The Irish Data Protection Commission (DPC) released details of investigations into two Meta companies on Wednesday, which will change the way the companies target ads. The decisions conclude complaints that were first lodged in May 2018.
But the decisions against Meta are arguably not the most interesting part of the DPC’s statement.
The investigations were subject to many months of dispute between the DPC and its peers at the European Data Protection Board (EDPB). The EDPB effectively won, forcing the DPC to increase its fines and reconsider its more lenient conclusions about the company’s compliance.
In the end, Meta received a €210 million fine for breaches related to Facebook and a €180 million fine regarding Instagram. The company must also bring its processing into compliance within three months.
But the EDPB also “purported” to direct the DPC to carry out a new investigation into Meta. The DPC is not happy about this, claiming that the EPDB has exceeded its powers—and stating that it intends to challenge the DPC’s order in court.
An “Open-Ended and Speculative Investigation”
The DPC’s strongly-worded statement came in the final paragraph of the press release announcing the two new Meta fines.
The EPDB’s (supposed) order requires the DPC to conduct a new investigation spanning the entirety of Facebook and Instagram’s processing operations.
The DPC stated that the EDPB directed the regulator to look into the special categories of personal data that “may or may not be processed” across Meta’s systems.
The DPC claims this investigation would be “open-ended and speculative”.
‘Problematic in Jurisdictional Terms’
The DPC argues that it is not open to the EDPB to instruct a national authority to conduct such an investigation.
The UK Data Protection Index
An exclusive membership panel providing unique and comprehensive insights into the role and salary of Data Protection Officers in the UK.
If you fulfil the role of a DPO, CDO, CCO, CPO, IGO or CIO and you’re UK based then become a member for FREE!
“The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities,” the statement says.
“The direction is then problematic in jurisdictional terms…”
The DPC argues that such an order would go against the GDPR’s “cooperation and consistency” process, which seeks to resolve disputes between data protection authorities (DPAs) and ensure the consistent enforcement of data protection law across the EU.
The DPC’s claim hinges on the notion that the EDPB does not have the authority to order DPAs to bring new investigations. The body is designed to help resolve disputes over existing investigations.
A Challenge in Court
The DPC’s statement concludes that the EDPB’s instructions “may involve an overreach”.
As such, the DPC states that it will be bringing an action for annulment before the Court of Justice of the European Union (CJEU), asking the court to set aside the EDPB’s directions.
This action would presumably be taken by the DPC under Article 263 of the Treaty on the Functioning of the European Union (TFEU).
Article 263 TFEU is a process for challenging the legality of acts of EU institutions, bodies, offices, or agencies. The acts must be addressed to the person bringing the challenge or affect them directly.
Decisions, regulations, and directives, binding agreements, non-binding instruments can be challenged under this annulment procedure.
To succeed the claimant must demonstrate that the act in question violates EU law and directly and individually affects them.
A Troubled History
The DPC has a history of disputes with its fellow regulators at the EDPB.
The two decisions against Meta announced today are just the latest in a long chain of decisions that have raised disagreements among other EU regulators.
DPC decisions against Twitter in December 2020, and against WhatsApp, Instagram and Facebook last year, all had to be revised following EDPB intervention.
But the DPC’s challenge against the EDPB’s direction will be the first time that the regulator has challenged its colleagues in court.
→ Last Thursday In Privacy - January 26, Online Event
Keep up to date with privacy developments
Keeping ahead of the curve is especially important in a fast-moving field like privacy.
Last Thursday in Privacy is an all-day online event on 26 Jan, featuring updates from expert speakers around the world.