual subject access requests at raw data level - is precisely the type of argument that GDPR's Article 25, on data protection by design, was intended to make unavailable.

The judgment reinforces that a complaint from a single individual can trigger corrective orders affecting millions of users if the underlying practice is systemic. For any platform that maintains large internal data warehouses organised around product rather than user identities, this represents a concrete compliance challenge. The obligation to respond to access requests is not discharged by offering a consumer-facing summary tool if the underlying data exists in a format that the controller does not make accessible.

The EU's attempt to fix GDPR enforcement through procedural reforms remains contested, and the Commission is proposing further GDPR amendments through the Digital Omnibus legislative package. The Hive case, however, was decided on the current text - and that text, according to Justice Phelan, is unambiguous.

Timeline

  • 25 May 2018 - Michael Veale submits a data subject access and portability request to Facebook Ireland Limited on the day the GDPR takes effect
  • 19 July 2018 - Facebook refuses to provide raw Hive data, citing Articles 12(5), 15(4) and 20(4) of the GDPR
  • 20 July 2018 - Veale files a formal complaint with the Irish Data Protection Commission
  • 27 July 2018 - The DPC opens Inquiry IN-18-7-1 under s. 110(1) of the Data Protection Act 2018
  • 14 August 2018 - Facebook writes to the DPC seeking procedural clarification
  • 19 October 2018 - Facebook provides its substantive explanation of why it refused to provide raw Hive data, including claims about computational infeasibility
  • 8 November 2018 - Veale makes written submissions elaborating on why access to Hive data was necessary
  • 2019 - mid-2021 - Extended period of apparent inactivity, coinciding in significant part with the Covid-19 pandemic
  • 5 January 2022 - Facebook Ireland Limited formally changes its name to Meta Platforms Ireland Limited
  • 25 January 2022 - New investigator issues a Draft Inquiry Report (85 pages) to Meta's solicitors
  • 25 March 2022 - Meta provides written submissions on the Draft Inquiry Report
  • 21 August 2023 - The Final Inquiry Report issues; the DPC confirms the file is entering the decision-making stage
  • October 2024 - Former Meta executive Niamh Sweeney appointed as Data Protection Commissioner
  • 10 October 2025 - The DPC issues the draft Preliminary Draft Decision proposing four infringement findings and fines of €360-430 million
  • 5 November 2025 - Meta objects to the draft PDD by letter, contending the Commission has unlawfully expanded the scope of the inquiry
  • 9 December 2025 - The DPC rejects Meta's objections and refuses to withdraw or revise the draft PDD
  • 12 December 2025 - Meta files its Statement of Grounds and verifying affidavit in the High Court
  • 15 December 2025 - High Court grants leave to proceed and a stay preventing the DPC from advancing to the Article 60 process
  • 10 February 2026 - The DPC's Statement of Opposition is filed
  • 19 January 2026 - By consent, directions set the hearing for 21 April 2026
  • 21 April 2026 - Full hearing commences before Ms. Justice Siobhán Phelan
  • 21 May 2026 - Judgment [2026] IEHC 323 delivered; all grounds dismissed; an order dismissing the proceedings is made

Summary

Who: Meta Platforms Ireland Limited (applicant) and the Irish Data Protection Commission (respondent), with the judgment delivered by Ms. Justice Siobhán Phelan of the Irish High Court.

What: The High Court dismissed all grounds of Meta's judicial review challenge to the DPC's draft Preliminary Draft Decision. The draft PDD proposes four findings of GDPR infringement relating to Facebook's refusal to provide access to its internal Hive data warehouse, along with corrective orders and administrative fines of between €360 million and €430 million.

When: The underlying complaint was filed on 20 July 2018. The inquiry opened in July 2018. The draft PDD issued on 10 October 2025. Meta commenced judicial review proceedings in December 2025. The judgment was delivered on 21 May 2026.

Where: The proceedings were brought before the Irish High Court, with Ireland serving as the lead supervisory authority for Meta under the GDPR one-stop-shop mechanism. The Hive data warehouse, central to the complaint, is an internal Facebook data system that stores log-level user data organised chronologically.

Why: The case turns on whether a single GDPR complaint can justify system-wide corrective orders and large administrative fines affecting an entire user base. Justice Phelan found that neither the GDPR nor Ireland's Data Protection Act 2018 limit the Commission's corrective powers to measures tailored to the individual complainant. Article 83 mandates consideration of the number of data subjects affected when calculating fines, regardless of whether the underlying inquiry was complaint-based or own-volition.