Our Take on Privacy & Cybersecurity

EU Court Affirms Authority of EDPB

On January 29, 2025, the General Court of the European Union delivered a significant judgment concerning the powers and competences of the European Data Protection Board ("EDPB"). The case involved the Data Protection Commission ("DPC") of Ireland, which challenged certain binding decisions of the EDPB that would require the DPC to broaden its investigations into data processing activities by certain entities there.

Key Issues and Proceedings

The case arose from complaints lodged in 2018 by individuals in Belgium, Germany, and Austria, through the non-profit association, NOYB: European Center for Digital Rights. These complaints alleged potential infringements of the General Data Protection Regulation ("GDPR") by certain processing activities.  Given the cross-border nature of the data processing and the establishment of entities located in Ireland, the DPC acted as the lead supervisory authority under Article 56(1) of the GDPR. 

Following its investigations, the DPC submitted draft decisions to other concerned supervisory authorities, which raised objections, particularly regarding the scope of the DPC's investigations and the necessity of user consent for data processing under Articles 6 and 9 of the GDPR.  These objections led to the involvement of the EDPB under the consistency mechanism provided by Article 60(4) of the GDPR. 

EDPB's Binding Decisions

On December 5, 2022, the EDPB issued Binding Decisions 3/2022, 4/2022, and 5/2022, which required the DPC to:

  1. Exclude certain findings from its draft decisions, particularly those suggesting that companies could rely on Article 6(1)(b) of the GDPR without user consent. 
  2. Conduct new investigations to determine whether processing of special categories of personal data under Article 9 of the GDPR had occurred and whether related obligations were met. 
  3. Issue new draft decisions based on the results of these additional investigations. 

General Court's Judgment

The DPC contested the EDPB's competence to impose such requirements, arguing that the EDPB exceeded its authority under Article 65(1)(a) of the GDPR.  The General Court, however, dismissed the DPC's actions, affirming the EDPB's competence to adopt the contested provisions. 

Key Findings of the Court

The General Court's judgment delved deeply into the interpretation of the GDPR, particularly focusing on the EDPB's authority under Article 65(1)(a). The Court's analysis began with a literal and contextual interpretation of the GDPR provisions, concluding that the EDPB's power to adopt binding decisions includes the authority to require a lead supervisory authority to broaden its investigations and issue new draft decisions. This interpretation aligns with the definitions and objectives of the GDPR, which aim to ensure the correct and consistent application of the regulation across the European Union. The Court emphasized that the EDPB's role is crucial in maintaining the integrity of the GDPR's enforcement, especially in complex cross-border cases.

The Court also addressed the nature of objections raised by other supervisory authorities. It underscored that objections concerning the scope of investigations can be considered relevant and reasoned under Article 4(24) of the GDPR. Under that article, if a supervisory authority believes that an investigation is too narrow and fails to address significant aspects of data processing, it can raise an objection that the EDPB must consider. The EDPB's binding decisions must then address all matters raised by such objections, including the adequacy of the lead authority's analysis and investigations. This ensures that all relevant aspects of data processing are thoroughly examined, protecting the fundamental rights and freedoms of data subjects. 

Furthermore, the Court highlighted the importance of the cooperation and consistency mechanisms established by the GDPR. These mechanisms are designed to facilitate collaboration between supervisory authorities and to resolve disputes to ensure a uniform application of the GDPR. In short, they are intended to improve harmonization among the EU's Supervisory Authorities under the GDPR. The EDPB's competence to require further investigations is essential for achieving this objective. By mandating additional investigations, the EDPB ensures that all supervisory authorities have a comprehensive understanding of the data processing activities in question, leading to more informed and consistent decisions.

The Court also addressed concerns about judicial review and the independence of national supervisory authorities. It noted that the EDPB's decisions are subject to judicial review, ensuring that its powers are exercised within the limits set by the GDPR. This judicial oversight provides a check on the EDPB's authority, ensuring that it does not overstep its mandate. Additionally, the Court clarified that the independence of national supervisory authorities is not compromised by the EDPB's oversight. The GDPR framework is built on mutual scrutiny and cooperation between independent authorities, which enhances the overall effectiveness of data protection enforcement in the EU.

Takeaway

The General Court's ruling reinforces the EDPB's authority to ensure comprehensive and consistent enforcement of the GDPR across the EU. It clarifies that the EDPB can mandate further investigations by lead supervisory authorities when necessary to address relevant and reasoned objections from other authorities. This decision underscores the collaborative nature of data protection oversight in the EU and the critical role of the EDPB in maintaining the integrity of the GDPR's application.

It must be added [that] where responsibilities are also shared between the national level and the EU level for the implementation of an EU policy, a number of principles have been identified in the case-law of the Court of Justice in order to coordinate the actions of the national courts and the EU entity responsible for ensuring consistency in the application of the policy in question,
